Velocity Reviews > Newsgroups > Computing > Cisco > VPN Client to PIX
VPN Client to PIX

 
 
GKurcon
      12-29-2003
I need to connect to a PIX 501 running 6.2(2) with either the Cisco VPN
client or a Windows built in PPTP client. I can connect with either
of these clients, but am not able to access anything on the inside
subnet (192.168.1.x). We do have a site to site VPN established with
another PIX 501 as well, which works fine. Right now it is not
necessary for me to access the remote side (192.168.2.x), as I have
read that there are issues with attempting to do so. I just want to
connect to the PIX and get to the 192.168.1.x resources. What do I
need to change in the config to accomplish this?? (I realize that I
am a few versions behind...one step at a time)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4R3vD8XGO4lVLaq6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX1
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
access-list 200 permit tcp any host x.x.185.50 eq 5632
access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.185.50 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 172.16.0.0 255.255.254.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 172.16.0.0 255.255.254.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set cityset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set cityset
crypto map citymap 1 ipsec-isakmp
crypto map citymap 1 set peer x.x.184.146
crypto map citymap 1 set transform-set cityset
crypto map citymap 2 ipsec-isakmp
crypto map citymap 2 set transform-set cityset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ciscovpn outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ctvpn address-pool ciscovpn
vpngroup ctvpn dns-server x.x.226.13
vpngroup ctvpn split-tunnel 201
vpngroup ctvpn idle-time 7200
vpngroup ctvpn password ********
vpngroup pgmr address-pool ciscovpn
vpngroup pgmr dns-server x.x.226.13
vpngroup pgmr idle-time 1800
vpngroup pgmr password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username scsadmin password ********
vpdn username cisco password ********
vpdn username gkurcon password ********
vpdn enable outside
vpdn enable inside
username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
terminal width 80
Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
 

scott enwright
      12-30-2003
G'day,

I assume when you connect using PPTP you receive an address from the pool
pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being excluded
from the NAT process so it's being translated. To correct this you need to
make access-list 111 the following:

access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
255.255.255.0

The last line is new and stops pptp traffic from being natted.

Scott.

GKurcon
      12-31-2003
Thanks for the tip. I added this line to the config but still no
luck. A consultant that I work with suggested that I add this:

static (inside,outside) 172.168.101.0 192.168.1.0 netmask 255.255.255.0 0 0

But when I add this, the only result is that all devices on the 192.168.1.0
subnet are unable to get out to the internet; I have to reboot the PIX
and also the remote PIX.

I tried removing this line, but it didn't seem to make a difference
either:

nat (inside) 1 172.16.0.0 255.255.254.0 0 0

This seems like it should be a relatively easy thing to set up, any
ideas of what I am missing? Thanks.
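
The two translation questions raised so far, Scott's point that the PPTP pool has to appear as a destination in the nat 0 access-list, and the report that the consultant's static cut the whole 192.168.1.0 subnet off from the Internet, can both be checked against the order in which a PIX 6.x applies outbound translation: nat 0 exemption first (matched on source and destination), then static (matched on source only, whatever the destination), then nat/global. The Python below is an added example written for this page, not Cisco code and not anything posted in the thread. The configuration fragments are constructed from the posted configuration, reduced to the lines that decide translation, and the static is used with the mapped address exactly as it was posted (172.168.101.0, which is not the 172.16.101.0 network the pptp-pool lives in; that is this editor's observation, not something the thread remarks on).

```python
"""PIX 6.x outbound translation order: nat 0 access-list exemption, then
static, then nat/global.  Added example for this thread, not Cisco code.
The configuration fragments are constructed from the posted configuration."""
import ipaddress
import re


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Collect the pieces of a PIX 6.x config that decide outbound translation."""
    c = {"acls": {}, "pools": {}, "statics": [], "nats": [], "nat0": None}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            c["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            c["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            c["nat0"] = m[1]
        elif m := re.match(r"nat \(inside\) (\d+) (\S+) (\S+)", line):
            c["nats"].append((int(m[1]), _net(m[2], m[3])))
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+) netmask (\S+)", line):
            # static (inside,outside) <mapped> <real> netmask <mask>.  The port
            # statics in the posted config ("static ... tcp interface ...") do
            # not match this pattern; they only affect inbound connections.
            c["statics"].append((_net(m[1], m[3]), _net(m[2], m[3])))
    return c


def translate(c, src, dst):
    """Return (rule, source address seen on the outside) for one inside->outside flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list: exemption is matched on source AND destination,
    #    so a VPN pool must appear as a destination in the ACL.
    for s_net, d_net in c["acls"].get(c["nat0"], []):
        if src in s_net and dst in d_net:
            return ("exempt", str(src))
    # 2. static: matched on the source only, for every destination.
    for mapped, real in c["statics"]:
        if src in real:
            offset = int(src) - int(real.network_address)
            return ("static", str(mapped.network_address + offset))
    # 3. nat/global: the posted config PATs nat id 1 to the outside interface.
    for nat_id, real in c["nats"]:
        if src in real:
            return ("pat", nat_id)
    return ("none", None)


def unexempted_pools(c):
    """Names of address pools whose whole range is not a destination in the nat 0 ACL."""
    exempt = [d for _, d in c["acls"].get(c["nat0"], [])]
    return [name for name, (lo, hi) in c["pools"].items()
            if not any(lo in d and hi in d for d in exempt)]


# Constructed from the first posted configuration: the nat 0 ACL covers the
# site-to-site network and the ciscovpn pool, but not the pptp-pool.
ORIGINAL = """\
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 172.16.0.0 255.255.254.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# The line Scott suggested.
WITH_NAT0_LINE = ORIGINAL + (
    "access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0\n")
# The consultant's static, with the mapped address exactly as it was posted.
WITH_STATIC = WITH_NAT0_LINE + (
    "static (inside,outside) 172.168.101.0 192.168.1.0 netmask 255.255.255.0 0 0\n")

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("with nat 0 line", WITH_NAT0_LINE),
                       ("with static", WITH_STATIC)):
        c = parse(cfg)
        print(f"{label}: pools still subject to NAT: {unexempted_pools(c)}")
        print("  192.168.1.11 -> PPTP client 172.16.101.5:",
              translate(c, "192.168.1.11", "172.16.101.5"))
        print("  192.168.1.11 -> Internet host 198.51.100.7:",
              translate(c, "192.168.1.11", "198.51.100.7"))
```

With the original fragment, replies from 192.168.1.11 to a PPTP client fall through to the nat/global rule and are PATed to the outside interface address, so the client never sees a reply from the address it sent to; Scott's line moves that flow to the exemption. In the last variant the same host's Internet-bound traffic lands on the static and leaves with a 172.168.101.x source instead of the interface address, which is this editor's reading of why every inside host lost Internet access once that line was added; the thread itself does not draw that conclusion.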
 
scott enwright
      01-01-2004
G'day,

I've just been through the configuration again and compared it to both
a working configuration and a sample Cisco configuration
(http://www.cisco.com/en/US/products/...s_configuration_example09186a0080093f89.shtml).
With that new line I suggested it should just work. Could you do a 'clear xlate'
on the box and test it again? The clear xlate command will kill all connections
that are active on the unit.

If this doesn't work, can you repost the new configuration? Maybe there is
something else stopping it now that wasn't there in your previous post.

Regards,

Scott.

GKurcon
      01-06-2004
Ok, tried the clear xlate command, it killed all connections but I
still was not able to get to the 192.168.1.x subnet. I am still able
to connect with either the VPN client (ver 3.6) or the Windows built
in dialer, but not able to route over to the 192.168.1.x network.
Here is the current config. Thanks for the continued support:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4R3vD8XGO4lVLaq6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname newburghcityhall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
access-list 200 permit tcp any host x.x.185.50 eq 5632
access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.185.50 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 172.16.0.0 255.255.254.0 inside
pdm location 172.16.101.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set cityset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set cityset
crypto map citymap 1 ipsec-isakmp
crypto map citymap 1 set peer x.x.184.146
crypto map citymap 1 set transform-set cityset
crypto map citymap 2 ipsec-isakmp
crypto map citymap 2 set transform-set cityset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ciscovpn outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ctvpn address-pool ciscovpn
vpngroup ctvpn dns-server x.x.226.13
vpngroup ctvpn split-tunnel 201
vpngroup ctvpn idle-time 7200
vpngroup ctvpn password ********
vpngroup pgmr address-pool ciscovpn
vpngroup pgmr dns-server x.x.226.13
vpngroup pgmr idle-time 1800
vpngroup pgmr password ********
vpngroup testvpn address-pool ciscovpn
vpngroup testvpn idle-time 1800
vpngroup testvpn password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.11
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username scsadmin password ********
vpdn username cityhall password ********
vpdn username gkurcon password ********
vpdn enable outside
vpdn enable inside
username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
terminal width 80
Cryptochecksum:9d077096c3b18daec412525f083931d9

"scott enwright" <(E-Mail Removed)0spam.net.au> wrote in message news:<etQIb.72741$(E-Mail Removed)>...
> G'day,
>
> I've just been through the configuration again and compared it to both
> a working configuration and to a sample Cisco configuration
> (http://www.cisco.com/en/US/products/...s_configuration_example09186a0080093f89.shtml). With that new line I suggested it should
> just work - could you do a 'clear xlate' on the box and test it again - the
> clear xlate command will kill all connections that are active on the unit.
>
> If this doesnt work can you repost the new configuration maybe there is
> something else stopping it now that wasnt there in your previous post.
>
> Regards,
>
> Scott.
>
> "GKurcon" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > Thanks for the tip. I added this line to the config but still no
> > luck. A consultant that I work with suggested that I add this:
> >
> > static (inside,outside) 172.168.101.0 192.168.1.0 netmask 255.255.255.0 0 0
> >
> > But when I add this, the only result is all devices on the 192.168.1.0
> > subnet are unable to get out to the internet, I have to reboot the PIX
> > and also the remote PIX.
> >
> > I tried removing this line, but it didn't seem to make a difference
> > either:
> >
> >
> > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> >
> > This seems like it should be a relatively easy thing to set up, any
> > ideas of what I am missing? Thanks.
> >
> > "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in message news:<WxeIb.70433$(E-Mail Removed)>...
> > > G'day,
> > >
> > > I assume when you connect using PPTP you receive an address from the pool
> > > pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being excluded
> > > from the NAT process so it's being translated. To correct this you need to
> > > make access-list 111 the following:
> > >
> > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
> > >
> > > The last line is new and stops pptp traffic from being natted.
> > >
> > > Scott.
> > >
> > >
> > > "GKurcon" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed) om...
> > > > I need to connect to a PIX 501 running 6.2(2)with either the Cisco VPN
> > > > client or a Windows built in PPTP client. I can connect with either
> > > > of these clients, but am not able to access anything on the inside
> > > > subnet (192.168.1.x). We do have a site to site VPN established with
> > > > another PIX 501 as well, which works fine. Right now it is not
> > > > necessary for me to access the remote side (192.168.2.x), as I have
> > > > read that there are issues with attempting to do so. I just want to
> > > > connect to the PIX and get to the 192.168.1.x resources. What do I
> > > > need to change in the config to accomplish this?? (I realize that I
> > > > am a few versions behind...one step at a time )
> > > >
> > > > PIX Version 6.2(2)
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > enable password 4R3vD8XGO4lVLaq6 encrypted
> > > > passwd 2KFQnbNIdI.2KYOU encrypted
> > > > hostname PIX1
> > > > domain-name ciscopix.com
> > > > fixup protocol ftp 21
> > > > fixup protocol http 80
> > > > fixup protocol h323 h225 1720
> > > > fixup protocol h323 ras 1718-1719
> > > > fixup protocol ils 389
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol smtp 25
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol sip 5060
> > > > fixup protocol skinny 2000
> > > > names
> > > > access-list acl_out permit icmp any any
> > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > pager lines 24
> > > > logging on
> > > > interface ethernet0 10baset
> > > > interface ethernet1 10full
> > > > icmp deny any outside
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > ip address outside x.x.185.50 255.255.255.252
> > > > ip address inside 192.168.1.1 255.255.255.0
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > > > pdm location 192.168.1.11 255.255.255.255 inside
> > > > pdm location 192.168.2.0 255.255.255.0 inside
> > > > pdm location 172.16.1.0 255.255.255.0 outside
> > > > pdm location 192.168.2.0 255.255.255.0 outside
> > > > pdm location 172.16.0.0 255.255.254.0 inside
> > > > pdm logging informational 100
> > > > pdm history enable
> > > > arp timeout 14400
> > > > global (outside) 1 interface
> > > > nat (inside) 0 access-list 111
> > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
> > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
> > > > access-group 200 in interface outside
> > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
> > > > timeout xlate 0:05:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server RADIUS protocol radius
> > > > aaa-server LOCAL protocol local
> > > > http server enable
> > > > http 192.168.1.0 255.255.255.0 inside
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > floodguard enable
> > > > sysopt connection permit-ipsec
> > > > sysopt connection permit-pptp
> > > > no sysopt route dnat
> > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > > > crypto dynamic-map dynmap 10 set transform-set cityset
> > > > crypto map citymap 1 ipsec-isakmp
> > > > crypto map citymap 1 set peer x.x.184.146
> > > > crypto map citymap 1 set transform-set cityset
> > > > crypto map citymap 2 ipsec-isakmp
> > > > crypto map citymap 2 set transform-set cityset
> > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > > > crypto map mymap client configuration address initiate
> > > > crypto map mymap client configuration address respond
> > > > crypto map mymap interface outside
> > > > isakmp enable outside
> > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
> > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > > > isakmp identity address
> > > > isakmp client configuration address-pool local ciscovpn outside
> > > > isakmp policy 8 authentication pre-share
> > > > isakmp policy 8 encryption des
> > > > isakmp policy 8 hash md5
> > > > isakmp policy 8 group 1
> > > > isakmp policy 8 lifetime 86400
> > > > isakmp policy 10 authentication pre-share
> > > > isakmp policy 10 encryption des
> > > > isakmp policy 10 hash md5
> > > > isakmp policy 10 group 2
> > > > isakmp policy 10 lifetime 86400
> > > > vpngroup ctvpn address-pool ciscovpn
> > > > vpngroup ctvpn dns-server x.x.226.13
> > > > vpngroup ctvpn split-tunnel 201
> > > > vpngroup ctvpn idle-time 7200
> > > > vpngroup ctvpn password ********
> > > > vpngroup pgmr address-pool ciscovpn
> > > > vpngroup pgmr dns-server x.x.226.13
> > > > vpngroup pgmr idle-time 1800
> > > > vpngroup pgmr password ********
> > > > telnet 192.168.2.0 255.255.255.0 outside
> > > > telnet 192.168.2.0 255.255.255.0 inside
> > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > telnet 192.168.1.1 255.255.255.255 inside
> > > > telnet timeout 5
> > > > ssh timeout 5
> > > > vpdn group 1 accept dialin pptp
> > > > vpdn group 1 ppp authentication pap
> > > > vpdn group 1 ppp authentication chap
> > > > vpdn group 1 ppp authentication mschap
> > > > vpdn group 1 ppp encryption mppe 40
> > > > vpdn group 1 client configuration address local pptp-pool
> > > > vpdn group 1 pptp echo 60
> > > > vpdn group 1 client authentication local
> > > > vpdn username scsadmin password ********
> > > > vpdn username cisco password ********
> > > > vpdn username gkurcon password ********
> > > > vpdn enable outside
> > > > vpdn enable inside
> > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
> > > > terminal width 80
> > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4

 
 
scott enwright
 
      01-07-2004

Try this configuration; I have noted the changes where needed. Don't just cut
and paste it in as I don't have all the passwords etc. Please don't save this
configuration, just test it and let me know how it goes. If it doesn't work
please turn on the following debugs and enable "terminal monitor" (and maybe
"logging monitor debugging") so we can see what is going on with the following
debugging options enabled:

debug ppp io
debug ppp error
debug vpdn error
debug vpdn packet
debug vpdn events
debug ppp uauth

Please repost the configuration before losing it so we can see *definitely*
what it was.

------------------------------------------------------------

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 4R3vD8XGO4lVLaq6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname newburghcityhall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
!--- Access list 110 added - please change the <destination subnet> to
!--- suit the site-to-site connection. This connection must be broken
!--- at the moment or it is being initiated from the other end.
access-list 110 permit ip 192.168.1.0 255.255.255.0 <destination subnet> 255.255.255.0
!--- end of newly added lines
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
access-list 200 permit tcp any host x.x.185.50 eq 5632
access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.185.50 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 172.16.0.0 255.255.254.0 inside
pdm location 172.16.101.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set cityset esp-des esp-md5-hmac
!------------ Changes made in here ----------------------
crypto dynamic-map dynmap 30 set transform-set cityset
crypto map citymap 10 ipsec-isakmp
crypto map citymap 10 match address 110
crypto map citymap 10 set peer x.x.184.146
crypto map citymap 10 set transform-set cityset
crypto map citymap 20 ipsec-isakmp dynamic dynmap
crypto map citymap interface outside
!----------- end of changes - note some lines deleted as well
isakmp enable outside
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
!--- The line below is not needed please remove it
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ciscovpn outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ctvpn address-pool ciscovpn
vpngroup ctvpn dns-server x.x.226.13
vpngroup ctvpn split-tunnel 201
vpngroup ctvpn idle-time 7200
vpngroup ctvpn password ********
vpngroup pgmr address-pool ciscovpn
vpngroup pgmr dns-server x.x.226.13
vpngroup pgmr idle-time 1800
vpngroup pgmr password ********
vpngroup testvpn address-pool ciscovpn
vpngroup testvpn idle-time 1800
vpngroup testvpn password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
!--- The line below is not needed please remove it
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.11
!--- The line below is not needed please remove it
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username scsadmin password ********
vpdn username cityhall password ********
vpdn username gkurcon password ********
vpdn enable outside
!--- The line below is not needed please remove it
vpdn enable inside
username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
terminal width 80





Regards,

Scott.
\|/
(o o)
---------------------oOOO--(_)--OOOo----------------------
Out the 100Base-T, off the firewall, through the router, down
the T1, over the leased line, off the bridge, nothing but Net.
(Use ROT13 to see my email address)
.oooO Oooo.
----------------------( )---( )-----------------------
\ ( ) /
\_) (_/


"GKurcon" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> Ok, tried the clear xlate command, it killed all connections but I
> still was not able to get to the 192.168.1.x subnet. I am still able
> to connect with either the VPN client (ver 3.6) or the Windows built
> in dialer, but not able to route over to the 192.168.1.x network.
> Here is the current config. Thanks for the continued support:
>
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 4R3vD8XGO4lVLaq6 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname newburghcityhall
> domain-name ciscopix.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list acl_out permit icmp any any
> access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
> access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> access-list 200 permit tcp any host x.x.185.50 eq 5632
> access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> pager lines 24
> logging on
> interface ethernet0 10baset
> interface ethernet1 10full
> icmp deny any outside
> mtu outside 1500
> mtu inside 1500
> ip address outside x.x.185.50 255.255.255.252
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool ciscovpn 172.16.1.1-172.16.1.20
> ip local pool pptp-pool 172.16.101.1-172.16.101.14
> pdm location 192.168.1.11 255.255.255.255 inside
> pdm location 192.168.2.0 255.255.255.0 inside
> pdm location 172.16.1.0 255.255.255.0 outside
> pdm location 192.168.2.0 255.255.255.0 outside
> pdm location 172.16.0.0 255.255.254.0 inside
> pdm location 172.16.101.0 255.255.255.0 outside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 111
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
> static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
> access-group 200 in interface outside
> route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> no sysopt route dnat
> crypto ipsec transform-set cityset esp-des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set cityset
> crypto map citymap 1 ipsec-isakmp
> crypto map citymap 1 set peer x.x.184.146
> crypto map citymap 1 set transform-set cityset
> crypto map citymap 2 ipsec-isakmp
> crypto map citymap 2 set transform-set cityset
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap client configuration address initiate
> crypto map mymap client configuration address respond
> crypto map mymap interface outside
> isakmp enable outside
> isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> isakmp identity address
> isakmp client configuration address-pool local ciscovpn outside
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption des
> isakmp policy 8 hash md5
> isakmp policy 8 group 1
> isakmp policy 8 lifetime 86400
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup ctvpn address-pool ciscovpn
> vpngroup ctvpn dns-server x.x.226.13
> vpngroup ctvpn split-tunnel 201
> vpngroup ctvpn idle-time 7200
> vpngroup ctvpn password ********
> vpngroup pgmr address-pool ciscovpn
> vpngroup pgmr dns-server x.x.226.13
> vpngroup pgmr idle-time 1800
> vpngroup pgmr password ********
> vpngroup testvpn address-pool ciscovpn
> vpngroup testvpn idle-time 1800
> vpngroup testvpn password ********
> telnet 192.168.2.0 255.255.255.0 outside
> telnet 192.168.2.0 255.255.255.0 inside
> telnet 192.168.1.0 255.255.255.0 inside
> telnet 192.168.1.1 255.255.255.255 inside
> telnet timeout 5
> ssh timeout 5
> vpdn group 1 accept dialin pptp
> vpdn group 1 ppp authentication pap
> vpdn group 1 ppp authentication chap
> vpdn group 1 ppp authentication mschap
> vpdn group 1 ppp encryption mppe 40
> vpdn group 1 client configuration address local pptp-pool
> vpdn group 1 client configuration dns 192.168.1.11
> vpdn group 1 pptp echo 60
> vpdn group 1 client authentication local
> vpdn username scsadmin password ********
> vpdn username cityhall password ********
> vpdn username gkurcon password ********
> vpdn enable outside
> vpdn enable inside
> username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
> terminal width 80
> Cryptochecksum:9d077096c3b18daec412525f083931d9
>
> "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in message news:<etQIb.72741$(E-Mail Removed)>...
> > G'day,
> >
> > I've just been through the configuration again and compared it to both
> > a working configuration and to a sample Cisco configuration
> > (http://www.cisco.com/en/US/products/...s_configuration_example09186a0080093f89.shtml). With that new line I suggested it should
> > just work - could you do a 'clear xlate' on the box and test it again - the
> > clear xlate command will kill all connections that are active on the unit.
> >
> > If this doesnt work can you repost the new configuration maybe there is
> > something else stopping it now that wasnt there in your previous post.
> >
> > Regards,
> >
> > Scott.
> >
> > "GKurcon" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) om...
> > > Thanks for the tip. I added this line to the config but still no
> > > luck. A consultant that I work with suggested that I add this:
> > >
> > > static (inside,outside) 172.168.101.0 192.168.1.0 netmask 255.255.255.0 0 0
> > >
> > > But when I add this, the only result is all devices on the 192.168.1.0
> > > subnet are unable to get out to the internet, I have to reboot the PIX
> > > and also the remote PIX.
> > >
> > > I tried removing this line, but it didn't seem to make a difference
> > > either:
> > >
> > >
> > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > >
> > > This seems like it should be a relatively easy thing to set up, any
> > > ideas of what I am missing? Thanks.
> > >
> > > "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in message news:<WxeIb.70433$(E-Mail Removed)>...
> > > > G'day,
> > > >
> > > > I assume when you connect using PPTP you receive an address from the pool
> > > > pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being excluded
> > > > from the NAT process so it's being translated. To correct this you need to
> > > > make access-list 111 the following:
> > > >
> > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
> > > >
> > > > The last line is new and stops pptp traffic from being natted.
> > > >
> > > > Scott.
> > > >
> > > >
> > > > "GKurcon" <(E-Mail Removed)> wrote in message
> > > > news:(E-Mail Removed) om...
> > > > > I need to connect to a PIX 501 running 6.2(2) with either the Cisco VPN
> > > > > client or a Windows built in PPTP client. I can connect with either
> > > > > of these clients, but am not able to access anything on the inside
> > > > > subnet (192.168.1.x). We do have a site to site VPN established with
> > > > > another PIX 501 as well, which works fine. Right now it is not
> > > > > necessary for me to access the remote side (192.168.2.x), as I have
> > > > > read that there are issues with attempting to do so. I just want to
> > > > > connect to the PIX and get to the 192.168.1.x resources. What do I
> > > > > need to change in the config to accomplish this?? (I realize that I
> > > > > am a few versions behind...one step at a time )
> > > > >
> > > > > PIX Version 6.2(2)
> > > > > nameif ethernet0 outside security0
> > > > > nameif ethernet1 inside security100
> > > > > enable password 4R3vD8XGO4lVLaq6 encrypted
> > > > > passwd 2KFQnbNIdI.2KYOU encrypted
> > > > > hostname PIX1
> > > > > domain-name ciscopix.com
> > > > > fixup protocol ftp 21
> > > > > fixup protocol http 80
> > > > > fixup protocol h323 h225 1720
> > > > > fixup protocol h323 ras 1718-1719
> > > > > fixup protocol ils 389
> > > > > fixup protocol rsh 514
> > > > > fixup protocol rtsp 554
> > > > > fixup protocol smtp 25
> > > > > fixup protocol sqlnet 1521
> > > > > fixup protocol sip 5060
> > > > > fixup protocol skinny 2000
> > > > > names
> > > > > access-list acl_out permit icmp any any
> > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > > pager lines 24
> > > > > logging on
> > > > > interface ethernet0 10baset
> > > > > interface ethernet1 10full
> > > > > icmp deny any outside
> > > > > mtu outside 1500
> > > > > mtu inside 1500
> > > > > ip address outside x.x.185.50 255.255.255.252
> > > > > ip address inside 192.168.1.1 255.255.255.0
> > > > > ip audit info action alarm
> > > > > ip audit attack action alarm
> > > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > > > > pdm location 192.168.1.11 255.255.255.255 inside
> > > > > pdm location 192.168.2.0 255.255.255.0 inside
> > > > > pdm location 172.16.1.0 255.255.255.0 outside
> > > > > pdm location 192.168.2.0 255.255.255.0 outside
> > > > > pdm location 172.16.0.0 255.255.254.0 inside
> > > > > pdm logging informational 100
> > > > > pdm history enable
> > > > > arp timeout 14400
> > > > > global (outside) 1 interface
> > > > > nat (inside) 0 access-list 111
> > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
> > > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
> > > > > access-group 200 in interface outside
> > > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
> > > > > timeout xlate 0:05:00
> > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > > timeout uauth 0:05:00 absolute
> > > > > aaa-server TACACS+ protocol tacacs+
> > > > > aaa-server RADIUS protocol radius
> > > > > aaa-server LOCAL protocol local
> > > > > http server enable
> > > > > http 192.168.1.0 255.255.255.0 inside
> > > > > no snmp-server location
> > > > > no snmp-server contact
> > > > > snmp-server community public
> > > > > no snmp-server enable traps
> > > > > floodguard enable
> > > > > sysopt connection permit-ipsec
> > > > > sysopt connection permit-pptp
> > > > > no sysopt route dnat
> > > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > > > > crypto dynamic-map dynmap 10 set transform-set cityset
> > > > > crypto map citymap 1 ipsec-isakmp
> > > > > crypto map citymap 1 set peer x.x.184.146
> > > > > crypto map citymap 1 set transform-set cityset
> > > > > crypto map citymap 2 ipsec-isakmp
> > > > > crypto map citymap 2 set transform-set cityset
> > > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > > > > crypto map mymap client configuration address initiate
> > > > > crypto map mymap client configuration address respond
> > > > > crypto map mymap interface outside
> > > > > isakmp enable outside
> > > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
> > > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > > > > isakmp identity address
> > > > > isakmp client configuration address-pool local ciscovpn outside
> > > > > isakmp policy 8 authentication pre-share
> > > > > isakmp policy 8 encryption des
> > > > > isakmp policy 8 hash md5
> > > > > isakmp policy 8 group 1
> > > > > isakmp policy 8 lifetime 86400
> > > > > isakmp policy 10 authentication pre-share
> > > > > isakmp policy 10 encryption des
> > > > > isakmp policy 10 hash md5
> > > > > isakmp policy 10 group 2
> > > > > isakmp policy 10 lifetime 86400
> > > > > vpngroup ctvpn address-pool ciscovpn
> > > > > vpngroup ctvpn dns-server x.x.226.13
> > > > > vpngroup ctvpn split-tunnel 201
> > > > > vpngroup ctvpn idle-time 7200
> > > > > vpngroup ctvpn password ********
> > > > > vpngroup pgmr address-pool ciscovpn
> > > > > vpngroup pgmr dns-server x.x.226.13
> > > > > vpngroup pgmr idle-time 1800
> > > > > vpngroup pgmr password ********
> > > > > telnet 192.168.2.0 255.255.255.0 outside
> > > > > telnet 192.168.2.0 255.255.255.0 inside
> > > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > > telnet 192.168.1.1 255.255.255.255 inside
> > > > > telnet timeout 5
> > > > > ssh timeout 5
> > > > > vpdn group 1 accept dialin pptp
> > > > > vpdn group 1 ppp authentication pap
> > > > > vpdn group 1 ppp authentication chap
> > > > > vpdn group 1 ppp authentication mschap
> > > > > vpdn group 1 ppp encryption mppe 40
> > > > > vpdn group 1 client configuration address local pptp-pool
> > > > > vpdn group 1 pptp echo 60
> > > > > vpdn group 1 client authentication local
> > > > > vpdn username scsadmin password ********
> > > > > vpdn username cisco password ********
> > > > > vpdn username gkurcon password ********
> > > > > vpdn enable outside
> > > > > vpdn enable inside
> > > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
> > > > > terminal width 80
> > > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
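Scott's two fixes in this thread are both mechanical checks: the first reply adds the PPTP pool to the nat 0 ACL so that replies from 192.168.1.x to VPN clients are not PATed to the outside address, and the 01-07 configuration binds a single crypto map to the outside interface with a `match address` ACL on the site-to-site entry (the posted config has `citymap` with no `match address` and only `mymap` applied to the interface). The following is an added Python example, not code from the thread or from Cisco, that runs those two checks over a PIX 6.x config text and also flags the weak settings visible in the posted config: DES, MD5, DH group 1, the wildcard pre-shared key Scott asks to remove, the `public` SNMP community, telnet on the outside interface, PAP and 40-bit MPPE. `SAMPLE_CONFIG` is a constructed subset of GKurcon's posted configuration with the masked peer replaced by 192.0.2.146, and the function names are the example's own. One caveat on the suggested configuration above: it drops the `mppe 40` line rather than strengthening it, which leaves the PPTP session without MPPE; the PIX 6.x alternative is `vpdn group 1 ppp encryption mppe 128 required`, which is what the lint suggests.

```python
"""Lint a PIX 6.x running-config for the VPN problems raised in this thread.
Added example, not code from the thread; SAMPLE_CONFIG is a constructed subset of
GKurcon's posted config with the masked site-to-site peer replaced by 192.0.2.146."""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
crypto ipsec transform-set cityset esp-des esp-md5-hmac
crypto map citymap 1 ipsec-isakmp
crypto map citymap 1 set peer 192.0.2.146
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp key ******** address 192.0.2.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
telnet 192.168.2.0 255.255.255.0 outside
vpdn group 1 ppp authentication pap
vpdn group 1 ppp encryption mppe 40
"""

# (pattern, reason); remediation text uses PIX 6.x command syntax
WEAK_SETTINGS = [
    (r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$", "wildcard pre-shared key, any peer "
     "that knows it can negotiate IKE; remove with 'no isakmp key <key> address 0.0.0.0 netmask 0.0.0.0'"),
    (r"crypto ipsec transform-set \S+ esp-des\b", "single DES for IPsec"),
    (r"isakmp policy \d+ encryption des$", "single DES for IKE"),
    (r"isakmp policy \d+ hash md5$", "MD5 for IKE"),
    (r"isakmp policy \d+ group 1$", "768-bit DH group 1 for IKE"),
    (r"snmp-server community public$", "default SNMP community string"),
    (r"telnet \S+ \S+ outside$", "telnet management on the outside interface; prefer ssh"),
    (r"vpdn group \S+ ppp authentication pap$", "PAP sends the PPTP password in the clear"),
    (r"vpdn group \S+ ppp encryption mppe 40$", "40-bit MPPE; use 'mppe 128 required'"),
]

def config_lines(config):
    # stripped, non-empty, non-comment lines of a running-config
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]

def nat_exempt_destinations(lines):
    """Destination networks of the ACLs named by 'nat (ifc) 0 access-list NAME';
    inside traffic to those networks bypasses NAT."""
    exempt_acls = {m.group(1) for m in map(re.compile(r"nat \(\S+\) 0 access-list (\S+)$").match, lines) if m}
    found = (re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", l) for l in lines)
    return [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in found if m and m.group(1) in exempt_acls]

def address_pools(lines):
    """name -> (first, last) address of each 'ip local pool'."""
    found = (re.match(r"ip local pool (\S+) (\S+)-(\S+)$", l) for l in lines)
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in found if m}

def check_pools_exempt_from_nat(lines):
    """Scott's first fix: a VPN client pool must be a nat 0 destination, otherwise
    replies from the inside are PATed to the outside address and never get back."""
    exempt = nat_exempt_destinations(lines)
    return [f"pool {name} ({first}-{last}) is not a destination in the nat 0 ACL"
            for name, (first, last) in address_pools(lines).items()
            if not any(first in net and last in net for net in exempt)]

def check_crypto_maps(lines):
    """The 01-07 fix: a crypto map is inert until 'crypto map NAME interface IFC' binds
    it, and a static entry needs 'match address ACL' to define interesting traffic."""
    bound = {m.group(1) for m in map(re.compile(r"crypto map (\S+) interface \S+$").match, lines) if m}
    entries = {}
    for m in map(re.compile(r"crypto map (\S+) (\d+) (.+)$").match, lines):
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
    findings = []
    for (name, seq), subs in sorted(entries.items()):
        if name not in bound:
            findings.append(f"crypto map {name} {seq}: map {name} is never applied to an interface")
        if not any(s.startswith(("ipsec-isakmp dynamic ", "match address ")) for s in subs):
            findings.append(f"crypto map {name} {seq}: static entry has no 'match address'")
    return findings

def check_weak_settings(lines):
    return [f"{l}: {why}" for l in lines for pat, why in WEAK_SETTINGS if re.match(pat, l)]

def lint(config):
    lines = config_lines(config)
    return check_pools_exempt_from_nat(lines) + check_crypto_maps(lines) + check_weak_settings(lines)

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run it directly to print the findings for the sample, or pass the text of `show running-config` to `lint()`. Removing the wildcard key, which is the question in the last post, is the `no` form of the same command with the key string included, and that is the remediation the lint prints for it.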



 
 
GKurcon
 
      01-08-2004
How do I remove the line:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

Thanks!


"scott enwright" <(E-Mail Removed)> wrote in message news:<8_SKb.81897$(E-Mail Removed)>...
> Try this configuration; I have noted the changes where needed. Don't just cut
> and paste it in as I don't have all the passwords etc. Please don't save this
> configuration, just test it and let me know how it goes. If it doesn't work
> please turn on the following debugs and enable "terminal monitor" (and maybe
> "logging monitor debugging") so we can see what is going on with the following
> debugging options enabled:
>
> debug ppp io
> debug ppp error
> debug vpdn error
> debug vpdn packet
> debug vpdn events
> debug ppp uauth
>
> Please repost the configuration before losing it so we can see *definitely*
> what it was.
>
> ------------------------------------------------------------
>
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 4R3vD8XGO4lVLaq6 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname newburghcityhall
> domain-name ciscopix.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list acl_out permit icmp any any
> !--- Access list 110 added - please change the <destination subnet> to
> !--- suit the site-to-site connection. This connection must be broken
> !--- at the moment or it is being initiated from the other end.
> access-list 110 permit ip 192.168.1.0 255.255.255.0 <destination subnet>
> 255.255.255.0
> !-- end of newly added lines
> access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> 255.255.255.0
> access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
> 255.255.255.0
> access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> access-list 200 permit tcp any host x.x.185.50 eq 5632
> access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> pager lines 24
> logging on
> interface ethernet0 10baset
> interface ethernet1 10full
> icmp deny any outside
> mtu outside 1500
> mtu inside 1500
> ip address outside x.x.185.50 255.255.255.252
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool ciscovpn 172.16.1.1-172.16.1.20
> ip local pool pptp-pool 172.16.101.1-172.16.101.14
> pdm location 192.168.1.11 255.255.255.255 inside
> pdm location 192.168.2.0 255.255.255.0 inside
> pdm location 172.16.1.0 255.255.255.0 outside
> pdm location 192.168.2.0 255.255.255.0 outside
> pdm location 172.16.0.0 255.255.254.0 inside
> pdm location 172.16.101.0 255.255.255.0 outside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 111
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
> pcanywhere-data netmask 255.255.255.255 0 20
> static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
> 255.255.255.255 0 0
> access-group 200 in interface outside
> route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> no sysopt route dnat
> crypto ipsec transform-set cityset esp-des esp-md5-hmac
> !------------ Changes made in here ----------------------
> crypto dynamic-map dynmap 30 set transform-set cityset
> crypto map citymap 10 ipsec-isakmp
> crypto map citymap 10 match address 110
> crypto map citymap 10 set peer x.x.184.146
> crypto map citymap 10 set transform-set cityset
> crypto map citymap 20 ipsec-isakmp dynamic dynmap
> crypto map citymap interface outside
> !----------- end of changes - note some lines deleted as well
> isakmp enable outside
> isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth
> no-config-mode
> !--- The line below is not needed please remove it
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> isakmp identity address
> isakmp client configuration address-pool local ciscovpn outside
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption des
> isakmp policy 8 hash md5
> isakmp policy 8 group 1
> isakmp policy 8 lifetime 86400
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup ctvpn address-pool ciscovpn
> vpngroup ctvpn dns-server x.x.226.13
> vpngroup ctvpn split-tunnel 201
> vpngroup ctvpn idle-time 7200
> vpngroup ctvpn password ********
> vpngroup pgmr address-pool ciscovpn
> vpngroup pgmr dns-server x.x.226.13
> vpngroup pgmr idle-time 1800
> vpngroup pgmr password ********
> vpngroup testvpn address-pool ciscovpn
> vpngroup testvpn idle-time 1800
> vpngroup testvpn password ********
> telnet 192.168.2.0 255.255.255.0 outside
> telnet 192.168.2.0 255.255.255.0 inside
> telnet 192.168.1.0 255.255.255.0 inside
> telnet 192.168.1.1 255.255.255.255 inside
> telnet timeout 5
> ssh timeout 5
> vpdn group 1 accept dialin pptp
> vpdn group 1 ppp authentication pap
> vpdn group 1 ppp authentication chap
> vpdn group 1 ppp authentication mschap
> !--- The line below is not needed please remove it
> vpdn group 1 ppp encryption mppe 40
> vpdn group 1 client configuration address local pptp-pool
> vpdn group 1 client configuration dns 192.168.1.11
> !--- The line below is not needed please remove it
> vpdn group 1 pptp echo 60
> vpdn group 1 client authentication local
> vpdn username scsadmin password ********
> vpdn username cityhall password ********
> vpdn username gkurcon password ********
> vpdn enable outside
> !--- The line below is not needed please remove it
> vpdn enable inside
> username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
> terminal width 80
>
>
>
>
>
> Regards,
>
> Scott.
> \|/
> (o o)
> ---------------------oOOO--(_)--OOOo----------------------
> Out the 100Base-T, off the firewall, through the router, down
> the T1, over the leased line, off the bridge, nothing but Net.
> (Use ROT13 to see my email address)
> .oooO Oooo.
> ----------------------( )---( )-----------------------
> \ ( ) /
> \_) (_/
>
>
> "GKurcon" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > Ok, tried the clear xlate command, it killed all connections but I
> > still was not able to get to the 192.168.1.x subnet. I am still able
> > to connect with either the VPN client (ver 3.6) or the Windows built
> > in dialer, but not able to route over to the 192.168.1.x network.
> > Here is the current config. Thanks for the continued support:
> >
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password 4R3vD8XGO4lVLaq6 encrypted
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > hostname newburghcityhall
> > domain-name ciscopix.com
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list acl_out permit icmp any any
> > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> > 255.255.255.0
> > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > 255.255.255.0
> > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
> > 255.255.255.0
> > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > 255.255.255.0
> > pager lines 24
> > logging on
> > interface ethernet0 10baset
> > interface ethernet1 10full
> > icmp deny any outside
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside x.x.185.50 255.255.255.252
> > ip address inside 192.168.1.1 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > pdm location 192.168.1.11 255.255.255.255 inside
> > pdm location 192.168.2.0 255.255.255.0 inside
> > pdm location 172.16.1.0 255.255.255.0 outside
> > pdm location 192.168.2.0 255.255.255.0 outside
> > pdm location 172.16.0.0 255.255.254.0 inside
> > pdm location 172.16.101.0 255.255.255.0 outside
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list 111
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
> > pcanywhere-data netmask 255.255.255.255 0 20
> > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
> > 255.255.255.255 0 0
> > access-group 200 in interface outside
> > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > http server enable
> > http 192.168.1.0 255.255.255.0 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > sysopt connection permit-ipsec
> > sysopt connection permit-pptp
> > no sysopt route dnat
> > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > crypto dynamic-map dynmap 10 set transform-set cityset
> > crypto map citymap 1 ipsec-isakmp
> > crypto map citymap 1 set peer x.x.184.146
> > crypto map citymap 1 set transform-set cityset
> > crypto map citymap 2 ipsec-isakmp
> > crypto map citymap 2 set transform-set cityset
> > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > crypto map mymap client configuration address initiate
> > crypto map mymap client configuration address respond
> > crypto map mymap interface outside
> > isakmp enable outside
> > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth
> > no-config-mode
> > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > isakmp identity address
> > isakmp client configuration address-pool local ciscovpn outside
> > isakmp policy 8 authentication pre-share
> > isakmp policy 8 encryption des
> > isakmp policy 8 hash md5
> > isakmp policy 8 group 1
> > isakmp policy 8 lifetime 86400
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> > vpngroup ctvpn address-pool ciscovpn
> > vpngroup ctvpn dns-server x.x.226.13
> > vpngroup ctvpn split-tunnel 201
> > vpngroup ctvpn idle-time 7200
> > vpngroup ctvpn password ********
> > vpngroup pgmr address-pool ciscovpn
> > vpngroup pgmr dns-server x.x.226.13
> > vpngroup pgmr idle-time 1800
> > vpngroup pgmr password ********
> > vpngroup testvpn address-pool ciscovpn
> > vpngroup testvpn idle-time 1800
> > vpngroup testvpn password ********
> > telnet 192.168.2.0 255.255.255.0 outside
> > telnet 192.168.2.0 255.255.255.0 inside
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet 192.168.1.1 255.255.255.255 inside
> > telnet timeout 5
> > ssh timeout 5
> > vpdn group 1 accept dialin pptp
> > vpdn group 1 ppp authentication pap
> > vpdn group 1 ppp authentication chap
> > vpdn group 1 ppp authentication mschap
> > vpdn group 1 ppp encryption mppe 40
> > vpdn group 1 client configuration address local pptp-pool
> > vpdn group 1 client configuration dns 192.168.1.11
> > vpdn group 1 pptp echo 60
> > vpdn group 1 client authentication local
> > vpdn username scsadmin password ********
> > vpdn username cityhall password ********
> > vpdn username gkurcon password ********
> > vpdn enable outside
> > vpdn enable inside
> > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
> > terminal width 80
> > Cryptochecksum:9d077096c3b18daec412525f083931d9
> >
> > "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in message
> > news:<etQIb.72741$(E-Mail Removed)>...
> > > G'day,
> > >
> > > I've just been through the configuration again and compared it to both
> > > a working configuration and to a sample Cisco configuration
> > >

> (http://www.cisco.com/en/US/products/...s_configuratio
> > > n_example09186a0080093f89.shtml). With that new line I suggested it

> should
> > > just work - could you do a 'clear xlate' on the box and test it again -

> the
> > > clear xlate command will kill all connections that are active on the

> unit.
> > >
> > > If this doesn't work can you repost the new configuration; maybe there is
> > > something else stopping it now that wasn't there in your previous post.
> > >
> > > Regards,
> > >
> > > Scott.
> > >
> > > "GKurcon" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed) om...
> > > > Thanks for the tip. I added this line to the config but still no
> > > > luck. A consultant that I work with suggested that I add this:
> > > >
> > > > static (inside,outside) 172.168.101.0 192.168.1.0 netmask
> > > > 255.255.255.0 0 0
> > > >
> > > > But when I add this, the only result is all devices on the 192.168.1.0
> > > > subnet are unable to get out to the internet, I have to reboot the PIX
> > > > and also the remote PIX.
> > > >
> > > > I tried removing this line, but it didn't seem to make a difference
> > > > either:
> > > >
> > > >
> > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > > >
> > > > This seems like it should be a relatively easy thing to set up, any
> > > > ideas of what I am missing? Thanks.
> > > >
> > > > "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in message
> > > > news:<WxeIb.70433$(E-Mail Removed)>...
> > > > > G'day,
> > > > >
> > > > > I assume when you connect using PPTP you receive an address from the
> > > > > pool pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being
> > > > > excluded from the NAT process so it's being translated. To correct this
> > > > > you need to make access-list 111 the following:
> > > > >
> > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> > > > > 255.255.255.0
> > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > > > > 255.255.255.0
> > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
> > > > > 255.255.255.0
> > > > >
> > > > > The last line is new and stops pptp traffic from being natted.
> > > > >
> > > > > Scott.
> > > > >
> > > > >
> > > > > "GKurcon" <(E-Mail Removed)> wrote in message
> > > > > news:(E-Mail Removed) om...
> > > > > > I need to connect to a PIX 501 running 6.2(2) with either the Cisco
> > > > > > VPN client or a Windows built in PPTP client. I can connect with
> > > > > > either of these clients, but am not able to access anything on the
> > > > > > inside subnet (192.168.1.x). We do have a site to site VPN established
> > > > > > with another PIX 501 as well, which works fine. Right now it is not
> > > > > > necessary for me to access the remote side (192.168.2.x), as I have
> > > > > > read that there are issues with attempting to do so. I just want to
> > > > > > connect to the PIX and get to the 192.168.1.x resources. What do I
> > > > > > need to change in the config to accomplish this?? (I realize that I
> > > > > > am a few versions behind...one step at a time )
> > > > > >
> > > > > > PIX Version 6.2(2)
> > > > > > nameif ethernet0 outside security0
> > > > > > nameif ethernet1 inside security100
> > > > > > enable password 4R3vD8XGO4lVLaq6 encrypted
> > > > > > passwd 2KFQnbNIdI.2KYOU encrypted
> > > > > > hostname PIX1
> > > > > > domain-name ciscopix.com
> > > > > > fixup protocol ftp 21
> > > > > > fixup protocol http 80
> > > > > > fixup protocol h323 h225 1720
> > > > > > fixup protocol h323 ras 1718-1719
> > > > > > fixup protocol ils 389
> > > > > > fixup protocol rsh 514
> > > > > > fixup protocol rtsp 554
> > > > > > fixup protocol smtp 25
> > > > > > fixup protocol sqlnet 1521
> > > > > > fixup protocol sip 5060
> > > > > > fixup protocol skinny 2000
> > > > > > names
> > > > > > access-list acl_out permit icmp any any
> > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> > > > > > 255.255.255.0
> > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > > > > > 255.255.255.0
> > > > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > > > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > > > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > > > > > 255.255.255.0
> > > > > > pager lines 24
> > > > > > logging on
> > > > > > interface ethernet0 10baset
> > > > > > interface ethernet1 10full
> > > > > > icmp deny any outside
> > > > > > mtu outside 1500
> > > > > > mtu inside 1500
> > > > > > ip address outside x.x.185.50 255.255.255.252
> > > > > > ip address inside 192.168.1.1 255.255.255.0
> > > > > > ip audit info action alarm
> > > > > > ip audit attack action alarm
> > > > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > > > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > > > > > pdm location 192.168.1.11 255.255.255.255 inside
> > > > > > pdm location 192.168.2.0 255.255.255.0 inside
> > > > > > pdm location 172.16.1.0 255.255.255.0 outside
> > > > > > pdm location 192.168.2.0 255.255.255.0 outside
> > > > > > pdm location 172.16.0.0 255.255.254.0 inside
> > > > > > pdm logging informational 100
> > > > > > pdm history enable
> > > > > > arp timeout 14400
> > > > > > global (outside) 1 interface
> > > > > > nat (inside) 0 access-list 111
> > > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
> > > > > > pcanywhere-data netmask 255.255.255.255 0 20
> > > > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
> > > > > > 255.255.255.255 0 0
> > > > > > access-group 200 in interface outside
> > > > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
> > > > > > timeout xlate 0:05:00
> > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > > > > > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > > > timeout uauth 0:05:00 absolute
> > > > > > aaa-server TACACS+ protocol tacacs+
> > > > > > aaa-server RADIUS protocol radius
> > > > > > aaa-server LOCAL protocol local
> > > > > > http server enable
> > > > > > http 192.168.1.0 255.255.255.0 inside
> > > > > > no snmp-server location
> > > > > > no snmp-server contact
> > > > > > snmp-server community public
> > > > > > no snmp-server enable traps
> > > > > > floodguard enable
> > > > > > sysopt connection permit-ipsec
> > > > > > sysopt connection permit-pptp
> > > > > > no sysopt route dnat
> > > > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > > > > > crypto dynamic-map dynmap 10 set transform-set cityset
> > > > > > crypto map citymap 1 ipsec-isakmp
> > > > > > crypto map citymap 1 set peer x.x.184.146
> > > > > > crypto map citymap 1 set transform-set cityset
> > > > > > crypto map citymap 2 ipsec-isakmp
> > > > > > crypto map citymap 2 set transform-set cityset
> > > > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > > > > > crypto map mymap client configuration address initiate
> > > > > > crypto map mymap client configuration address respond
> > > > > > crypto map mymap interface outside
> > > > > > isakmp enable outside
> > > > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255
> > > > > > no-xauth no-config-mode
> > > > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > > > > > isakmp identity address
> > > > > > isakmp client configuration address-pool local ciscovpn outside
> > > > > > isakmp policy 8 authentication pre-share
> > > > > > isakmp policy 8 encryption des
> > > > > > isakmp policy 8 hash md5
> > > > > > isakmp policy 8 group 1
> > > > > > isakmp policy 8 lifetime 86400
> > > > > > isakmp policy 10 authentication pre-share
> > > > > > isakmp policy 10 encryption des
> > > > > > isakmp policy 10 hash md5
> > > > > > isakmp policy 10 group 2
> > > > > > isakmp policy 10 lifetime 86400
> > > > > > vpngroup ctvpn address-pool ciscovpn
> > > > > > vpngroup ctvpn dns-server x.x.226.13
> > > > > > vpngroup ctvpn split-tunnel 201
> > > > > > vpngroup ctvpn idle-time 7200
> > > > > > vpngroup ctvpn password ********
> > > > > > vpngroup pgmr address-pool ciscovpn
> > > > > > vpngroup pgmr dns-server x.x.226.13
> > > > > > vpngroup pgmr idle-time 1800
> > > > > > vpngroup pgmr password ********
> > > > > > telnet 192.168.2.0 255.255.255.0 outside
> > > > > > telnet 192.168.2.0 255.255.255.0 inside
> > > > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > > > telnet 192.168.1.1 255.255.255.255 inside
> > > > > > telnet timeout 5
> > > > > > ssh timeout 5
> > > > > > vpdn group 1 accept dialin pptp
> > > > > > vpdn group 1 ppp authentication pap
> > > > > > vpdn group 1 ppp authentication chap
> > > > > > vpdn group 1 ppp authentication mschap
> > > > > > vpdn group 1 ppp encryption mppe 40
> > > > > > vpdn group 1 client configuration address local pptp-pool
> > > > > > vpdn group 1 pptp echo 60
> > > > > > vpdn group 1 client authentication local
> > > > > > vpdn username scsadmin password ********
> > > > > > vpdn username cisco password ********
> > > > > > vpdn username gkurcon password ********
> > > > > > vpdn enable outside
> > > > > > vpdn enable inside
> > > > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
> > > > > > terminal width 80
> > > > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4

 
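The thread's two fixes are exempting every VPN client pool from NAT through the `nat (inside) 0 access-list` list and removing the wildcard `isakmp key ... address 0.0.0.0 netmask 0.0.0.0`. As an added example that is not part of the thread, the following Python lints a PIX 6.x config for both conditions and prints the commands that close them; the config excerpt is constructed from the thread's own lines, and the covering prefix it computes for pptp-pool (/28) is tighter than the /24 Scott used.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the thread's PIX 6.2(2) config (not the full
# posted config): both client address pools, the nat 0 exemption ACL as first
# posted (pptp-pool is missing), and the wildcard pre-shared key the thread
# says to remove. The peer address is masked exactly as in the thread.
SAMPLE_CONFIG = """\
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 111
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
PSK_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)")

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_pools(cfg: str) -> Dict[str, Range]:
    """Return {pool name: (first address, last address)} from 'ip local pool' lines."""
    pools: Dict[str, Range] = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_acl(cfg: str, name: str) -> List[Pair]:
    """Return the (source, destination) network pairs of the named 'permit ip' ACL."""
    entries: List[Pair] = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.IPv4Network(f"{m.group(4)}/{m.group(5)}", strict=False)
            entries.append((src, dst))
    return entries


def nat0_acl_name(cfg: str) -> Optional[str]:
    """Name of the ACL bound by 'nat (...) 0 access-list', i.e. the NAT exemption list."""
    for line in cfg.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def covering_network(first: ipaddress.IPv4Address,
                     last: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Smallest prefix that contains the whole pool range (widen a /32 until it fits)."""
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def pools_not_exempted(cfg: str) -> List[str]:
    """Pools whose addresses are not wholly inside a destination of the nat 0 ACL."""
    acl = nat0_acl_name(cfg)
    dests = [dst for _, dst in parse_acl(cfg, acl)] if acl else []
    return [name for name, (first, last) in parse_pools(cfg).items()
            if not any(first in d and last in d for d in dests)]


def wildcard_psk_lines(cfg: str) -> List[str]:
    """'isakmp key' lines whose peer is 0.0.0.0/0.0.0.0, i.e. any peer may use that key."""
    found = []
    for line in cfg.splitlines():
        m = PSK_RE.match(line.strip())
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            found.append(line.strip())
    return found


def remediation(cfg: str) -> List[str]:
    """PIX commands that close both findings: extend the nat 0 ACL, drop the wildcard key."""
    cmds: List[str] = []
    acl = nat0_acl_name(cfg)
    entries = parse_acl(cfg, acl) if acl else []
    if entries:
        inside = entries[0][0]  # reuse the inside subnet already named in the ACL
        for name in pools_not_exempted(cfg):
            net = covering_network(*parse_pools(cfg)[name])
            cmds.append(f"access-list {acl} permit ip {inside.network_address} "
                        f"{inside.netmask} {net.network_address} {net.netmask}")
    cmds.extend("no " + line for line in wildcard_psk_lines(cfg))
    return cmds


if __name__ == "__main__":
    print("pools not NAT-exempt:", pools_not_exempted(SAMPLE_CONFIG))
    print("wildcard pre-shared keys:", wildcard_psk_lines(SAMPLE_CONFIG))
    for cmd in remediation(SAMPLE_CONFIG):
        print(cmd)
```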
 
scott enwright
Guest
Posts: n/a
 
      01-09-2004
Just put a "no" in front, like so:

no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

Regards,

Scott.
\|/
(o o)
---------------------oOOO--(_)--OOOo----------------------
Out the 100Base-T, off the firewall, through the router, down
the T1, over the leased line, off the bridge, nothing but Net.
(Use ROT13 to see my email address)
.oooO Oooo.
----------------------( )---( )-----------------------
\ ( ) /
\_) (_/


"GKurcon" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> How do I remove the line:
>
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
>
> Thanks!
>
>
> "scott enwright" <(E-Mail Removed)> wrote in message
> news:<8_SKb.81897$(E-Mail Removed)>...
> > Try this configuration I have noted the changes where needed. Don't just
> > cut and paste it in as I don't have all the passwords etc. Please don't save
> > this configuration just test it and let me know how it goes. If it doesn't
> > work please turn on the following debugs and enable "terminal monitor" (and
> > maybe "logging monitor debugging") so we can see what's going on with the
> > following debugging options enabled:
> >
> > debug ppp io
> > debug ppp error
> > debug vpdn error
> > debug vpdn packet
> > debug vpdn events
> > debug ppp uauth
> >
> > Please repost the configuration before losing it so we can see
> > *definitely* what it was.
> >
> > ------------------------------------------------------------
> >
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password 4R3vD8XGO4lVLaq6 encrypted
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > hostname newburghcityhall
> > domain-name ciscopix.com
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list acl_out permit icmp any any
> > !--- Access list 110 added - please change the <destination subnet> to
> > !--- suit the site-to-site connection. This connection must be broken
> > !--- at the moment or it is being initiated from the other end.
> > access-list 110 permit ip 192.168.1.0 255.255.255.0 <destination subnet>
> > 255.255.255.0
> > !-- end of newly added lines
> > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> > 255.255.255.0
> > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > 255.255.255.0
> > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
> > 255.255.255.0
> > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > 255.255.255.0
> > pager lines 24
> > logging on
> > interface ethernet0 10baset
> > interface ethernet1 10full
> > icmp deny any outside
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside x.x.185.50 255.255.255.252
> > ip address inside 192.168.1.1 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > pdm location 192.168.1.11 255.255.255.255 inside
> > pdm location 192.168.2.0 255.255.255.0 inside
> > pdm location 172.16.1.0 255.255.255.0 outside
> > pdm location 192.168.2.0 255.255.255.0 outside
> > pdm location 172.16.0.0 255.255.254.0 inside
> > pdm location 172.16.101.0 255.255.255.0 outside
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list 111
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
> > pcanywhere-data netmask 255.255.255.255 0 20
> > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
> > 255.255.255.255 0 0
> > access-group 200 in interface outside
> > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> > 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > http server enable
> > http 192.168.1.0 255.255.255.0 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > sysopt connection permit-ipsec
> > sysopt connection permit-pptp
> > no sysopt route dnat
> > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > !------------ Changes made in here ----------------------
> > crypto dynamic-map dynmap 30 set transform-set cityset
> > crypto map citymap 10 ipsec-isakmp
> > crypto map citymap 10 match address 110
> > crypto map citymap 10 set peer x.x.184.146
> > crypto map citymap 10 set transform-set cityset
> > crypto map citymap 20 ipsec-isakmp dynamic dynmap
> > crypto map citymap interface outside
> > !----------- end of changes - note some lines deleted as well
> > isakmp enable outside
> > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth
> > no-config-mode
> > !--- The line below is not needed please remove it
> > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > isakmp identity address
> > isakmp client configuration address-pool local ciscovpn outside
> > isakmp policy 8 authentication pre-share
> > isakmp policy 8 encryption des
> > isakmp policy 8 hash md5
> > isakmp policy 8 group 1
> > isakmp policy 8 lifetime 86400
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> > vpngroup ctvpn address-pool ciscovpn
> > vpngroup ctvpn dns-server x.x.226.13
> > vpngroup ctvpn split-tunnel 201
> > vpngroup ctvpn idle-time 7200
> > vpngroup ctvpn password ********
> > vpngroup pgmr address-pool ciscovpn
> > vpngroup pgmr dns-server x.x.226.13
> > vpngroup pgmr idle-time 1800
> > vpngroup pgmr password ********
> > vpngroup testvpn address-pool ciscovpn
> > vpngroup testvpn idle-time 1800
> > vpngroup testvpn password ********
> > telnet 192.168.2.0 255.255.255.0 outside
> > telnet 192.168.2.0 255.255.255.0 inside
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet 192.168.1.1 255.255.255.255 inside
> > telnet timeout 5
> > ssh timeout 5
> > vpdn group 1 accept dialin pptp
> > vpdn group 1 ppp authentication pap
> > vpdn group 1 ppp authentication chap
> > vpdn group 1 ppp authentication mschap
> > !--- The line below is not needed please remove it
> > vpdn group 1 ppp encryption mppe 40
> > vpdn group 1 client configuration address local pptp-pool
> > vpdn group 1 client configuration dns 192.168.1.11
> > !--- The line below is not needed please remove it
> > vpdn group 1 pptp echo 60
> > vpdn group 1 client authentication local
> > vpdn username scsadmin password ********
> > vpdn username cityhall password ********
> > vpdn username gkurcon password ********
> > vpdn enable outside
> > !--- The line below is not needed please remove it
> > vpdn enable inside
> > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
> > terminal width 80
> >
> >
> >
> >
> >
> > Regards,
> >
> > Scott.
> > \|/
> > (o o)
> > ---------------------oOOO--(_)--OOOo----------------------
> > Out the 100Base-T, off the firewall, through the router, down
> > the T1, over the leased line, off the bridge, nothing but Net.
> > (Use ROT13 to see my email address)
> > .oooO Oooo.
> > ----------------------( )---( )-----------------------
> > \ ( ) /
> > \_) (_/
> >
> >
> > "GKurcon" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) m...
> > > Ok, tried the clear xlate command, it killed all connections but I
> > > still was not able to get to the 192.168.1.x subnet. I am still able
> > > to connect with either the VPN client (ver 3.6) or the Windows built
> > > in dialer, but not able to route over to the 192.168.1.x network.
> > > Here is the current config. Thanks for the continued support:
> > >
> > > PIX Version 6.2(2)
> > > nameif ethernet0 outside security0
> > > nameif ethernet1 inside security100
> > > enable password 4R3vD8XGO4lVLaq6 encrypted
> > > passwd 2KFQnbNIdI.2KYOU encrypted
> > > hostname newburghcityhall
> > > domain-name ciscopix.com
> > > fixup protocol ftp 21
> > > fixup protocol http 80
> > > fixup protocol h323 h225 1720
> > > fixup protocol h323 ras 1718-1719
> > > fixup protocol ils 389
> > > fixup protocol rsh 514
> > > fixup protocol rtsp 554
> > > fixup protocol smtp 25
> > > fixup protocol sqlnet 1521
> > > fixup protocol sip 5060
> > > fixup protocol skinny 2000
> > > names
> > > access-list acl_out permit icmp any any
> > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
> > > 255.255.255.0
> > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > > 255.255.255.0
> > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
> > > 255.255.255.0
> > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
> > > 255.255.255.0
> > > pager lines 24
> > > logging on
> > > interface ethernet0 10baset
> > > interface ethernet1 10full
> > > icmp deny any outside
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address outside x.x.185.50 255.255.255.252
> > > ip address inside 192.168.1.1 255.255.255.0
> > > ip audit info action alarm
> > > ip audit attack action alarm
> > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > > pdm location 192.168.1.11 255.255.255.255 inside
> > > pdm location 192.168.2.0 255.255.255.0 inside
> > > pdm location 172.16.1.0 255.255.255.0 outside
> > > pdm location 192.168.2.0 255.255.255.0 outside
> > > pdm location 172.16.0.0 255.255.254.0 inside
> > > pdm location 172.16.101.0 255.255.255.0 outside
> > > pdm logging informational 100
> > > pdm history enable
> > > arp timeout 14400
> > > global (outside) 1 interface
> > > nat (inside) 0 access-list 111
> > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
> > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
> > > access-group 200 in interface outside
> > > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
> > > timeout xlate 0:05:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > aaa-server TACACS+ protocol tacacs+
> > > aaa-server RADIUS protocol radius
> > > aaa-server LOCAL protocol local
> > > http server enable
> > > http 192.168.1.0 255.255.255.0 inside
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server community public
> > > no snmp-server enable traps
> > > floodguard enable
> > > sysopt connection permit-ipsec
> > > sysopt connection permit-pptp
> > > no sysopt route dnat
> > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > > crypto dynamic-map dynmap 10 set transform-set cityset
> > > crypto map citymap 1 ipsec-isakmp
> > > crypto map citymap 1 set peer x.x.184.146
> > > crypto map citymap 1 set transform-set cityset
> > > crypto map citymap 2 ipsec-isakmp
> > > crypto map citymap 2 set transform-set cityset
> > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > > crypto map mymap client configuration address initiate
> > > crypto map mymap client configuration address respond
> > > crypto map mymap interface outside
> > > isakmp enable outside
> > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
> > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > > isakmp identity address
> > > isakmp client configuration address-pool local ciscovpn outside
> > > isakmp policy 8 authentication pre-share
> > > isakmp policy 8 encryption des
> > > isakmp policy 8 hash md5
> > > isakmp policy 8 group 1
> > > isakmp policy 8 lifetime 86400
> > > isakmp policy 10 authentication pre-share
> > > isakmp policy 10 encryption des
> > > isakmp policy 10 hash md5
> > > isakmp policy 10 group 2
> > > isakmp policy 10 lifetime 86400
> > > vpngroup ctvpn address-pool ciscovpn
> > > vpngroup ctvpn dns-server x.x.226.13
> > > vpngroup ctvpn split-tunnel 201
> > > vpngroup ctvpn idle-time 7200
> > > vpngroup ctvpn password ********
> > > vpngroup pgmr address-pool ciscovpn
> > > vpngroup pgmr dns-server x.x.226.13
> > > vpngroup pgmr idle-time 1800
> > > vpngroup pgmr password ********
> > > vpngroup testvpn address-pool ciscovpn
> > > vpngroup testvpn idle-time 1800
> > > vpngroup testvpn password ********
> > > telnet 192.168.2.0 255.255.255.0 outside
> > > telnet 192.168.2.0 255.255.255.0 inside
> > > telnet 192.168.1.0 255.255.255.0 inside
> > > telnet 192.168.1.1 255.255.255.255 inside
> > > telnet timeout 5
> > > ssh timeout 5
> > > vpdn group 1 accept dialin pptp
> > > vpdn group 1 ppp authentication pap
> > > vpdn group 1 ppp authentication chap
> > > vpdn group 1 ppp authentication mschap
> > > vpdn group 1 ppp encryption mppe 40
> > > vpdn group 1 client configuration address local pptp-pool
> > > vpdn group 1 client configuration dns 192.168.1.11
> > > vpdn group 1 pptp echo 60
> > > vpdn group 1 client authentication local
> > > vpdn username scsadmin password ********
> > > vpdn username cityhall password ********
> > > vpdn username gkurcon password ********
> > > vpdn enable outside
> > > vpdn enable inside
> > > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
> > > terminal width 80
> > > Cryptochecksum:9d077096c3b18daec412525f083931d9
> > >
> > > "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in
> > > message news:<etQIb.72741$(E-Mail Removed)>...
> > > > G'day,
> > > >
> > > > I've just been through the configuration again and compared it to
> > > > both a working configuration and to a sample Cisco configuration
> > > > (http://www.cisco.com/en/US/products/...s_configuration_example09186a0080093f89.shtml).
> > > > With that new line I suggested it should just work - could you do a
> > > > 'clear xlate' on the box and test it again - the clear xlate command
> > > > will kill all connections that are active on the unit.
> > > >
> > > > If this doesn't work can you repost the new configuration, maybe there
> > > > is something else stopping it now that wasn't there in your previous
> > > > post.
> > > >
> > > > Regards,
> > > >
> > > > Scott.
> > > >
> > > > "GKurcon" <(E-Mail Removed)> wrote in message
> > > > news:(E-Mail Removed) om...
> > > > > Thanks for the tip. I added this line to the config but still no
> > > > > luck. A consultant that I work with suggested that I add this:
> > > > >
> > > > > static (inside,outside) 172.168.101.0 192.168.1.0 netmask
> > > > > 255.255.255.0 0 0
> > > > >
> > > > > But when I add this, the only result is all devices on the
> > > > > 192.168.1.0 subnet are unable to get out to the internet, I have to
> > > > > reboot the PIX and also the remote PIX.
> > > > >
> > > > > I tried removing this line, but it didn't seem to make a difference
> > > > > either:
> > > > >
> > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > > > >
> > > > > This seems like it should be a relatively easy thing to set up, any
> > > > > ideas of what I am missing? Thanks.
> > > > >
> > > > > "scott enwright" <(E-Mail Removed)0spam.net.au> wrote in
> > > > > message news:<WxeIb.70433$(E-Mail Removed)>...
> > > > > > G'day,
> > > > > >
> > > > > > I assume when you connect using PPTP you receive an address from
> > > > > > the pool pptp-pool (172.16.101.1-172.16.101.14)? This pool is not
> > > > > > being excluded from the NAT process so it's being translated. To
> > > > > > correct this you need to make access-list 111 the following:
> > > > > >
> > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
> > > > > >
> > > > > > The last line is new and stops pptp traffic from being natted.
> > > > > >
> > > > > > Scott.
> > > > > >
> > > > > >
> > > > > > "GKurcon" <(E-Mail Removed)> wrote in message
> > > > > > news:(E-Mail Removed) om...
> > > > > > > I need to connect to a PIX 501 running 6.2(2) with either the
> > > > > > > Cisco VPN client or a Windows built in PPTP client. I can connect
> > > > > > > with either of these clients, but am not able to access anything
> > > > > > > on the inside subnet (192.168.1.x). We do have a site to site VPN
> > > > > > > established with another PIX 501 as well, which works fine. Right
> > > > > > > now it is not necessary for me to access the remote side
> > > > > > > (192.168.2.x), as I have read that there are issues with
> > > > > > > attempting to do so. I just want to connect to the PIX and get to
> > > > > > > the 192.168.1.x resources. What do I need to change in the config
> > > > > > > to accomplish this?? (I realize that I am a few versions
> > > > > > > behind...one step at a time )
> > > > > > >
> > > > > > > PIX Version 6.2(2)
> > > > > > > nameif ethernet0 outside security0
> > > > > > > nameif ethernet1 inside security100
> > > > > > > enable password 4R3vD8XGO4lVLaq6 encrypted
> > > > > > > passwd 2KFQnbNIdI.2KYOU encrypted
> > > > > > > hostname PIX1
> > > > > > > domain-name ciscopix.com
> > > > > > > fixup protocol ftp 21
> > > > > > > fixup protocol http 80
> > > > > > > fixup protocol h323 h225 1720
> > > > > > > fixup protocol h323 ras 1718-1719
> > > > > > > fixup protocol ils 389
> > > > > > > fixup protocol rsh 514
> > > > > > > fixup protocol rtsp 554
> > > > > > > fixup protocol smtp 25
> > > > > > > fixup protocol sqlnet 1521
> > > > > > > fixup protocol sip 5060
> > > > > > > fixup protocol skinny 2000
> > > > > > > names
> > > > > > > access-list acl_out permit icmp any any
> > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
> > > > > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
> > > > > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
> > > > > > > pager lines 24
> > > > > > > logging on
> > > > > > > interface ethernet0 10baset
> > > > > > > interface ethernet1 10full
> > > > > > > icmp deny any outside
> > > > > > > mtu outside 1500
> > > > > > > mtu inside 1500
> > > > > > > ip address outside x.x.185.50 255.255.255.252
> > > > > > > ip address inside 192.168.1.1 255.255.255.0
> > > > > > > ip audit info action alarm
> > > > > > > ip audit attack action alarm
> > > > > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
> > > > > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
> > > > > > > pdm location 192.168.1.11 255.255.255.255 inside
> > > > > > > pdm location 192.168.2.0 255.255.255.0 inside
> > > > > > > pdm location 172.16.1.0 255.255.255.0 outside
> > > > > > > pdm location 192.168.2.0 255.255.255.0 outside
> > > > > > > pdm location 172.16.0.0 255.255.254.0 inside
> > > > > > > pdm logging informational 100
> > > > > > > pdm history enable
> > > > > > > arp timeout 14400
> > > > > > > global (outside) 1 interface
> > > > > > > nat (inside) 0 access-list 111
> > > > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
> > > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
> > > > > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
> > > > > > > access-group 200 in interface outside
> > > > > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
> > > > > > > timeout xlate 0:05:00
> > > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > > > > timeout uauth 0:05:00 absolute
> > > > > > > aaa-server TACACS+ protocol tacacs+
> > > > > > > aaa-server RADIUS protocol radius
> > > > > > > aaa-server LOCAL protocol local
> > > > > > > http server enable
> > > > > > > http 192.168.1.0 255.255.255.0 inside
> > > > > > > no snmp-server location
> > > > > > > no snmp-server contact
> > > > > > > snmp-server community public
> > > > > > > no snmp-server enable traps
> > > > > > > floodguard enable
> > > > > > > sysopt connection permit-ipsec
> > > > > > > sysopt connection permit-pptp
> > > > > > > no sysopt route dnat
> > > > > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
> > > > > > > crypto dynamic-map dynmap 10 set transform-set cityset
> > > > > > > crypto map citymap 1 ipsec-isakmp
> > > > > > > crypto map citymap 1 set peer x.x.184.146
> > > > > > > crypto map citymap 1 set transform-set cityset
> > > > > > > crypto map citymap 2 ipsec-isakmp
> > > > > > > crypto map citymap 2 set transform-set cityset
> > > > > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
> > > > > > > crypto map mymap client configuration address initiate
> > > > > > > crypto map mymap client configuration address respond
> > > > > > > crypto map mymap interface outside
> > > > > > > isakmp enable outside
> > > > > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
> > > > > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> > > > > > > isakmp identity address
> > > > > > > isakmp client configuration address-pool local ciscovpn outside
> > > > > > > isakmp policy 8 authentication pre-share
> > > > > > > isakmp policy 8 encryption des
> > > > > > > isakmp policy 8 hash md5
> > > > > > > isakmp policy 8 group 1
> > > > > > > isakmp policy 8 lifetime 86400
> > > > > > > isakmp policy 10 authentication pre-share
> > > > > > > isakmp policy 10 encryption des
> > > > > > > isakmp policy 10 hash md5
> > > > > > > isakmp policy 10 group 2
> > > > > > > isakmp policy 10 lifetime 86400
> > > > > > > vpngroup ctvpn address-pool ciscovpn
> > > > > > > vpngroup ctvpn dns-server x.x.226.13
> > > > > > > vpngroup ctvpn split-tunnel 201
> > > > > > > vpngroup ctvpn idle-time 7200
> > > > > > > vpngroup ctvpn password ********
> > > > > > > vpngroup pgmr address-pool ciscovpn
> > > > > > > vpngroup pgmr dns-server x.x.226.13
> > > > > > > vpngroup pgmr idle-time 1800
> > > > > > > vpngroup pgmr password ********
> > > > > > > telnet 192.168.2.0 255.255.255.0 outside
> > > > > > > telnet 192.168.2.0 255.255.255.0 inside
> > > > > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > > > > telnet 192.168.1.1 255.255.255.255 inside
> > > > > > > telnet timeout 5
> > > > > > > ssh timeout 5
> > > > > > > vpdn group 1 accept dialin pptp
> > > > > > > vpdn group 1 ppp authentication pap
> > > > > > > vpdn group 1 ppp authentication chap
> > > > > > > vpdn group 1 ppp authentication mschap
> > > > > > > vpdn group 1 ppp encryption mppe 40
> > > > > > > vpdn group 1 client configuration address local pptp-pool
> > > > > > > vpdn group 1 pptp echo 60
> > > > > > > vpdn group 1 client authentication local
> > > > > > > vpdn username scsadmin password ********
> > > > > > > vpdn username cisco password ********
> > > > > > > vpdn username gkurcon password ********
> > > > > > > vpdn enable outside
> > > > > > > vpdn enable inside
> > > > > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
> > > > > > > terminal width 80
> > > > > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
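Scott's point in the quoted reply (the pptp-pool is not excluded from the NAT process, so inside hosts' replies to PPTP clients get translated) modelled as an added Python example; this is not code from the thread or from Cisco, and it assumes only the addresses in the posted config, with the masked outside address kept as a placeholder.

```python
import ipaddress

# Added model (not Cisco code) of the PIX 6.2 NAT rules in the posted config:
# "nat (inside) 0 access-list 111" exempts matching inside->outside flows from
# translation; anything else falls to "nat (inside) 1 0.0.0.0 0.0.0.0" and is
# PAT'd to the outside interface address by "global (outside) 1 interface".
OUTSIDE_IF = "x.x.185.50"  # outside address as masked in the post (placeholder)

# ACL 111 as first posted (two lines) and with Scott's third line added;
# re-joined onto single lines here because the post wrapped them.
ACL_111_BEFORE = [
    "access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0",
]
ACL_111_AFTER = ACL_111_BEFORE + [
    "access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0",
]
# Client address pools from the posted "ip local pool" lines (first, last).
POOLS = {"ciscovpn": ("172.16.1.1", "172.16.1.20"),
         "pptp-pool": ("172.16.101.1", "172.16.101.14")}

def parse_acl(lines):
    """Parse 'access-list N permit ip SRC MASK DST MASK' into (src, dst) nets."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) == 8 and p[2:4] == ["permit", "ip"]:
            entries.append((ipaddress.ip_network(f"{p[4]}/{p[5]}"),
                            ipaddress.ip_network(f"{p[6]}/{p[7]}")))
    return entries

def translated_source(src_ip, dst_ip, acl_lines):
    """Source address a VPN client sees on a reply from an inside host."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in parse_acl(acl_lines):
        if s in src_net and d in dst_net:
            return src_ip  # nat 0 match: identity, reply reaches the client
    return OUTSIDE_IF      # nat 1 + global interface: PAT, reply path breaks

def pools_not_exempted(acl_lines, inside_host="192.168.1.11"):
    """Config check: pools whose addresses are still translated from inside."""
    return [name for name, (first, last) in POOLS.items()
            if any(translated_source(inside_host, ip, acl_lines) != inside_host
                   for ip in (first, last))]

if __name__ == "__main__":
    print("before:", pools_not_exempted(ACL_111_BEFORE))  # ['pptp-pool']
    print("after: ", pools_not_exempted(ACL_111_AFTER))   # []
```

The check walks both ends of each pool, so a pool that is only partly covered by the exemption ACL is also reported.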



 