Cisco Support Community
New Member

EasyVPN and Pix501-Pix501-Problem

Hi,

I have a problem with my two Pix501.

I want one of them to be the EasyVPN Server and the other one to be the EasyVPN Remote Client.

I configured everything like it is shown at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

In my test environment I have my "normal" network 192.168.0.0/24 on the outside interface of the two PIXes. The EasyVPN server's network is 192.168.1.0/24, the other one is 192.168.2.0/24.

My problem is that the two PIXes don't connect.

Here are the configs:

EasyVPN Server:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.3.1-192.168.3.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.1.200
vpngroup mygroup wins-server 192.168.1.200
vpngroup mygroup default-domain cisco.com
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4967199c613b5553f9bc5aaa09aa02b3
: end

Client:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 192.168.0.220
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80
Cryptochecksum:3caebce68a73c906150eb011e7b18f8a
: end

Does anyone have an idea why it doesn't work?

Thanks,

Kriss

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

OK, thanks for the test, and great to hear the software VPN client works fine. That eliminates the VPN server from the problem.

You would also need to add the following on the client:

vpnclient nem-st-autoconnect

vpnclient connect

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Yes, you would need to add the following ACL:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.120.0 255.255.255.0

and also add this if vpn client is behind PAT device: isakmp nat-traversal 25

You would need to reconnect with your vpn client after the above changes.

28 REPLIES
Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Which phase does it break?

Can you share the output of "show crypto isa sa" and "show crypto ipsec sa"?

Also, please collect the output of "debug cry isa" and "debug crypto ipsec" to check where it's breaking.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Hi

At the EasyVPN server:

kr01icr02# show crypto isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created


and

kr01icr02# show crypto ipsec sa


interface: outside
    Crypto map tag: mymap, local addr. 192.168.0.220

At the second pix:
kr01icr03(config)# show crypto isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
kr01icr03(config)# show crypto ipsec sa

kr01icr03(config)#

The debug commands generate no output on the second (remote) PIX, even if I disable the vpnclient with "no vpnclient enable" and enable it again with "vpnclient enable".

So it seems like the client does not initiate the connection, correct?

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

You might want to enable logging on the PIX:

Depending on whether you console or ssh to the PIX:

logging on

logging console debugging

logging terminal debugging

Then turn on the debug:

debug crypto isa

debug crypto ipsec

Then disable and enable the vpnclient.

Are you able to ping the server from the client? From the remote PIX, can you ping 192.168.0.220?

Last resort, you might want to check with packet capture on the remote PIX just to confirm whether it initiates the VPN connection. You should see UDP/500 packet to start with for Phase 1.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Hi, yes I can ping the server from the client and the client from the server too.

The logging does not show any requests from the PIXes.

There are only messages like these from different PCs, but no message shows the IP of the other PIX.

710005: UDP request discarded from 192.168.0.105/138 to outside:192.168.0.255/netbios-dgm
710005: UDP request discarded from 192.168.0.115/137 to outside:192.168.0.255/netbios-ns

So I still can't see that the client tries to connect to the server.

I tried to connect to the server with the Cisco software VPN client and this works (the connection itself). When I connect, there is a lot of output on the console at the server.

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

OK, thanks for the test, and great to hear the software VPN client works fine. That eliminates the VPN server from the problem.

You would also need to add the following on the client:

vpnclient nem-st-autoconnect

vpnclient connect

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Ah, wonderful!

Now there is some traffic. But it seems that there is the next problem.

The server says:

crypto_isakmp_process_block:src:192.168.0.221, dest:192.168.0.220 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3307215273
ISAMKP (0): received DPD_R_U_THERE from peer 192.168.0.221
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS

The client says:

ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.220, dest:192.168.0.221 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 248407712
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.220
return status is IKMP_NO_ERR_NO_TRANS

The messages appear every few seconds (~8) on both PIXes.

A ping to the other pix/device in the other subnet is not possible.

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Can you please share the output of:

show crypto isa sa

show crypto ipsec sa

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Hi,

at the client:

kr01icr03(config)# show crypto isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.0.220    192.168.0.221    QM_IDLE         0           6
kr01icr03(config)#

kr01icr03(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 192.168.0.221

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.220:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 468, #pkts encrypt: 468, #pkts digest 468
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.221, remote crypto endpt.: 192.168.0.220
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 7ed32d4e

     inbound esp sas:
      spi: 0xbeae2329(3199083305)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/26412)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x7ed32d4e(2127768910)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607972/26403)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.0.221/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.220:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.221, remote crypto endpt.: 192.168.0.220
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 3f008978

[debug output that was interleaved on the console at this point:]
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:192.168.0.220, dest:192.168.0.221 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 3092007981
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.168.0.220
return status is IKMP_NO_ERR_NO_TRANS

     inbound esp sas:
      spi: 0x57e2aac3(1474472643)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/26430)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x3f008978(1056999800)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/26430)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


kr01icr03(config)#

at the Server:

kr01icr02(config)# show crypto isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.0.220    192.168.0.221    QM_IDLE         0           6
kr01icr02(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: mymap, local addr. 192.168.0.220

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 192.168.0.221:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 504, #pkts decrypt: 504, #pkts verify 504
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.220, remote crypto endpt.: 192.168.0.221
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: beae2329

     inbound esp sas:
      spi: 0x7ed32d4e(2127768910)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607950/26224)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xbeae2329(3199083305)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/26226)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.221/255.255.255.255/0/0)
   current_peer: 192.168.0.221:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.220, remote crypto endpt.: 192.168.0.221
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 57e2aac3

     inbound esp sas:
      spi: 0x3f008978(1056999800)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/26201)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x57e2aac3(1474472643)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/26201)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


kr01icr02(config)#

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Great... phase 1 is up (QM_IDLE), and phase 2 is up too.

On the client, the packets get encrypted, and they are decrypted on the server end; however, there is no encryption on the server, which means there is no return traffic.

How do you try to access the LAN behind the server? Are you trying to ping? Which IP address did you ping? Also, please make sure that the host that you are trying to access or ping does not have any firewall that might be blocking the inbound access.

You can also add "management-access inside" and try to ping the PIX server inside IP address (192.168.1.1) from the client LAN. That would be successful.
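The asymmetry the reply above reads out of the counters (encaps on one side, decaps but no encaps on the other) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small Python parser for the PIX 6.3 `show crypto ipsec sa` layout posted here, which classifies each proxy-identity flow from its encaps/decaps counters. The sample outputs are constructed in the same layout as the outputs above; the classification labels are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of PIX 6.3 "show crypto ipsec sa" output
# (mirrors the client-side output posted in this thread; counters constructed).
SAMPLE_CLIENT = """\
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 192.168.0.221

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.220:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 468, #pkts encrypt: 468, #pkts digest 468
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.0.221/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 192.168.0.220:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

# Constructed server-side counterpart: the mirror image of the first flow above.
SAMPLE_SERVER = """\
interface: outside
    Crypto map tag: mymap, local addr. 192.168.0.220

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 192.168.0.221:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 504, #pkts decrypt: 504, #pkts verify 504
    #send errors 0, #recv errors 0
"""

# "local  ident" carries two spaces in the real output, hence \s+.
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"^\s*current_peer: (\S+)")
ENCAPS_RE = re.compile(r"^\s*#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^\s*#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"^\s*#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """One record per local/remote proxy-identity pair, with peer and counters."""
    flows: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":          # a "local ident" line starts a new flow
                cur = {"local": f"{addr}/{mask}", "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                flows.append(cur)
            elif cur is not None:
                cur["remote"] = f"{addr}/{mask}"
            continue
        if cur is None:
            continue
        if m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.match(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.match(line):
            cur["decaps"] = int(m.group(1))
        elif m := ERRORS_RE.match(line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(flow: Dict) -> str:
    """Classify a flow from its counters, following the reasoning in the reply above."""
    enc, dec = flow["encaps"], flow["decaps"]
    if flow["send_errors"] or flow["recv_errors"]:
        return "errors"                # SA-level trouble, look at the SA before routing
    if enc == 0 and dec == 0:
        return "idle"                  # SA negotiated, nothing has matched it yet
    if enc > 0 and dec == 0:
        return "no-return-traffic"     # we encrypt, the far side never answers through the tunnel
    if enc == 0 and dec > 0:
        return "no-forward-traffic"    # far side's packets arrive, nothing here replies via the tunnel
    return "bidirectional"


def diagnose_all(text: str) -> Dict[str, str]:
    """Map 'local -> remote' to its diagnosis for every flow in the output."""
    return {f"{f['local']} -> {f['remote']}": diagnose(f) for f in parse_ipsec_sa(text)}
```

Run against the client and server outputs of one tunnel and read the two results together: "no-return-traffic" on the client paired with "no-forward-traffic" on the server is exactly the picture above, and points at routing or a host firewall on the server side rather than at the SAs.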

New Member

Re: EasyVPN and Pix501-Pix501-Problem

ok, it works!

It was a problem with some routes on PCs on the client side.

Thank you very very very much for your help!

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Great to hear it's working now.

Please kindly mark the post answered and rate useful post. Thanks.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Hi,

OK, my PIX 501 to PIX 501 connection via EasyVPN works.

I'm so happy!

Now I tried to connect a second client PIX to my "network".

So I have the EasyVPN server PIX and two EasyVPN client PIXes.

Both of them can connect to the server and both of them reach the server subnet (192.168.1.0).

From the server subnet I reach the client subnets (192.168.2.0 and 192.168.3.0).

From the client subnets I reach the server subnet, but not the other client subnet.

Is there an option I don't see like "vpnclient client-client-communication"?

Thanks again!

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

No, with Easy VPN connections, you won't be able to communicate between the clients.

If you would like to communicate between clients, I would suggest that you configure LAN-to-LAN tunnels instead of Easy VPN tunnels.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

What a pity, but this is not such a bad thing.

My next problem:

When I connect to my EasyVPN-Server with the Software-Client, then I get an IP, can ping the EasyVPN-Server but nothing else. I can't ping any device in this network. The EasyVPN-Server can.

Re: EasyVPN and Pix501-Pix501-Problem

Either the internal network is not included in the split-tunneling or NAT0 ACL or, most likely, internally there's no route back to the VPN pool pointing to the PIX.

Federico.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

hmm,

my route at the pix is just the "default" one:

route outside 0.0.0.0 0.0.0.0 192.168.0.250 1

My Split-tunnel-configs are

vpngroup mygroup split-tunnel 101

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Additionally I have these NAT settings:

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Re: EasyVPN and Pix501-Pix501-Problem

Kristian,

You're saying that from the VPN client you can PING the inside of the PIX but not the internal network correct?

What I meant is to check that the default gateway for the internal network is the PIX.

The actual route that you posted is the default gateway on the PIX (that is fine), but I'm talking about the route that uses the internal network to reach the PIX (is it a default gateway on the machines)?

Federico.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

OK, now I understand.

There was no gateway on the machine I connect from. Why doesn't the VPN client software do that automatically?

I entered a gateway but no change. I am still able to ping the PIX but not the machine.

I tried some more pings:

Ping from connected Softwareclient to Pix: successful

Ping from connected Softwareclient to a machine in the network: fail (with and without a gateway)

Ping from Pix to Softwareclient: successful

Ping from Pix to machine: successful

Ping from machine to softwareclient: fail (with and without a gateway)

Ping from machine to Pix: successful

New Member

Re: EasyVPN and Pix501-Pix501-Problem

I tried out several things but I don't get the traffic to work.

Does anybody have any ideas how to fix this problem?

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Can you please repost the latest configuration on the server?

I am interested to see what is the vpn client ip pool subnet. Hopefully it is not the same subnet as your internal network. If it is, please change it to a unique subnet.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

yes, the IP-Pool is the same subnet as the inside interface.

I will try to change this and will report the result.

Thanks for the hint!

New Member

Re: EasyVPN and Pix501-Pix501-Problem

OK,

I tried it out but it didn't change anything.

Here is my current config:


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
domain-name *********
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.1.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.1.60
vpngroup mygroup wins-server 192.168.1.60
vpngroup mygroup default-domain ***********
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Yes, you would need to add the following ACL:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.120.0 255.255.255.0

and also add this if vpn client is behind PAT device: isakmp nat-traversal 25

You would need to reconnect with your vpn client after the above changes.
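The two configuration mistakes resolved in this thread (a client pool carved out of the inside subnet, asked about a few posts up, and the missing inside-to-pool entry in the nat 0 ACL fixed just above) are both mechanical checks on the config text. The following Python checker is an added example, not code from this thread or from Cisco: it parses the handful of PIX 6.3 statements involved and reports findings. The config fragments are constructed from the server config posted above and trimmed to the relevant lines; the finding texts and the third check (the split-tunnel ACL must be sourced from the inside subnet) are my own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed PIX 6.3 configuration fragments, trimmed to the lines that matter.
# BROKEN_CONFIG mirrors the server config posted in this thread before the fix:
# the pool 192.168.120.221-225 is unique, but access-list 101 (used for nat 0
# and split-tunnel) has no entry from the inside subnet to the pool.
BROKEN_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
ip address inside 192.168.1.220 255.255.255.0
ip local pool ippool 192.168.120.221-192.168.120.225
nat (inside) 0 access-list 101
vpngroup mygroup address-pool ippool
vpngroup mygroup split-tunnel 101
"""

# The line the accepted answer adds.
FIXED_CONFIG = BROKEN_CONFIG + (
    "access-list 101 permit ip 192.168.1.0 255.255.255.0 "
    "192.168.120.0 255.255.255.0\n"
)

# Constructed variant of the earlier mistake: pool carved out of the inside subnet.
OVERLAP_CONFIG = BROKEN_CONFIG.replace(
    "ip local pool ippool 192.168.120.221-192.168.120.225",
    "ip local pool ippool 192.168.1.100-192.168.1.110",
)

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")
ADDRPOOL_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")


def parse_config(config: str) -> Dict:
    """Pull the statements the checks need out of a PIX 6.3 config."""
    cfg: Dict = {"acls": {}, "inside": None, "pools": {}, "nat0": None,
                 "split": {}, "group_pool": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (Net(f"{s}/{sm}", strict=False), Net(f"{d}/{dm}", strict=False)))
        elif m := INSIDE_RE.match(line):
            cfg["inside"] = Net(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := SPLIT_RE.match(line):
            cfg["split"][m.group(1)] = m.group(2)
        elif m := ADDRPOOL_RE.match(line):
            cfg["group_pool"][m.group(1)] = m.group(2)
    return cfg


def covers_pool(entries: List[Tuple[Net, Net]], inside: Net, first, last) -> bool:
    """True if some entry is sourced from the inside net and its destination holds the whole pool."""
    return any(inside.subnet_of(src) and first in dst and last in dst
               for src, dst in entries)


def check_easyvpn_server(config: str) -> List[str]:
    """Return one finding per problem; an empty list means all three checks pass."""
    cfg = parse_config(config)
    inside = cfg["inside"]
    findings: List[str] = []
    for group, pool_name in cfg["group_pool"].items():
        first, last = cfg["pools"][pool_name]
        # 1. The pool must not be carved out of the inside subnet (the question
        #    asked earlier in the thread: is the pool the same subnet as inside?).
        if first in inside or last in inside:
            findings.append(f"{group}: pool {pool_name} ({first}-{last}) overlaps inside {inside}")
        # 2. nat 0 must exempt inside -> pool; otherwise that traffic falls into
        #    nat (inside) 1 and is PATed instead of going back through the tunnel.
        if not covers_pool(cfg["acls"].get(cfg["nat0"], []), inside, first, last):
            findings.append(f"{group}: nat 0 ACL {cfg['nat0']} has no entry {inside} -> pool {pool_name}")
        # 3. The split-tunnel ACL must be sourced from the inside subnet so the
        #    client learns to send that subnet through the tunnel.
        split_acl = cfg["split"].get(group)
        if split_acl and not any(inside.subnet_of(src) for src, _ in cfg["acls"].get(split_acl, [])):
            findings.append(f"{group}: split-tunnel ACL {split_acl} has no entry sourced from {inside}")
    return findings
```

Feed it the running config of the Easy VPN server (`show run` output works; unrelated lines are ignored) before reconnecting clients. The checker does not cover the client side or the PAT case; `isakmp nat-traversal`, as the answer above notes, is a separate decision that depends on whether a NAT device sits in front of the client.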

New Member

Re: EasyVPN and Pix501-Pix501-Problem

You're something like a Cisco god!

It works!!!

Thank you very very much!

Cisco Employee

Re: EasyVPN and Pix501-Pix501-Problem

Great to hear it's working now. Thanks for the rating.

New Member

Re: EasyVPN and Pix501-Pix501-Problem

I start crying ;(

Everything worked in my home network; then I installed the PIX at the final destination after changing the outside interface to PPPoE.

So now I have the two PIXes connected over the internet.

The server is directly connected to the modem; the client gets its internet connection over an existing network and uses the gateway in that network to connect to the internet.

Now I can ping the server PIX from the remote client - and ONLY the server PIX, no other clients.

If I connect from a soft client it is the same.

Here are my final configs:

Server:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LLkMi3KcZgYfuWCi encrypted
passwd LLkMi3KcZgYfuWCi encrypted
hostname kr01icr02
domain-name ........
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
access-list 102 permit tcp host 192.168.128.78 any eq https
access-list 102 permit tcp host 192.168.128.78 any eq ftp
access-list 102 permit tcp host 192.168.128.78 any eq 27
access-list 102 permit tcp host 192.168.128.78 any eq www
access-list 102 permit tcp host 192.168.128.78 any eq 5938
access-list 102 permit tcp host 192.168.128.78 any eq 5959
access-list 102 permit ip any any (Just for having access from my current PC)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
access-group 102 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain .......
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname -user-
vpdn group pppoe_group ppp authentication pap
vpdn username -user- password ********* store-local
terminal width 80
Cryptochecksum:1a8f27c3a10328f56b798f7634d2c691
: end
kr01icr02#

Client:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
domain-name ........
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.129.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.128.0 255.255.255.0 inside
telnet 192.168.129.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.129.0 255.255.255.0 inside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpnclient server wan-serverip
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Does anybody have an idea?

I have to fix it today...

New Member

Re: EasyVPN and Pix501-Pix501-Problem

Here is some more information that may help:

Ping from ServerPix to ClientPix - OK
Ping from ClientPix to ServerPix - OK
Ping from PC in Server-Net to ServerPix - OK
Ping from PC in Client-Net to ClientPix - OK
Ping from PC in Client-Net to ServerPix - OK
Ping from PC in Server-Net to ClientPix - OK
Ping from PC in Server-Net to PC in Client-Net - FAIL
Ping from PC in Client-Net to PC in Server-Net - FAIL

Ping from PC, via CiscoVPN-Client connected, to ServerPix - OK
Ping from PC, via CiscoVPN-Client connected, to ClientPix - FAIL - but you told me that it is normal, sh** happens...

Here are the current configs:

Server
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LLkMi3KcZgYfuWCi encrypted
passwd LLkMi3KcZgYfuWCi encrypted
hostname kr01icr02
domain-name e***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
access-list 102 permit tcp host 192.168.128.78 any eq https
access-list 102 permit tcp host 192.168.128.78 any eq ftp
access-list 102 permit tcp host 192.168.128.78 any eq 27
access-list 102 permit tcp host 192.168.128.78 any eq www
access-list 102 permit tcp host 192.168.128.78 any eq 5938
access-list 102 permit tcp host 192.168.128.78 any eq 5959
access-list 102 permit tcp host 192.168.128.78 any eq domain
access-list 102 permit ip host 192.168.128.104 any
access-list 102 permit udp host 192.168.128.78 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.104 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
access-group 102 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain e****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname ***
vpdn group pppoe_group ppp authentication pap
vpdn username *** password ********* store-local
terminal width 80


Client:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
domain-name hamburg.praxis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.129.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.128.0 255.255.255.0 inside
telnet 192.168.129.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.129.0 255.255.255.0 inside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpnclient server 85.1**.**.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80

The show route command shows:

Server:
kr01icr02# sh route
outside 0.0.0.0 0.0.0.0 213.191.84.232 1 PPPOE static
outside 85.1**.**.** 255.255.255.255 85.1**.**.** 1 CONNECT static
inside 192.168.128.0 255.255.255.0 192.168.128.220 1 CONNECT static

Client:
kr01icr03(config)# sh route
outside 0.0.0.0 0.0.0.0 192.168.0.250 1 OTHER static
outside 192.168.0.0 255.255.255.0 192.168.0.221 1 CONNECT static
inside 192.168.129.0 255.255.255.0 192.168.129.220 1 CONNECT static


The show access-list command shows:

Server:
kr01icr02# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=12)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0 (hitcnt=0)
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=0)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=0)
access-list 102; 10 elements
access-list 102 line 1 permit tcp host 192.168.128.78 any eq https (hitcnt=3329)
access-list 102 line 2 permit tcp host 192.168.128.78 any eq ftp (hitcnt=0)
access-list 102 line 3 permit tcp host 192.168.128.78 any eq 27 (hitcnt=0)
access-list 102 line 4 permit tcp host 192.168.128.78 any eq www (hitcnt=27)
access-list 102 line 5 permit tcp host 192.168.128.78 any eq 5938 (hitcnt=6)
access-list 102 line 6 permit tcp host 192.168.128.78 any eq 5959 (hitcnt=0)
access-list 102 line 7 permit tcp host 192.168.128.78 any eq domain (hitcnt=0)
access-list 102 line 8 permit ip host 192.168.128.104 any (hitcnt=974)
access-list 102 line 9 permit udp host 192.168.128.78 any eq domain (hitcnt=0)
access-list dynacl58; 1 elements
access-list dynacl58 line 1 permit ip 192.168.128.0 255.255.255.0 host 192.168.0.221 (hitcnt=0)
access-list dynacl59; 1 elements
access-list dynacl59 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=8)

Client:
kr01icr03(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list _vpnc_acl; 2 elements
access-list _vpnc_acl line 1 permit ip 192.168.129.0 255.255.255.0 192.168.128.0 255.255.255.0 (hitcnt=19)
access-list _vpnc_acl line 2 permit ip host 192.168.0.221 192.168.128.0 255.255.255.0 (hitcnt=3)
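As an added example (not part of the thread and not Cisco code), a small Python parser for the PIX 6.3 `show access-list` output pasted above: it reads the `hitcnt` counters of the ACLs the PIX builds for the tunnel (`dynacl*` on the server, `_vpnc_acl` on the client) so you can confirm that each side is actually matching and encrypting the LAN-to-LAN traffic before looking elsewhere. The sample text is constructed from the two outputs in the post.

```python
import re
from typing import List, NamedTuple, Tuple

class AclEntry(NamedTuple):
    acl: str
    proto: str
    src: str
    dst: str
    hits: int

# One PIX 6.3 "show access-list" entry, e.g.
# access-list dynacl59 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=8)
_ENTRY = re.compile(r"^access-list (\S+) line \d+ permit (\S+) (.+?) \(hitcnt=(\d+)\)$")

def _endpoints(rest: str) -> Tuple[str, str]:
    """Extract (src, dst) as 'net/mask', a host IP, or 'any'; port qualifiers (eq ...) are ignored."""
    tok, out, i = rest.split(), [], 0
    while len(out) < 2:
        if tok[i] == "host":
            out.append(tok[i + 1]); i += 2
        elif tok[i] == "any":
            out.append("any"); i += 1
        else:
            out.append(f"{tok[i]}/{tok[i + 1]}"); i += 2
    return out[0], out[1]

def parse_show_access_list(text: str) -> List[AclEntry]:
    """Parse entry lines; summary lines such as 'access-list 101; 2 elements' are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            src, dst = _endpoints(m.group(3))
            entries.append(AclEntry(m.group(1), m.group(2), src, dst, int(m.group(4))))
    return entries

def crypto_hits(entries: List[AclEntry], src: str, dst: str) -> int:
    """Sum hitcnt over the tunnel ACLs (dynacl*/_vpnc_acl) that match src -> dst."""
    return sum(e.hits for e in entries
               if (e.acl.startswith("dynacl") or e.acl.startswith("_vpnc"))
               and e.src == src and e.dst == dst)

# Constructed sample: the tunnel ACL lines from the server and client outputs in the post.
SERVER = """\
access-list dynacl58 line 1 permit ip 192.168.128.0 255.255.255.0 host 192.168.0.221 (hitcnt=0)
access-list dynacl59 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=8)
"""
CLIENT = """\
access-list _vpnc_acl line 1 permit ip 192.168.129.0 255.255.255.0 192.168.128.0 255.255.255.0 (hitcnt=19)
access-list _vpnc_acl line 2 permit ip host 192.168.0.221 192.168.128.0 255.255.255.0 (hitcnt=3)
"""

if __name__ == "__main__":
    s, c = parse_show_access_list(SERVER), parse_show_access_list(CLIENT)
    print("server -> client:", crypto_hits(s, "192.168.128.0/255.255.255.0", "192.168.129.0/255.255.255.0"))
    print("client -> server:", crypto_hits(c, "192.168.129.0/255.255.255.0", "192.168.128.0/255.255.255.0"))
```

Non-zero counters in both directions, as in the outputs above, mean the crypto ACLs are matching the LAN-to-LAN packets; a zero on one side points at the interesting-traffic definition on that side rather than at the hosts.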
