I have trouble with a PIX 515-E VPN config. The PIX does a site-to-site VPN with another PIX, which works fine. I have to add a dial-in VPN for mobile workers. My configuration is shown below. I can dial in using the VPN Client V 4.0.1 and I receive an IP address (172.17.130.120). The RADIUS authentication works fine. The only problem is that there is no back traffic to the VPN client. The statistics show me a number of bytes sent but 0 bytes received. When I delete the access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120, I receive bytes, but only ISAKMP Informational packets. The packets sent from the mobile worker's machine get to the destination machine (something in 172.17.128.0/22). Has anyone an idea?
Thanks very much
when access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120 is deleted:
access-list dynacl16 turbo-configured; 1 elements
access-list dynacl16 line 1 permit ip any host 172.17.130.120 (hitcnt=2)
when access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120 is present:
access-list dynacl14 turbo-configured; 1 elements
access-list dynacl14 line 1 permit ip any host 172.17.130.120 (hitcnt=0)
current config: --> site to site (operational), client to site (not operational)
access-list in2any permit ip 172.17.128.0 255.255.252.0 10.0.4.0 255.255.252.0
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 10.0.4.0 255.255.252.0 log
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.121
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.122
ip local pool DIALIN 172.17.130.120-172.17.130.122
I added the isakmp nat-traversal, but it's still the same. Can it be that there is a problem due to the existing site-to-site VPN? I made a test configuration with a lab PIX before, which worked properly. The difference was that there was no site-to-site VPN and no ACL on the inside interface.
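The poster is toggling one ACLVPNTAG entry whose destination is an address the DIALIN pool hands out. The following is an added example, not code from the thread: it parses the access-list and ip local pool lines quoted above (copied verbatim as sample input) and reports every crypto-ACL entry whose destination range overlaps a pool, so the same check can be run over a larger config. The parser and function names are assumptions.

```python
import ipaddress
import re

# Sample input: the ACLVPNTAG and pool lines quoted in the post above.
PIX_CONFIG = """
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 10.0.4.0 255.255.252.0 log
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.120
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.121
access-list ACLVPNTAG permit ip 172.17.128.0 255.255.252.0 host 172.17.130.122
ip local pool DIALIN 172.17.130.120-172.17.130.122
"""

# PIX 6.x syntax: "access-list NAME permit ip SRC DST [log]" with real subnet masks (not wildcards).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+?)(?: log)?$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def parse_endpoint(tokens):
    """Consume one PIX address spec ('host A', 'any' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ([(acl_name, src_net, dst_net)], {pool_name: (first_ip, last_ip)})."""
    acls, pools = [], {}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            src, rest = parse_endpoint(m.group(2).split())
            dst, _ = parse_endpoint(rest)
            acls.append((m.group(1), src, dst))
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return acls, pools


def pool_overlaps(acls, pools):
    """List (acl_name, pool_name, dst_net) for each ACL entry whose destination meets a pool range."""
    hits = []
    for name, _src, dst in acls:
        for pool, (lo, hi) in pools.items():
            # Two ranges overlap when neither lies entirely before the other.
            if lo <= dst.broadcast_address and hi >= dst.network_address:
                hits.append((name, pool, dst))
    return hits
```

Running `pool_overlaps(*parse_config(PIX_CONFIG))` flags the three host entries for 172.17.130.120-122 and not the 10.0.4.0/22 site-to-site entry.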