Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Security Appliance 7.0(4) - Problem configuring IPSec over TCP

Hi Sir,

I'm configuring a PIX 525 Firewall running Security Appliance Software version 7.0(4), to support remote access VPNs using IPSec-over-TCP (port 80).

ISAKMP is enabled and crypto map set is applied on the inside interface which terminates the VPN tunnel from VPN clients. An ACL is applied inbound on inside interface which permits "ip any any" (for troubleshooting purpose).

I also have configured these commands:

sysopt connection permit-ipsec

isakmp nat-traversal 3600

isakmp ipsec-over-tcp port 80

I used Cisco VPN Client Version 4.0.2 (A) to connect to the PIX but failed. The following is error messages on the PIX:

Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)

Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I

Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside

Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80

Note:

10.1.1.1 - IP address of PIX

10.230.5.133 - IP address of my workstation from which I launched VPN

Attached is screenshot of my VPN client configuration settings.

Anyone please kindly tell me what's missing to make the setup work (i.e. IPSec over TCP with port 80)?

Thank you.

B.Rgds,

Lim TS

2 REPLIES
New Member

Re: Security Appliance 7.0(4) - Problem configuring IPSec over T

did you configure:

crypto ipsec transform-set

crypto dynamic-map

crypto map xxx 10 ipsec-isakmp dynamic

crypto map xxx interface inside

isakmp enable inside

isakmp policy

vpngroup ???

New Member

Re: Security Appliance 7.0(4) - Problem configuring IPSec over T

Hi,

My VPN config was working fine before I posted this problem. FYI, the command "vpngroup" is deprecated in version 7.0 and replaced by "tunnel-group".

My problem is, there's a requirement to enable IPSec over TCP on port 80 for remote VPN clients. To the best of my knowledge, the only command needed is "isakmp ipsec-over-tcp port 80" which I configured but failed to work.

I included the PIX system error messages in my earlier post. Also, attached was screenshot of VPN client 4.0.2 (A).

Please help.

Thank you.

B.Rgds,

Lim TS

130
Views
0
Helpful
2
Replies
CreatePlease to create content