Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
589
Views
0
Helpful
3
Replies

ipsec connection access problem at firewall module.

teymur azimov
Level 1
Level 1

‎01-10-2012 04:17 AM - edited ‎02-21-2020 05:48 PM

Hi dears. I configurate ipsec vpn at firewall.i connect vpn but i do not access inside server,i want to access 172.16.10.254,172.18.10.10 but i can not access

this is my configuartion.please help me.thank you.

FWSM Version 4.0(4)

!

hostname FWSM

domain-name socar.local

enable password 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248 standby x.x.x.x

!

interface Vlan3

description LAN/STATE Failover Interface

!

interface Vlan210

nameif inside

security-level 100

ip address 172.18.10.253 255.255.255.0 standby 172.18.10.252

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list OUT extended permit ip any any

access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.10.100.0 255.255.255.0

access-list SPLIT standard permit 172.16.10.0 255.255.255.0

access-list SPLIT standard permit 172.18.10.0 255.255.255.0

access-list O2I extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool VPN-POOL 10.10.100.1-10.10.100.254

no failover

failover lan unit primary

failover lan interface FAILOVER Vlan3

failover link FAILOVER Vlan3

failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 172.16.10.0 255.255.255.0

nat (inside) 1 172.16.16.0 255.255.255.0

nat (inside) 1 172.18.10.0 255.255.255.0

nat (inside) 1 172.18.20.0 255.255.255.0

nat (inside) 1 172.18.30.0 255.255.255.0

nat (inside) 1 172.18.40.0 255.255.255.0

access-group O2I in interface outside

access-group OUT in interface inside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 172.16.10.0 255.255.255.0 172.18.10.254 1

route inside 172.16.16.0 255.255.255.0 172.18.10.254 1

route inside 172.18.20.0 255.255.255.0 172.18.10.254 1

route inside 172.18.30.0 255.255.255.0 172.18.10.254 1

route inside 172.18.40.0 255.255.255.0 172.18.10.254 1

route inside 172.16.15.0 255.255.255.0 172.18.10.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

group-policy SOCAR internal

group-policy SOCAR attributes

vpn-idle-timeout 30

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT

username risk password 3rtm490m1auSWuAX encrypted

http server enable

http 172.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service reset no-connection

crypto ipsec transform-set SOCAR esp-3des esp-sha-hmac

crypto dynamic-map SOCAR 10 set transform-set SOCAR

crypto map SOCAR 30 ipsec-isakmp dynamic SOCAR

crypto map SOCAR interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

tunnel-group SOCAR type ipsec-ra

tunnel-group SOCAR general-attributes

address-pool VPN-POOL

default-group-policy SOCAR

tunnel-group SOCAR ipsec-attributes

pre-shared-key *

telnet 172.0.0.0 255.0.0.0 inside

telnet timeout 15

ssh timeout 15

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!            

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect sunrpc

inspect rsh

inspect smtp

inspect sqlnet

inspect skinny

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:3f7dae74243f6137b135741e677fe4b2

: end

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎01-10-2012 05:28 AM

FWSM supports IPsec connections only to manage FWSM itself anything else is untested and unsupported.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html#wp1060264

The FWSM supports IPSec for management access.
0 Helpful

teymur azimov
Level 1
Level 1
In response to Marcin Latosiewicz

‎01-10-2012 10:29 PM

Hi. Thank you very much to reply me. you said fwsm support ipsec for management access but we want to access our networks(servers,...)

can we configure remote access vpn on our core 6500 series catalyst, on which FWSM module is installed?

if yes, how we can do it? please help me. thank you very much.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to teymur azimov

‎01-11-2012 12:14 AM

Teymur,

cat6k supports IPsec only when VPN SPA, VPNSM or WS-IPSEC-3 (VSPA) is installed in the chassis.

This is the configu guide for all those:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html

A long time ago we also supported IPsec to cat6k for management access without additional modules, it is not longer the case as far as my understanding goes.

M.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents