Security Appliance 7.0(4) - Problem configuring IPSec over TCP
I'm configuring a PIX 525 Firewall running Security Appliance Software version 7.0(4) to support remote access VPNs using IPSec-over-TCP (port 80).
ISAKMP is enabled and the crypto map set is applied on the inside interface, which terminates the VPN tunnel from VPN clients. An ACL is applied inbound on the inside interface which permits "ip any any" (for troubleshooting purposes).
I also have configured these commands:
sysopt connection permit-ipsec
isakmp nat-traversal 3600
isakmp ipsec-over-tcp port 80
I used Cisco VPN Client Version 4.0.2 (A) to connect to the PIX but failed. The following are the error messages on the PIX:
Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)
Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I
Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside
Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80
10.1.1.1 - IP address of PIX
10.230.5.133 - IP address of my workstation from which I launched VPN
Attached is a screenshot of my VPN client configuration settings.
Can anyone please kindly tell me what's missing to make the setup work (i.e. IPSec over TCP with port 80)?
Re: Security Appliance 7.0(4) - Problem configuring IPSec over T
My VPN config was working fine before I posted this problem. FYI, the command "vpngroup" is deprecated in version 7.0 and replaced by "tunnel-group".
My problem is, there's a requirement to enable IPSec over TCP on port 80 for remote VPN clients. To the best of my knowledge, the only command needed is "isakmp ipsec-over-tcp port 80", which I configured, but it failed to work.
I included the PIX system error messages in my earlier post. Also attached was a screenshot of VPN client 4.0.2 (A).
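One way to line up the syslog messages quoted in the first post, as an added example that is not part of the original thread: this Python sketch pairs the 302013/302014 records by connection ID and attaches any later 106015 denies for the same flow. The function name and regular expressions are assumptions written against the four lines shown in the post, not a full PIX syslog grammar.

```python
import re

# The four syslog lines from the first post, embedded so the script runs offline.
SAMPLE = """\
Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)
Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I
Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside
Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80
"""

BUILT = re.compile(
    r"%PIX-6-302013: Built \w+ TCP connection (?P<id>\d+) for "
    r"[^:]+:(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dst_if>.+?):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for .*? "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")
DENY = re.compile(
    r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface \S+")

def triage(log_text):
    """Return one record per torn-down connection, with late denied packets attached."""
    conns, closed = {}, []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            conns[m["id"]] = {
                "flow": (m["src"], m["sport"], m["dst"], m["dport"]),
                "dst_if": m["dst_if"], "late_packets": []}
        elif m := TEARDOWN.search(line.rstrip()):
            c = conns.pop(m["id"], None)
            if c:  # only report teardowns whose Built record was seen
                c.update(bytes=int(m["bytes"]), duration=m["dur"], reason=m["reason"])
                closed.append(c)
        elif m := DENY.search(line):
            flow = (m["src"], m["sport"], m["dst"], m["dport"])
            for c in closed:  # packet arrived after the slot was already removed
                if c["flow"] == flow:
                    c["late_packets"].append(m["flags"])
    return closed

if __name__ == "__main__":
    for c in triage(SAMPLE):
        note = "no payload exchanged" if c["bytes"] == 0 else f'{c["bytes"]} bytes'
        print(c["flow"], c["dst_if"], c["duration"], c["reason"], note, c["late_packets"])
```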