Cisco Support Community
Remote VPN issue

I have a remote site and I need to access the network through a remote-access VPN. I made the configuration and the remote VPN is connected, but I am not able to ping the internal hosts, including the PIX inside IP.

PIX OS : 8X.0.X.X

PIX IS : 192.168.170.1

config:

interface Ethernet0
 nameif outside
 security-level 0
 ip address XX.8X.XX.XX 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.170.1 255.255.255.0
!
interface Ethernet2
 description STATE Failover Interface
 speed 100
 duplex full
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name LYCASWE
access-list 101 extended permit ip any 192.168.170.248 255.255.255.248
access-list 110 extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.255.0.0
access-list VPN-MAR extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.255.0.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPNpool 192.168.170.250-192.168.170.254
failover
failover polltime unit 3 holdtime 9
failover link STATE Ethernet2
failover interface ip STATE 172.16.35.1 255.255.255.0 standby 172.16.35.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.8X.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_OFFICE-set esp-3des esp-sha-hmac
crypto ipsec transform-set RVPN esp-des esp-md5-hmac
crypto ipsec transform-set RVPN1 esp-3des esp-md5-hmac
crypto dynamic-map DYN-map 1 set transform-set RVPN RVPN1
crypto map Sweden-map 11 match address VPN-MAR
crypto map Sweden-map 11 set peer xx7.xx8.1xx.xx
crypto map Sweden-map 11 set transform-set VPN_OFFICE-set
crypto map Sweden-map 20 ipsec-isakmp dynamic DYN-map
crypto map Sweden-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 14
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
ssh timeout 10
console timeout 0
management-access inside
service-policy global_policy global
group-policy RAswe internal
group-policy RAswe attributes
 user-authentication enable
username admin password XXXXXXXX encrypted
tunnel-group xx7.xx8.1xx.xx type ipsec-l2l
tunnel-group xx7.xx8.1xx.xx ipsec-attributes
 pre-shared-key
tunnel-group RAswe type ipsec-ra
tunnel-group RAswe general-attributes
 address-pool RemoteVPNpool
 default-group-policy RAswe
tunnel-group RAswe ipsec-attributes
 pre-shared-key

1 REPLY

Re: Remote VPN issue

1) Use a separate IP subnet for remote VPN connections.

2) You need to add the VPN subnet to your no-NAT rule, ACL 110.

3) You will not be able to ping the inside IP of the PIX. This is normal and by design.

4) If you want to access the remote site over the IPsec tunnel you need to enable same-security traffic.

HTH
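The following is an added example, not code from the original thread or from Cisco: a small Python lint that applies points 1, 2 and 4 of the reply to a constructed excerpt of the posted config and to a constructed corrected version. The 192.168.171.0/24 pool subnet, the function names and the regex-based parsing are assumptions for illustration; `same-security-traffic permit intra-interface` is the PIX/ASA command that point 4 refers to.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX config (only the lines the checks need).
AS_POSTED = """\
interface Ethernet1
 nameif inside
 ip address 192.168.170.1 255.255.255.0
access-list 110 extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.255.0.0
ip local pool RemoteVPNpool 192.168.170.250-192.168.170.254
nat (inside) 0 access-list 110
"""

# Constructed corrected version following the reply: pool moved to its own subnet
# (192.168.171.0/24 is an assumed choice), pool added to the no-NAT ACL, hairpinning allowed.
CORRECTED = """\
interface Ethernet1
 nameif inside
 ip address 192.168.170.1 255.255.255.0
same-security-traffic permit intra-interface
access-list 110 extended permit ip 192.168.170.0 255.255.255.0 10.195.0.0 255.255.0.0
access-list 110 extended permit ip 192.168.170.0 255.255.255.0 192.168.171.0 255.255.255.0
ip local pool RemoteVPNpool 192.168.171.1-192.168.171.254
nat (inside) 0 access-list 110
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_remote_vpn(cfg):
    """Return findings for the config points raised in the reply (hypothetical lint)."""
    inside = re.search(r"nameif inside\n(?:.*\n)*? ip address (\S+) (\S+)", cfg)
    inside_net = net(*inside.groups())
    lo, hi = (ipaddress.ip_address(a) for a in
              re.search(r"ip local pool \S+ ([^-\s]+)-(\S+)", cfg).groups())
    acl = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg).group(1)
    # Destinations the nat 0 ACL exempts from translation for inside sources.
    exempt = [net(d, m) for d, m in
              re.findall(rf"access-list {acl} extended permit ip \S+ \S+ (\S+) (\S+)", cfg)]
    findings = []
    if lo in inside_net or hi in inside_net:
        findings.append("pool overlaps inside subnet")        # reply point 1
    if not any(lo in n and hi in n for n in exempt):
        findings.append("pool not exempted by nat 0 ACL")     # reply point 2
    if "same-security-traffic permit intra-interface" not in cfg:
        findings.append("hairpin to L2L peer not permitted")  # reply point 4
    return findings

if __name__ == "__main__":
    print(check_remote_vpn(AS_POSTED))  # three findings
    print(check_remote_vpn(CORRECTED))  # []
```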
