Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

site to site pix and vpn client

Greetings all,

I need some help going thru this configuration. Previous post, I would like the head quarter PIX 515 configure so that it can accept Cisco VPN client and at the same time l2l with a remote office. I tested out the VPN client and it does not accept username in Windows active directory. But will accept local username within the pix. For my l2l, it does not work. Please review the config in attachment and see if you find something wrong.

Thank you very much!

5 REPLIES
Cisco Employee

Re: site to site pix and vpn client

Hello,

The pix code 6.3.5 will not talk to Active Directory. You must install MS IAS server (RADIUS) so that the VPN clients can talk to the IAS then IAS will talk to the AD.

On the cisco site look for 'ipsec configuration examples' and you will find a page full of IPSEC configuration examples on every cisco device (well, nearly) you will also find configuration of IAS to talk to PIX.

Support for AD is in 7.X code.

Vikas

Cisco Employee

Re: site to site pix and vpn client

Hello,

Could you post the debugs also?

Vikas

New Member

Re: site to site pix and vpn client

Hi Vikas,

Thank you for your respond. My 515E pix has version 7.1.2. It is the pix that is acting as the concentrator or the end point for the Cisco vpn clients. I configured it to use radius and it is point to a windows 2000 radius server (IAS). Previously, when i setup vpn client using ADSM, it works fine but the configurations seems not very clean. By the way, my l2l is up and working. The reason it was not working because the remote office turn off the computer. Right now, i am still having problem with the client VPN. I configure local vpn user and i can vpn but i can not access any resources. Not sure if it has anything to do with my ip pool or the access list. Also, I am attached the debug. level 1-255 debug? I turned on level 7.

Thanks

New Member

Re: site to site pix and vpn client

Update.

After I added these command, i can authenticate agains the IAS radius server.

tunnel-group IDSDYNAMICMAP general-attributes

address-pool VPNclient

authentication-server-group IDSDC02

But the problem is still this. I can't access anything inside while the VPN tunnel is establish. The error is ADSM reported:

no translation group found for tcp src outside:192.168.0.1/1817 des inside 192.168.100.10

New Member

Re: site to site pix and vpn client

Updating on this problem.

Since this PIX is version 7, it has the Cisco router IOS commands. So, the problem is the access-list IP address subnetmask. For example:

My IP local pool for remote VPN clients:

ip local pool VPNclient 172.16.0.10-172.16.0.15 mask 255.255.0.0

In PIX version 6, i can type:

access-list noNAT_inside extended permit ip any 172.16.0.0 255.255.0.0

In PIX version 7, I type the above and my VPN client will not connect to my internal network.

So, i modified it to:

access-list noNAT_inside extended permit ip any 172.16.0.8 255.255.255.248

for subneting review, take 254-248 will give me 6 IP addresses. Since in my ip pool, i defined 172.16.0.10 to .15.

Hope this helps.

152
Views
0
Helpful
5
Replies
CreatePlease to create content