Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN with PIX no access to Remote LAN

Hi @all,

i´ve running in problems and i found no solutions. Can somebody check my config???

Facts:

PIX 501 6.3(3)

VPN Client 4.04

Wanted solution: Access to HO via VPN

VPN Tunnel will be established, i get an IP but i can´t access the systems behind the pix neither the pix himself.

At VPN Client Staticts i see outgoing packages, but no incoming (if i send a ping to peers behind the pix)

I hope somebody can help me

Attached you will find my config:

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: VPN with PIX no access to Remote LAN

pix 501 and pix 506/506e are not supported in v7 due to the fact that the cpu is not capable to cope with the v7 extensive features.

pix 520 is not supported i guess it's because of the fact that the model is discontinued.

13 REPLIES
New Member

Re: VPN with PIX no access to Remote LAN

Small changes to be made.

Use this configuration example to the letter and you should be good.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

New Member

Re: VPN with PIX no access to Remote LAN

Hi,

thanks for this information above.

I only add "isakmp identity address" and it´s running.

But, i dont understand this.

1. Why is this command not written at so many other descripitions (original "tutorials" from cisco) neither other information queues.

2. What happens through this command.

In CommandReferenceGuide i found any informations about isakmp identity "address" only about "hostname"

Kind regards

New Member

Re: VPN with PIX no access to Remote LAN

The "isakmp identity address" command tell the PIX to use the IP address as the identifier of the peers, instead of a hostname.

Why the command is not written in so many guides? I do not know. I think it is because that the identity address is the default behavior and therefore one should not have to include it. Then why did it not work? That's something that the Cisco DEs can answer. I know it makes a difference because of experience when working at Cisco TAC.

Gold

Re: VPN with PIX no access to Remote LAN

just wondering if the pix acts as the default gateway of the ho lan.

New Member

Re: VPN with PIX no access to Remote LAN

Why not?? I´ve six systems which are behind the PIX.

I can put an router before the pix, but i dont know why. Is their any advantage if i put an router befor the pix???

And security issues: the Pix has to do wherefor it was build.

Please declare, why you are wondering.

Kind regards

Gold

Re: VPN with PIX no access to Remote LAN

the reason being if there is an internal router, then a route will be needed pointing to the pix for the remote vpn client pc.

e.g. remote vpn client <--> www/vpn <--> pix <--> net1 <--> rt <--> rt <--> branch office

obviously i was thinking too much.

New Member

Re: VPN with PIX no access to Remote LAN

OK, i understand ;-)

i thank you all for your support.

I can fix my problem

But i´m wondering why i´m running in this problem.

I thought that the VPN Wizard from PDM would configure all right, but i doesnt. Therefor i did it manual. (with the one missing line ;-)

Have you heard, that PDM don´t configure VPN Access rigth??

Is there any one else, who had the same problems?

Greetings

Gold

Re: VPN with PIX no access to Remote LAN

just a quick comment, the default isakmp identify is "isakmp identify hostname".

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

personally, i've never use pdm. however, there was an issue with one of our clients related to pdm. basically he was trying to configure remote vpn access via pdm, but there was no luck. so he started discussing the issue with us, and i found that the commands generated by pdm were not right. e.g. couple commands were not necessary and couple essential commands were missing. fortunately, the client was playing in a lab environment.

having said that, pdm does a good job in general as i know many clients rely on pdm.

just another piece of info. with pix v7, pdm is replaced by asdm, which is so much better. e.g. you don't have to worry about the java anymore, you can install an utility on your pc and luanch it directly rather than relying on browser/java.

New Member

Re: VPN with PIX no access to Remote LAN

Hi,

i´m sorry, but PIX V7 isn´t a possible change option, ecause i have an PIX 501.

I readed at ReleaseNotes: "The PIX 501, PIX 506E, and PIX 520 security appliances are not supported in software Version 7.0."

Because of less memory.

Is this a wrong information???

Gold

Re: VPN with PIX no access to Remote LAN

pix 501 and pix 506/506e are not supported in v7 due to the fact that the cpu is not capable to cope with the v7 extensive features.

pix 520 is not supported i guess it's because of the fact that the model is discontinued.

New Member

Re: VPN with PIX no access to Remote LAN

Hi Jackko, Hi pkapoor,

i thank you for your support.

I´ve fixed my problem.

Thank you very much.

I will close this thread.

Kind Regards

New Member

Re: VPN with PIX no access to Remote LAN

Are sure that it's not because of the size of the flash and RAM limitations?

The PIX 501 & 506 have only 8MB of flash. ASDM & PIX Image v 7 = 10MB.

I heard that the 506 will be supported using a compressed image and memory upgrade. No news on the 501 though.

Gold

Re: VPN with PIX no access to Remote LAN

maybe there is a plan, but according to the v7.0.4 release notes, which was published on 17/oct/05:

The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_release_note09186a0080546bbd.html#wp31988

150
Views
0
Helpful
13
Replies
CreatePlease login to create content