Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Remote Connection is not working

Below is the VPN setup using wizard PIX515e.

tested on simulation it works but not on real environment.Any wrong config?

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxx encrypted

passwd xxxxxxencrypted

hostname ciscopix

domain-name cisco.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list abc_splitTunnelAcl permit ip host 192.168.253.0 any

access-list inside_outbound_nat0_acl permit ip host 192.168.253.0 192.168.253.24

8 255.255.255.248

access-list outside_cryptomap_dyn_20 permit ip any 192.168.253.248 255.255.255.2

48

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.0

ip address inside 192.168.253.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool abc 192.168.253.250-192.168.253.254

pdm location 192.168.253.0 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-

http 192.168.253.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup abc address-pool abc

vpngroup abc split-tunnel abc_splitTunnelAcl

vpngroup abc idle-time 1800

vpngroup abc password ********

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxx

: end

  • VPN
2 REPLIES
Silver

Re: Remote Connection is not working

Your ip addressing is all messed up. Your internal ip address is 192.168.253.1/24, but you are trying to use crypto maps to connect to hosts on 192.168.253.248/28, which is on the subnet that the inside interface is connected to. If the pix thought it had any traffic for those hosts, it would send it out its inside interface, and not thru a crypto tunnel that it would never attempt to negotiate

New Member

Re: Remote Connection is not working

Hi,

I suggest you make these changes and this should work:

Change the ip pool , let the ip pool be different from the inside address :

ip local pool abc 10.1.2.1-10.1.2.254

Please remove this command , match-address is used only in the case of L2L tunnel.

no access-list outside_cryptomap_dyn_20 permit ip any 192.168.253.248 255.255.255.2 48

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Please add this command:

isakmp identity address

Please refer to the following link for more information:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Let me know if you have any queries.

Deepali

208
Views
0
Helpful
2
Replies