1) I have configured a PIX 515E 6.3(4) f/w which is up & running fine for d past 3 mths. I have configured a Pool to assign IP's 2 my VPN clients. I c tht as days progress d f/w is assigning more & more higher IP's in d pool & d unused 1s r not getting flushed out. Is there anyway 2 define d lease period 4 this VPN DHCP Pool, else I'll run short of IP's.
2) Also 1 of our users is trying 2 connect 2 another PIX 515E f/w using Cisco VPN Client 4.6 from within my n/w. I have given a static NAT 2 this user. Also I have opened all ports 4 him 4 outbound traffic. The problem v face is tht whenever v dial using d VPN client v get d authentication screen & also get authenticated successfully, but d user is unable 2 browse d remote n/w. When d same user connects via dial-up Internet everything works fine. Could sum1 tell me d incoming & outgoing ports tht need 2 b kept open on PIX-515E for VPN 2 work perfectly.
3) Many users (infact me) face a problem tht whenever v try 2 connect 2 this f/w remotely from home the VPN dialer gets stuck up in d screeen "Securing Communications Channel....". Is there any sorts of fine tuning needed in my existing config.
1) Don't worry about this, the way the PIX works with IP assignment is that it'll use higher and higher ones, but it is releasing the lower ones. When it gets to the top of your pool it'll just start back down at the bottom again. Nothing to worry about and quite normal behaviour (or abnormal if you like, but that's the way it's designed anyway :-) )
2) Configure "fixup protocol esp-ike" on your PIX, this allow it to open up the correct holes for the return traffic. The issue here is primarily ESP traffic, which since it is non-TCP/UDP based the PIX doesn't open up a hole to allow the return traffic for it.
3) Not generally, difficult to say what is causing this without seeing some debug on your PIX and VPN client.
Thnx 4 all ur help. But I get d following error when I try to run "fixup protocol esp-ike"
"PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your conf
iguration and re-issue the command!"
I was successful in disabling d IKE for d Outside interface & run d fixup. But once I do a fixup 4 esp-ike, I cannot enable IKE on my outside interface. This prevents me 2 use VPN client 2 connect 2 my n/w externally. I get d error "The remote peer is no longer responding"
Yes, that's correct, you can't enable th eESP fixup if you have VPn clients coming in as well, my apologies, I should have mentioned that.
In that case then you will have to enable NAT-Transparency on your VPN client/concentrator, or whatever UDP/TCP encapsulation it has (sorry, you don't mention whethre it's a Cisco VPN client/conc or someone else's). all of them however, do some sort of UDP/TCP encapsulation of ESP packets to get around exactly the problem you're seeing, of being behind a NAT/PAT device. If you can get the client and concentrator to encapsulate the ESP packets into UDP/TCP packets, then the PIX will PAT them properly and more importantly, will open up holes for the return traffic.
If that still fails, you do mention that you have a static NAT translation in the PIX for this internal client, and that you have opened up all ports for it. Try adding the following line to your ACL:
Thnx 4 d info. For my Problem Statement 3 (VPN Client gets stuck up at "Securing Communications Channel") I interpreted something from the logs & tried out, it seems to work. I dont know whether I am rite, but I feel that the MS IPSec driver is somehow interfering. After I stopped the MS IPSec service & tried 2 connect 4 atleast 3 or 4 times, it always connected. Thnx in advance.
Oh no...My Problem no. 3 (VPN Client gets stuck up at "Securing Communications Channel") is not completely solved. I was still facing this problem after reinstalling d VPN client. I tried installing versions 4.6.0045 & 4.6.0049. Both of these versions were giving me the same problems. Finally I guess the version 4.0.5 (Rel) seems 2 work perfectly. This is d same version which I also use in Win98. Actually with this version even my authentication procedure is faster. FYI I also have a ZoneAlarm firewall installed in my PC. Does ZA conflict with any of d above mentioned versions. Thnx in advance.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :