Cisco Support Community

New Member

ipsec connection access problem at firewall module.

Hi dears. I configured an IPsec VPN on the firewall. I connect to the VPN, but I cannot access the inside servers. I want to access 172.16.10.254 and 172.18.10.10, but I cannot.

This is my configuration. Please help me. Thank you.

FWSM Version 4.0(4)
!
hostname FWSM
domain-name socar.local
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248 standby x.x.x.x
!
interface Vlan3
 description LAN/STATE Failover Interface
!
interface Vlan210
 nameif inside
 security-level 100
 ip address 172.18.10.253 255.255.255.0 standby 172.18.10.252
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit ip any any
access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.10.100.0 255.255.255.0
access-list SPLIT standard permit 172.16.10.0 255.255.255.0
access-list SPLIT standard permit 172.18.10.0 255.255.255.0
access-list O2I extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL 10.10.100.1-10.10.100.254
no failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover link FAILOVER Vlan3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.16.0 255.255.255.0
nat (inside) 1 172.18.10.0 255.255.255.0
nat (inside) 1 172.18.20.0 255.255.255.0
nat (inside) 1 172.18.30.0 255.255.255.0
nat (inside) 1 172.18.40.0 255.255.255.0
access-group O2I in interface outside
access-group OUT in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 172.16.10.0 255.255.255.0 172.18.10.254 1
route inside 172.16.16.0 255.255.255.0 172.18.10.254 1
route inside 172.18.20.0 255.255.255.0 172.18.10.254 1
route inside 172.18.30.0 255.255.255.0 172.18.10.254 1
route inside 172.18.40.0 255.255.255.0 172.18.10.254 1
route inside 172.16.15.0 255.255.255.0 172.18.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SOCAR internal
group-policy SOCAR attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
username risk password 3rtm490m1auSWuAX encrypted
http server enable
http 172.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
crypto ipsec transform-set SOCAR esp-3des esp-sha-hmac
crypto dynamic-map SOCAR 10 set transform-set SOCAR
crypto map SOCAR 30 ipsec-isakmp dynamic SOCAR
crypto map SOCAR interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
tunnel-group SOCAR type ipsec-ra
tunnel-group SOCAR general-attributes
 address-pool VPN-POOL
 default-group-policy SOCAR
tunnel-group SOCAR ipsec-attributes
 pre-shared-key *
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh timeout 15
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sunrpc
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3f7dae74243f6137b135741e677fe4b2
: end
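As an added example (not from the original post or from Cisco), here are the two checks a practitioner would run against the posted config before looking anywhere else: is each split-tunnel network NAT-exempted (nat 0) toward the whole VPN pool, and does the FWSM have a route or connected subnet back to it? The config excerpt is constructed from the lines posted above, and the function names are assumptions. Both checks pass for this config, which is consistent with the replies pointing at platform support rather than NAT or routing.

```python
import ipaddress
# Constructed excerpt of the FWSM config posted above (only the lines this check reads).
FWSM_CONFIG = """\
 ip address 172.18.10.253 255.255.255.0 standby 172.18.10.252
access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.10.100.0 255.255.255.0
access-list SPLIT standard permit 172.16.10.0 255.255.255.0
access-list SPLIT standard permit 172.18.10.0 255.255.255.0
ip local pool VPN-POOL 10.10.100.1-10.10.100.254
nat (inside) 0 access-list NONAT
route inside 172.16.10.0 255.255.255.0 172.18.10.254 1
 split-tunnel-network-list value SPLIT
"""

def net(addr, mask):  # FWSM writes "address mask"; ip_network accepts a dotted mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACLs, VPN pool, inside routes/connected subnets, and the ACL names
    referenced by nat 0 and the split-tunnel list (net/mask ACL form only)."""
    acl, reach, names = {}, [], {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit") + 1
            if t[2] == "extended":   # permit ip SRC MASK DST MASK
                acl.setdefault(t[1], []).append((net(t[i + 1], t[i + 2]), net(t[i + 3], t[i + 4])))
            else:                    # standard: permit NET MASK
                acl.setdefault(t[1], []).append(net(t[i], t[i + 1]))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            names["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:2] in (["route", "inside"], ["ip", "address"]):
            reach.append(net(t[2], t[3]))   # static route or connected inside subnet
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            names["nonat"] = t[4]           # identity-NAT (nat 0) exemption ACL
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            names["split"] = t[2]
    return {"pool": names["pool"], "reach": reach,
            "nonat": acl.get(names["nonat"], []), "split": acl.get(names["split"], [])}

def check_split_networks(config=FWSM_CONFIG):
    """Per split-tunnel network: NAT-exempt toward the whole pool? route back to it?"""
    c = parse(config)
    lo, hi = c["pool"]
    report = {}
    for s in c["split"]:
        exempt = any(s.subnet_of(src) and lo in dst and hi in dst for src, dst in c["nonat"])
        routed = any(s.subnet_of(r) for r in c["reach"])
        report[str(s)] = {"nat_exempt": exempt, "routed": routed}
    return report
```

Removing the `route inside 172.16.10.0 ...` line from the excerpt flips `routed` to False for 172.16.10.0/24, which is the failure mode this check is meant to catch.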

3 REPLIES
Cisco Employee

The FWSM supports IPsec connections only to manage the FWSM itself; anything else is untested and unsupported.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html#wp1060264

The FWSM supports IPSec for management access. 
New Member

Hi. Thank you very much for replying to me. You said the FWSM supports IPsec for management access, but we want to access our networks (servers, ...).

Can we configure a remote access VPN on our core Catalyst 6500 series switch, on which the FWSM module is installed?

If yes, how can we do it? Please help me. Thank you very much.

Cisco Employee

Teymur,

The cat6k supports IPsec only when a VPN SPA, VPNSM or WS-IPSEC-3 (VSPA) is installed in the chassis.

This is the config guide for all of those:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76ovwvpn.html

A long time ago we also supported IPsec to the cat6k for management access without additional modules; that is no longer the case, as far as my understanding goes.

M.
