I've run into problems and I found no solutions. Can somebody check my config?
PIX 501 6.3(3)
VPN Client 4.04
Wanted solution: Access to HO via VPN
The VPN tunnel is established and I get an IP, but I can't access the systems behind the PIX, nor the PIX itself.
In the VPN Client statistics I see outgoing packets, but no incoming ones (if I send a ping to peers behind the PIX).
I hope somebody can help me.
Attached you will find my config:
Small changes to be made.
Use this configuration example to the letter and you should be good.
Thanks for the information above.
I only added "isakmp identity address" and it's running.
But I don't understand this.
1. Why is this command not written in so many other descriptions (original "tutorials" from Cisco), nor in other information sources?
2. What happens through this command?
In the Command Reference Guide I found no information about isakmp identity "address", only about "hostname".
The "isakmp identity address" command tells the PIX to use the IP address as the identifier of the peers, instead of a hostname.
Why is the command not written in so many guides? I do not know. I think it is because the identity address is the default behavior and therefore one should not have to include it. Then why did it not work? That's something that the Cisco DEs can answer. I know it makes a difference because of experience when working at Cisco TAC.
Why not? I've six systems which are behind the PIX.
I can put a router before the PIX, but I don't know why. Is there any advantage if I put a router before the PIX?
And security issues: the PIX has to do what it was built for.
Please explain why you are wondering.
the reason being if there is an internal router, then a route will be needed pointing to the pix for the remote vpn client pc.
e.g. remote vpn client <--> www/vpn <--> pix <--> net1 <--> rt <--> rt <--> branch office
obviously i was thinking too much.
OK, I understand ;-)
I thank you all for your support.
I can fix my problem.
But I'm wondering why I ran into this problem.
I thought that the VPN Wizard from PDM would configure everything right, but it doesn't. Therefore I did it manually (with the one missing line ;-).
Have you heard that PDM doesn't configure VPN access right?
Is there anyone else who had the same problems?
just a quick comment, the default isakmp identity is "isakmp identity hostname".
personally, i've never used pdm. however, there was an issue with one of our clients related to pdm. basically he was trying to configure remote vpn access via pdm, but there was no luck. so he started discussing the issue with us, and i found that the commands generated by pdm were not right. e.g. a couple of commands were not necessary and a couple of essential commands were missing. fortunately, the client was playing in a lab environment.
having said that, pdm does a good job in general as i know many clients rely on pdm.
just another piece of info. with pix v7, pdm is replaced by asdm, which is so much better. e.g. you don't have to worry about the java anymore, you can install a utility on your pc and launch it directly rather than relying on browser/java.
I'm sorry, but PIX V7 isn't a possible change option, because I have a PIX 501.
I read in the release notes: "The PIX 501, PIX 506E, and PIX 520 security appliances are not supported in software Version 7.0."
Because of less memory.
Is this wrong information?
Hi Jackko, Hi pkapoor,
I thank you for your support.
I've fixed my problem.
Thank you very much.
I will close this thread.
Are you sure that it's not because of the size of the flash and RAM limitations?
The PIX 501 & 506 have only 8MB of flash. ASDM & PIX Image v 7 = 10MB.
I heard that the 506 will be supported using a compressed image and memory upgrade. No news on the 501 though.
maybe there is a plan, but according to the v7.0.4 release notes, which were published on 17/oct/05:
The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.