VPN - Easy VPN Server (PIX 515) and Hardware Client (831 Router)

 
 
Al (Guest), 02-16-2005
I'm hoping someone can help me solve a problem I've been trying to
resolve for the last several days.

Environment: PIX 515 - IOS 6.3(4)
Cisco 831 Router - IOS 12.3(2)XA


Goal: I want to set up a VPN between a Cisco 831 Router (Hardware
Client) and a PIX 515 (Easy VPN Server)

Problem: No traffic is able to pass beyond the outside interfaces
between the two devices.

Background: I have successfully terminated both software VPN clients
(VPN Client 4.6) and Site-to-Site VPN clients to the PIX 515 in
question. I can pass data in either of these configurations.

In regard to the PIX 515 and the 831, the tunnel is actually
successfully established. I can successfully ping the outside
interface of each device. However, when I try to ping any resources
(192.168.0.0) behind the inside interface of the PIX from the 831
router, no traffic will pass. I cannot go the other way either.

HELP!!

I have included the configs from both the PIX 515 and 831. I've only
included the code which I thought might be relevant.


PIX 515

interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

access-list acl-out permit tcp any host 198.67.37.148 eq smtp
access-list acl-out deny ip any any
access-list acl-in permit ip any any
access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list IDXSupport permit ip host 198.67.37.147 198.114.170.8 255.255.255.248
access-list IDXECommerce permit ip host 198.67.37.147 204.165.247.0 255.255.255.0
access-list acl-ipsec-protect permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list homenet permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
ip address outside 198.67.37.146 255.255.255.240
ip address inside 192.168.15.2 255.255.255.0
ip address dmz 10.240.240.1 255.255.255.0
ip local pool vpn-ipsec 172.16.2.1-172.16.2.254
global (outside) 1 198.67.37.156 netmask 255.255.255.240
nat (inside) 0 access-list acl-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl-out in interface outside
access-group acl-in in interface inside
route outside 0.0.0.0 0.0.0.0 198.168.36.145 1
route inside 192.168.0.0 255.255.0.0 192.168.15.2 1
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.15.15 ******
sysopt connection permit-ipsec
crypto ipsec transform-set TRIPLEDES esp-3des esp-sha-hmac
crypto ipsec transform-set VendorTransform esp-3des esp-sha-hmac
crypto dynamic-map RemoteAccess 99 set transform-set TRIPLEDES
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address IDXECommerce
crypto map VPN 10 set peer 204.165.246.197
crypto map VPN 10 set transform-set VendorTransform
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address IDXSupport
crypto map VPN 20 set peer 192.107.146.7
crypto map VPN 20 set transform-set VendorTransform
crypto map VPN 99 ipsec-isakmp dynamic RemoteAccess
crypto map VPN client authentication AuthInbound
crypto map VPN interface outside
isakmp enable outside
isakmp key ***** address 192.107.146.7 netmask 255.255.255.255 no-config-mode no-xauth
isakmp key ***** address 204.165.246.197 netmask 255.255.255.255 no-config-mode no-xauth
isakmp identity address
isakmp client configuration address-pool local vpn-ipsec outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 3000
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption 3des
isakmp policy 99 hash sha
isakmp policy 99 group 2
isakmp policy 99 lifetime 3000
vpngroup default address-pool vpn-ipsec
vpngroup default dns-server 192.168.15.10
vpngroup default wins-server 192.168.15.11
vpngroup default default-domain pioneermedicalgroup.local
vpngroup default split-tunnel acl-ipsec-protect
vpngroup default split-dns 204.97.212.10 204.117.214.10
vpngroup default idle-time 1800
vpngroup default max-time 3600
vpngroup default password *****
vpngroup hw-client address-pool vpn-ipsec
vpngroup hw-client dns-server 192.168.15.10
vpngroup hw-client wins-server 192.168.15.11
vpngroup hw-client default-domain pioneermedicalgroup.local
vpngroup hw-client split-tunnel homenet
vpngroup hw-client split-dns 204.97.212.10 204.117.214.10
vpngroup hw-client idle-time 86400
vpngroup hw-client password *****



831

ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100

crypto ipsec client ezvpn RemoteAccess
connect auto
group hw-client key *****
mode network-extension
peer 198.67.37.146
username ***** password *****

interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
crypto ipsec client ezvpn RemoteAccess inside

interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
crypto ipsec client ezvpn RemoteAccess

ip nat inside source list 102 interface Ethernet1 overload

access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq www
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any

 
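The symptom in the post (tunnel up, no traffic) is usually a mismatch in the things that have to line up around the tunnel rather than in IKE itself. As an added example, not part of the original post and not Cisco tooling, the script below parses the config fragments quoted above and checks those relationships for Easy VPN network-extension mode: the client's LAN must be covered by the PIX NAT-exemption ACL (nat 0) and by the split-tunnel ACL of the vpngroup the client joins, the client's peer must be the PIX outside address, and each static route's next hop must lie on the subnet of the interface it names. The embedded config text is copied from the post with keys masked as they were; the function and result-key names are this example's own assumptions.

```python
"""Added example: consistency checks for a PIX Easy VPN server and an IOS
hardware client in network-extension mode, run over the config fragments
quoted in the post. Not Cisco tooling; the check names are this example's own."""
import ipaddress
import re

# Constructed input: the lines relevant to the checks, copied from the post above.
PIX_CONFIG = """\
access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list homenet permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
ip address outside 198.67.37.146 255.255.255.240
ip address inside 192.168.15.2 255.255.255.0
nat (inside) 0 access-list acl-vpn
route outside 0.0.0.0 0.0.0.0 198.168.36.145 1
route inside 192.168.0.0 255.255.0.0 192.168.15.2 1
vpngroup hw-client split-tunnel homenet
"""
CLIENT_CONFIG = """\
crypto ipsec client ezvpn RemoteAccess
 group hw-client key *****
 mode network-extension
 peer 198.67.37.146
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn RemoteAccess inside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
PIX_IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")  # PIX: ip address <nameif> addr mask
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")

def net(addr, mask):
    """PIX ACLs use real subnet masks (not wildcards), so this maps straight to a network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(cfg):
    pix = {"acls": {}, "ifaces": {}, "routes": [], "nat0": {}, "split": {}}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            pix["acls"].setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := PIX_IP_RE.match(line):
            pix["ifaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := ROUTE_RE.match(line):
            pix["routes"].append((m[1], net(m[2], m[3]), ipaddress.ip_address(m[4])))
        elif m := NAT0_RE.match(line):
            pix["nat0"][m[1]] = m[2]   # interface -> NAT-exemption ACL name
        elif m := SPLIT_RE.match(line):
            pix["split"][m[1]] = m[2]  # vpngroup -> split-tunnel ACL name
    return pix

def parse_client(cfg):
    cli = {"group": None, "mode": None, "peer": None, "lan": None}
    last_addr = None  # most recent 'ip address A M' in the current interface block
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"^group (\S+) key", line):
            cli["group"] = m[1]
        elif m := re.match(r"^mode (\S+)$", line):
            cli["mode"] = m[1]
        elif m := re.match(r"^peer (\S+)$", line):
            cli["peer"] = ipaddress.ip_address(m[1])
        elif line.startswith("interface "):
            last_addr = None
        elif m := re.match(r"^ip address (\S+) (\S+)$", line):
            last_addr = net(m[1], m[2])
        elif re.match(r"^crypto ipsec client ezvpn \S+ inside$", line):
            cli["lan"] = last_addr  # the LAN network-extension mode exposes to the server
    return cli

def covers(entries, src, dst):
    """True if some ACL entry permits every src host to every dst host."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in entries)

def check(pix_cfg, client_cfg):
    pix, cli = parse_pix(pix_cfg), parse_client(client_cfg)
    lan, findings = cli["lan"], []
    if cli["mode"] != "network-extension" or lan is None:
        return {"nat0_ok": False, "split_ok": False, "peer_ok": False,
                "findings": ["client is not in network-extension mode with an 'inside' interface"]}
    # Networks behind the PIX inside interface: its own subnet plus static routes via 'inside'.
    inside_nets = [pix["ifaces"]["inside"].network] + [r[1] for r in pix["routes"] if r[0] == "inside"]
    # inside -> client LAN must be exempt from NAT, or replies leave with a translated source.
    nat0_acl = pix["acls"].get(pix["nat0"].get("inside"), [])
    nat0_ok = all(covers(nat0_acl, n, lan) for n in inside_nets)
    if not nat0_ok:
        findings.append(f"nat (inside) 0 ACL does not exempt every inside network to {lan}")
    # The split-tunnel ACL pushed to the client's group decides what it sends through the tunnel.
    split_acl = pix["acls"].get(pix["split"].get(cli["group"]), [])
    split_ok = all(covers(split_acl, n, lan) for n in inside_nets)
    if not split_ok:
        findings.append(f"split-tunnel ACL for group {cli['group']} does not cover every inside network to {lan}")
    peer_ok = cli["peer"] == pix["ifaces"]["outside"].ip
    if not peer_ok:
        findings.append(f"client peer {cli['peer']} is not the PIX outside address")
    # A static route's next hop must sit on the subnet of the interface it names.
    for iface, dest, nh in pix["routes"]:
        subnet = pix["ifaces"][iface].network
        if nh not in subnet:
            findings.append(f"route {iface} {dest}: next hop {nh} is not on the {iface} subnet {subnet}")
    return {"nat0_ok": nat0_ok, "split_ok": split_ok, "peer_ok": peer_ok, "findings": findings}
```

Run against the quoted fragments, the NAT-exemption, split-tunnel and peer checks all pass, which rules out the most common cause of this symptom. The one finding the script reports is that the default route's next hop as typed (198.168.36.145) is not on the PIX outside subnet 198.67.37.144/28; whether that is a transcription slip in the post or in the running config cannot be told from the page, but it is the first thing to confirm on the box. The test removes the 10.10.10.0 line from acl-vpn to show the NAT-exemption check failing.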