It seems that I am having similar problems to a lot of others in connecting remote clients to a PIX 515E.
I have currently tried both the Cisco VPN client 3.6 and 4.03 with no success. The users are authenticated fine and within the client you can see that they have been allocated an address etc., but they are unable to access the internal network. The sh crypto ipsec sa shows no encrypted traffic has hit the PIX for that SA...
Within the client status etc. it does show that packets are being encrypted, so I am at a bit of a loss.
I also have a problem with PPTP connections - this seems to differ between OS on the client, but Win2K machines can connect and get verified etc. but again cannot connect to the inside networks. Could these be related?
My current config is: (addresses etc changed)
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password xxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol sip 5060
name 10.0.0.0 Inside_All
name 10.30.1.0 Ireland1_LAN
name 22.214.171.124 Ireland1_VPN
name 126.96.36.199 IrelandSt1_VPN
name 10.30.2.0 Cardiff_LAN
name 188.8.131.52 Cardiff_VPN
access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248
access-list 101 permit ip Inside_All 255.0.0.0 Ireland1_LAN 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 Cardiff_LAN 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0
access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0
access-list outside_interface permit icmp any any echo
access-list outside_interface permit icmp any any echo-reply
access-list outside_interface permit icmp any any traceroute
access-list outside_interface permit tcp any host 184.108.40.206 eq smtp
access-list outside_interface permit ip any host 220.127.116.11
I was actually doing the testing on a different machine (no secure Remote) but using the account details from my laptop. I too have found some real problems with having the two running together and eventually gave up - hence the two machines.
But all does seem now to be OK with the Cisco client. I just used a different account and it worked straight away. I guess it's been maybe a couple of weeks since I used the SR, so the ISP may well have changed their allowed ports etc. - this will be the second time I have had to change dial-up for this reason... I should have known, but I immediately doubted my config!
As for the PPTP - any ideas? I will have another go at this in the next couple of days - I am just going to enjoy the fact that the client works after almost pulling my hair out over this one!