Cisco Support Community
New Member

Pb Connection VPN client with Pix 515E v7.0! please help me

Hi,

I have the Cisco VPN client v4.6.02 (in the USA) and a PIX 515E v7 (France).

I created a remote-access VPN (with the VPN wizard, ASDM v5.0) and it is not OK. When I connect with the client, I get this message in the PIX log:

-Removing peer from peer table fail, no match

- Error : unable to remove PeerTblEntry

Please help me

I give you my conf. What is my error?

ftp mode passive

access-list Outside_access_in extended permit tcp any host 81.192.X.W eq smtp

access-list Outside_access_in extended deny ip any any

access-list inside_nat0_outbound extended permit ip any 192.168.39.240 255.255.255.248

access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.39.240 255.255.255.248

ip local pool vpnpool 192.168.39.240-192.168.39.245 mask 255.255.255.0

nat-control

global (Outside) 1 interface

global (DMZ) 1 192.168.40.20-192.168.40.50 netmask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.38.0 255.255.255.0

nat (inside) 1 192.168.39.0 255.255.255.0

nat (DMZ) 1 192.168.40.0 255.255.255.0

static (inside,DMZ) 192.168.40.0 192.168.39.0 netmask 255.255.255.0

static (DMZ,Outside) 81.192.X.W ISVW netmask 255.255.255.255

static (inside,DMZ) SRV-MAIL SRV-MAIL netmask 255.255.255.255

static (inside,Outside) 81.192.X.Y 192.168.38.220 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group Outside_access_in in interface Outside

access-group DMZ_access_in in interface DMZ

route inside 192.168.31.0 255.255.255.0 192.168.39.254 1

route inside 192.168.38.0 255.255.255.0 192.168.39.254 1

route Outside 0.0.0.0 0.0.0.0 Router 1

group-policy QQQQQQ internal

username admin password xxx encrypted privilege 15

username user password xxx encrypted privilege 0

username user attributes

vpn-group-policy QQQQQQ

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

isakmp enable Outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal 20

isakmp ipsec-over-tcp port 10000

tunnel-group QQQQQ type ipsec-ra

tunnel-group QQQQQQ general-attributes

address-pool vpnpool

default-group-policy QQQQQQ

tunnel-group QQQQQQ ipsec-attributes

pre-shared-key *

telnet 192.168.38.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.39.252-192.168.39.254 inside

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect http

!

service-policy global_policy global

2 REPLIES

Re: Pb Connection VPN client with Pix 515E v7.0! please help me

Hi Marza

I just went through your config sample and found that the interface configuration is missing.

I would also suggest referring to this link for more info, and also posting the interface config.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949fb.shtml

Regards

New Member

Re: Pb Connection VPN client with Pix 515E v7.0! please help me

Hi Marza

I found by myself that

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

does not work if you define the source as any. If you want to define the source for every IP address, remove the following line from your config; or, if you want to connect to your PIX from a specified IP address, define the source in your access list. It was my problem, and I solved it this way.

Thanks.

Hope this is helpful.

Remember to rate the useful post.

Best Regards Bahman Mozaffari
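
The condition described in the reply above (a dynamic crypto map whose match-address access list has `any` as its source), as an added example that is not part of the original thread: a Python check to run over a saved PIX 7.x configuration before deploying it. The function names and the embedded sample (lines copied from the configuration posted in the question) are assumptions of this example, and access lists that use object groups are not handled.

```python
import re

# Constructed sample: lines copied from the configuration posted in the thread.
SAMPLE_CONFIG = """\
access-list Outside_access_in extended permit tcp any host 81.192.X.W eq smtp
access-list inside_nat0_outbound extended permit ip any 192.168.39.240 255.255.255.248
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.39.240 255.255.255.248
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-SHA
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
MATCH_RE = re.compile(r"^crypto dynamic-map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")

def take_address(tokens):
    """Consume one address spec (any | host A | A MASK); return (spec, rest)."""
    if not tokens:
        return None, []
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return " ".join(tokens[:2]), tokens[2:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_acls(config):
    """Map ACL name -> list of (action, protocol, source, destination)."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            src, tail = take_address(rest.split())
            dst, _ = take_address(tail)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def dynamic_maps_with_any_source(config):
    """Return (map, seq, acl, destination) for each match-address entry with source any."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            map_name, seq, acl = m.groups()
            findings += [(map_name, int(seq), acl, dst)
                         for _, _, src, dst in acls.get(acl, []) if src == "any"]
    return findings

if __name__ == "__main__":
    for finding in dynamic_maps_with_any_source(SAMPLE_CONFIG):
        print("dynamic-map %s seq %d: ACL %s has source any (destination %s)" % finding)
```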
