Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Win2k Radius/PIX Connectivity

Hello all,

I have IPSEC VPN clients terminating on the outside interface of a PIX 515 with a crypto map defined (crypto map mymap client auth test ) that attempts to authenticate the user using XAUTH to an inside Windows 2000 IAS Radius server.

When I try to connect from a remote VPN 3000 (3.5a) client, I am not prompted for username and password. It's as if the PIX cannot talk to the IAS Radius server.

If I disable the crypto map mymap client auth, the VPN connection is established without problems.

On the PIX, the log shows that it is constantly "ISAKMP (0): retransmitting phase 2..."

As a note, the inside interface of the PIX must talk to a Cisco 2621 in order to get to the true inside network. The Cisco 2621 has no access lists defined. The IAS Radius server exists behind the Cisco 2621.

Here is the actual setup:

IAS Radius Server ----- Cisco 2621 ---- Cisco PIX 515 --- Another Cisco 2621

I had this working without either Cisco 2621 in place. Now I'm not sure what's going on.

The IAS Radius server logs show nothing.

Please help.


Dean Davis

  • Other Security Subjects
New Member

Re: Win2k Radius/PIX Connectivity

I think it is a routing issue between the IAS Radius Server to your PIX inside interface.

Please make sure you be able to ping from PIX to IAS server, from IAS server can ping the PIX inside interface, when you put Cisco 2621 in the middle.

If you put static route correctly in the Cisco 2621 router and the PIX, and also the default gateway of the IAS Radius Server point to Cisco 2621, it should be working fine.

Best Regards,

This widget could not be displayed.