Cisco Support Community
Community Member

Trying to clean up VPN conf on a PIX506

This is the config information I have on my PIX 506 related to the VPN. I'm trying to clean it up since there is no site-to-site, and I guess there are commands in there I don't need. I just want to use the Cisco VPN client and another NCP Secure Entry client (both work fine right now). I have tried cleaning it up, and then my clients cannot. I need some expert advice! What can be cleaned up here or renamed so it makes more sense?

sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 100 set transform-set strong
crypto map I-P 20 ipsec-isakmp
crypto map I-P 20 match address site2site
crypto map I-P 20 set peer
crypto map I-P 20 set transform-set strong
crypto map I-P 100 ipsec-isakmp dynamic dynmap
crypto map I-P interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

I figure once I get this cleaned up, I will remove the access-list for site2site as well. Just not 100% sure what I am doing!

Community Member

Re: Trying to clean up VPN conf on a PIX506

One thing I did, and it still allowed data to pass, was to reduce the number of isakmp policy statements. Now I just have:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Community Member

Re: Trying to clean up VPN conf on a PIX506

Leave the sysopt connection permit-ipsec statement in, and as long as you have no crypto maps you are using with the other device it should work. Without the sysopt connection permit-ipsec statement, no connections are accepted on the outside regardless of config.
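The following Python script is an added example, not code from the thread or from Cisco. It reads a PIX 6.x style config and reports the three things the thread turns on: the static (site-to-site) crypto map entry with its access-list and per-peer pre-shared key that the original poster wants to drop, the isakmp policies that still use DES, MD5 or DH group 1 (the first reply trims to a single 3DES/SHA/group 2 policy), and whether sysopt connection permit-ipsec is still present, which the second reply insists on. The sample config is constructed and abridged from the one posted above; the peer address 203.0.113.1 (an RFC 5737 documentation address) and the masked key stand in for values the poster redacted, and the line parsing is an assumption based only on the command forms shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the config posted in the thread. The poster
# redacted the peer address and key; 203.0.113.1 and "********" are placeholders.
SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 100 set transform-set strong
crypto map I-P 20 ipsec-isakmp
crypto map I-P 20 match address site2site
crypto map I-P 20 set peer 203.0.113.1
crypto map I-P 20 set transform-set strong
crypto map I-P 100 ipsec-isakmp dynamic dynmap
crypto map I-P interface outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (.+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
# Phase-1 parameters to flag: DES and MD5 are broken and 768-bit DH group 1 is
# far too small. 3DES is tolerated only because it is what the reply kept.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse_crypto_maps(config):
    """{map_name: {seq: attrs}} for numbered crypto map entries."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, words = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps[name].setdefault(seq, {"kind": "static"})
        if words[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["kind"], entry["dynamic_map"] = "dynamic", words[2]
        elif words[0] == "match":
            entry["match_address"] = words[2]
        elif words[0] == "set":
            entry[words[1].replace("-", "_")] = " ".join(words[2:])
    return maps


def parse_isakmp_policies(config):
    """{priority: {attr: value}} for isakmp policy lines."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return policies


def weak_policies(policies):
    """{priority: [reasons]} for every policy that uses a weak parameter."""
    findings = {}
    for prio, attrs in sorted(policies.items()):
        reasons = [f"{k} {attrs[k]}" for k in ("encryption", "hash", "group")
                   if attrs.get(k) in WEAK[k]]
        if reasons:
            findings[prio] = reasons
    return findings


def audit(config):
    """Report what a remote-access-only PIX could drop and which IKE policies are weak."""
    lines = [l.strip() for l in config.splitlines()]
    maps, policies = parse_crypto_maps(config), parse_isakmp_policies(config)
    # Only static entries carry a fixed peer and a match ACL: site-to-site leftovers.
    static = [(name, seq, a.get("peer", ""), a.get("match_address", ""))
              for name, entries in maps.items()
              for seq, a in sorted(entries.items()) if a["kind"] == "static"]
    static_peers = {peer for _, _, peer, _ in static if peer}
    keys = [m.groups() for m in map(KEY_RE.match, lines) if m]
    weak = weak_policies(policies)
    return {
        "static_entries": static,
        # The ACL a static entry matches on has no user once the entry goes.
        "removable_acls": sorted({acl for _, _, _, acl in static if acl}),
        # A host key for an address that is only a static peer goes with it.
        "peer_keys": [addr for addr, mask in keys
                      if mask == "255.255.255.255" and addr in static_peers],
        "weak_policies": weak,
        "acceptable_policies": sorted(p for p in policies if p not in weak),
        # The second reply's point: without this, no IPsec traffic gets in.
        "sysopt_permit_ipsec": "sysopt connection permit-ipsec" in lines,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the sample, or feed it the output of show running-config from a PIX. For the posted config it lists crypto map I-P 20, the site2site access-list and the host-specific key as the site-to-site leftovers, leaves the dynamic entry 100 alone (that is what the Cisco and NCP clients land on), and marks all three original isakmp policies as weak, which is why the reply's single 3DES/SHA/group 2 policy still carried traffic: it is the only combination the clients were negotiating anyway. Apply the actual removals from the PIX command reference rather than from this script; it only reports.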
