10-19-2005 07:38 AM - edited 02-21-2020 02:03 PM
Hi @All,
I've run into problems and I found no solution. Can somebody check my config?
Facts:
PIX 501 6.3(3)
VPN Client 4.04
Wanted solution: Access to HO via VPN
The VPN tunnel is established and I get an IP, but I can't access the systems behind the PIX, nor the PIX itself.
In the VPN Client statistics I see outgoing packets, but no incoming ones (if I send a ping to peers behind the PIX).
I hope somebody can help me
Attached you will find my config:
10-19-2005 09:13 AM
Small changes to be made.
Use this configuration example to the letter and you should be good.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
10-20-2005 12:12 AM
Hi,
Thanks for the information above.
I only added "isakmp identity address" and it's running.
But I don't understand this.
1. Why is this command not written in so many other descriptions (original "tutorials" from Cisco) or other information sources?
2. What does this command do?
In the Command Reference Guide I found no information about isakmp identity "address", only about "hostname".
Kind regards
10-20-2005 04:52 AM
The "isakmp identity address" command tells the PIX to use the IP address as the identifier of the peers, instead of a hostname.
Why is the command not written in so many guides? I do not know. I think it is because the identity address is the default behavior and therefore one should not have to include it. Then why did it not work? That's something that the Cisco DEs can answer. I know it makes a difference from experience when working at Cisco TAC.
10-19-2005 07:44 PM
just wondering if the pix acts as the default gateway of the ho lan.
10-19-2005 11:43 PM
Why not? I have six systems which are behind the PIX.
I can put a router in front of the PIX, but I don't know why. Is there any advantage if I put a router in front of the PIX?
And regarding security issues: the PIX has to do what it was built for.
Please explain why you are wondering.
Kind regards
10-20-2005 04:45 AM
the reason being if there is an internal router, then a route will be needed pointing to the pix for the remote vpn client pc.
e.g. remote vpn client <--> www/vpn <--> pix <--> net1 <--> rt <--> rt <--> branch office
obviously i was thinking too much.
10-20-2005 08:09 AM
OK, I understand ;-)
I thank you all for your support.
I can fix my problem.
But I'm wondering why I ran into this problem.
I thought that the VPN Wizard from PDM would configure everything correctly, but it doesn't. Therefore I did it manually (with the one missing line ;-).
Have you heard that PDM doesn't configure VPN access right?
Is there anyone else who had the same problems?
Greetings
10-20-2005 03:28 PM
just a quick comment, the default isakmp identity is "isakmp identity hostname".
personally, i've never used pdm. however, there was an issue with one of our clients related to pdm. basically he was trying to configure remote vpn access via pdm, but there was no luck. so he started discussing the issue with us, and i found that the commands generated by pdm were not right. e.g. a couple of commands were not necessary and a couple of essential commands were missing. fortunately, the client was playing in a lab environment.
having said that, pdm does a good job in general as i know many clients rely on pdm.
just another piece of info. with pix v7, pdm is replaced by asdm, which is so much better. e.g. you don't have to worry about java anymore, you can install a utility on your pc and launch it directly rather than relying on browser/java.
10-21-2005 03:40 AM
Hi,
I'm sorry, but PIX v7 isn't a possible change option, because I have a PIX 501.
I read in the release notes: "The PIX 501, PIX 506E, and PIX 520 security appliances are not supported in software Version 7.0."
Because of less memory.
Is this information wrong?
10-21-2005 06:18 AM
pix 501 and pix 506/506e are not supported in v7 due to the fact that the cpu is not capable of coping with the v7 extensive features.
pix 520 is not supported, i guess because of the fact that the model is discontinued.
10-22-2005 01:28 AM
Hi Jackko, Hi pkapoor,
I thank you for your support.
I've fixed my problem.
Thank you very much.
I will close this thread.
Kind Regards
10-24-2005 06:47 AM
Are you sure that it's not because of the size of the flash and RAM limitations?
The PIX 501 & 506 have only 8MB of flash. ASDM & PIX Image v 7 = 10MB.
I heard that the 506 will be supported using a compressed image and memory upgrade. No news on the 501 though.
10-24-2005 02:55 PM
maybe there is a plan, but according to the v7.0.4 release notes, which was published on 17/oct/05:
The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080546bbd.html#wp31988