VPN client troubles

patrick.bolt
Level 1

Hi all

I have trouble with a PIX 515-E VPN config. The PIX does a site-to-site VPN with another PIX, which works fine. I have to add a dial-in VPN for mobile workers. My configuration is shown below. I can dial in using the VPN Client V 4.0.1 and I receive an IP address (172.17.130.120). The RADIUS authentication works fine. The only problem is that there is no return traffic to the VPN client. The statistics show me a number of bytes sent but 0 bytes received. When I delete the access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120, then I receive bytes, but only ISAKMP Informational packets. The packets sent from the mobile worker's machine get to the destination machine (something in 172.17.128.0/22). Does anyone have an idea?

Thanks very much

Regards Patrik

when access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120 is deleted:

access-list dynacl16 turbo-configured; 1 elements
access-list dynacl16 line 1 permit ip any host 172.17.130.120 (hitcnt=2)

when access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120 is present:

access-list dynacl14 turbo-configured; 1 elements
access-list dynacl14 line 1 permit ip any host 172.17.130.120 (hitcnt=0)

current config: --> site to site (operational), client to site (not operational)

access-list in2any permit ip 172.17.128.0 255.255.252.0 10.0.4.0 255.255.252.0
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 10.0.4.0 255.255.252.0 log
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.121
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.122
ip local pool DIALIN 172.17.130.120-172.17.130.122
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list ACLVPNTAG
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
access-group out2any in interface outside
access-group in2any in interface inside
access-group dmz2any in interface dmz
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.17.128.75 xxxxx timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set TRANSVPNTAG esp-aes esp-md5-hmac
crypto ipsec transform-set TRANSDIALIN esp-des esp-md5-hmac
crypto dynamic-map DYNDIALIN 10 set transform-set TRANSDIALIN
crypto map CMAPVPNTAG 1 ipsec-isakmp
crypto map CMAPVPNTAG 1 match address ACLVPNTAG
crypto map CMAPVPNTAG 1 set peer x.x.x.x
crypto map CMAPVPNTAG 1 set transform-set TRANSVPNTAG
crypto map CMAPVPNTAG 10 ipsec-isakmp dynamic DYNDIALIN
crypto map CMAPVPNTAG client authentication partnerauth
crypto map CMAPVPNTAG interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool DIALIN
vpngroup vpn3000 dns-server 172.17.128.76 172.17.128.75
vpngroup vpn3000 wins-server 172.17.128.76 172.17.128.75
vpngroup vpn3000 default-domain adsdomain.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

2 Replies

jackko
Level 7

try enabling nat-traversal

isakmp nat-traversal

Hi

I added the isakmp nat-traversal, but it's still the same. Can it be that there is a problem due to the existing site-to-site VPN? I made a test configuration with a lab PIX before, which worked properly. The difference was that there was no site-to-site VPN and no ACL on the inside interface.

Thanks

Regards Patrik
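The two things the last reply asks about, the existing site-to-site crypto map and the ACL on the inside interface, can be walked through with a small model of the quoted config. This is an added Python example, not code from the thread or from Cisco; it simplifies PIX behaviour to first-match ACLs and crypto-map entries tried in ascending sequence order, and the sample inside host 172.17.128.10, the split ACL ACL_SITE_ONLY and the map CMAP_FIXED are assumptions.

```python
import ipaddress

# Simplified model of two PIX mechanisms this thread touches: an interface ACL
# (first match wins, implicit deny) and a crypto map whose entries are tried in
# ascending sequence order. This is an illustration, not PIX code.

def net(addr, mask="255.255.255.255"):
    """PIX ACLs take network + subnet mask; 'host' entries become /32 here."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_permits(acl, src, dst):
    """Return True if the first ACE matching (src, dst) is a permit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def crypto_entry_for(crypto_map, src, dst):
    """First entry whose match ACL covers the flow; a dynamic entry (no ACL) takes the rest."""
    for seq, desc, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):
            return seq, desc
    return None

# Constructed from the access-lists and crypto map quoted in the original post
INSIDE, SITE_B = net("172.17.128.0", "255.255.252.0"), net("10.0.4.0", "255.255.252.0")
IN2ANY = [("permit", INSIDE, SITE_B)]
ACLVPNTAG = [("permit", INSIDE, SITE_B)] + [
    ("permit", INSIDE, net(f"172.17.130.{h}")) for h in (120, 121, 122)]
CMAPVPNTAG = [(1, "static peer x.x.x.x", ACLVPNTAG), (10, "dynamic DYNDIALIN", None)]

# Hypothetical alternative layout (assumption): the static entry matches only
# site-to-site traffic, so flows to the DIALIN pool fall through to the dynamic entry.
ACL_SITE_ONLY = [("permit", INSIDE, SITE_B)]
CMAP_FIXED = [(1, "static peer x.x.x.x", ACL_SITE_ONLY), (10, "dynamic DYNDIALIN", None)]

def diagnose(src, dst, crypto_map=CMAPVPNTAG):
    """Whether the inside ACL admits a reply from src to dst, and which crypto entry claims it."""
    return {"in2any_permits": acl_permits(IN2ANY, src, dst),
            "crypto_entry": crypto_entry_for(crypto_map, src, dst)}

if __name__ == "__main__":
    print(diagnose("172.17.128.10", "172.17.130.120"))              # reply to the VPN client
    print(diagnose("172.17.128.10", "172.17.130.120", CMAP_FIXED))  # with the split ACLs
    print(diagnose("172.17.128.10", "10.0.4.10"))                   # site-to-site traffic
```

With the quoted config the reply to 172.17.130.120 is claimed by crypto map entry 1 (the static peer) and is not permitted by in2any at all; with the split ACLs it falls through to the dynamic entry, which matches the hit counts the post reports on dynacl16 versus dynacl14.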
