Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

EZ VPN to PIX

I'm not sure if this is the right place for this so if it's not any guidance would be appreciated. I have configued an EZVPN between a router (1842) and our PIX firewall (515). The tunnel comes up just fine so that part looks to be working as expected which is great. the issue is that once connected you cannot connect to any of our internal networks. I configured the VPN as a client so that it would act like a user connecting via VPN client software. I suspect that this may be a routing issue but I'm not certain about it. The networks are all defined on the PIX and when you connect via the client software it works just fine but from the router although the loopback interface is assigned an IP from the vpnpool it just does not seem to route correctly. Here is a portion of the configuration from the router;

--------------------------------------------------------------------------

crypto ipsec client ezvpn DHQB-EZVPN

connect auto

group XXXX key XXXX

mode client

peer XX.XX.XX.XX

username XXXX password XXXX

xauth userid mode local

!

interface Loopback0

ip address 10.106.200.109 255.255.255.255

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$

ip address 10.107.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled

crypto ipsec client ezvpn DHQB-EZVPN inside

!

interface FastEthernet0/1

description $ES_WAN$$FW_OUTSIDE$

ip address dhcp client-id FastEthernet0/1

no ip redirects

no ip unreachables

no ip proxy-arp

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled

crypto ipsec client ezvpn DHQB-EZVPN

!

ip classless

----------------------------------------------------------------------------

Here is a portion of the PIX configuration;

crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

crypto dynamic-map vpn-ra 10 set transform-set 3des-sha

crypto map our-vpn 50 ipsec-isakmp dynamic vpn-ra

crypto map our-vpn client configuration address initiate

crypto map our-vpn client configuration address respond

crypto map our-vpn client authentication TACACS+

crypto map our-vpn interface outside

-----------------------------------------------------------------------------

If anybody may have any pointers or ideas that they would be willing to share I would be most appreciative. Thank you in advance.

2 REPLIES
Silver

Re: EZ VPN to PIX

you need to put in your acl for traffic internal to allow your VPN pool to communicate to your local network subnet or hosts.

If you already have an ACL, which I assume you do, if this pool is not there it is being denied, you need to allow it.

Community Member

Re: EZ VPN to PIX

Thank you for the information. I actually found out this morning that a rule that was put in place a couple of weeks ago was causing the issue but nobody said anything about it. I'm still trying to figure out how to make the VPN come up automatically without any user intervention but I don't think that is even possible but I'm still digging into that. Thank you again.

107
Views
4
Helpful
2
Replies
CreatePlease to create content