Velocity Reviews - Computer Hardware Reviews

PIX vpn client can't terminal server

Sako
01-31-2006
Hi gents, I've been fighting two days with this and it seems the pix
is winning this battle.
I want to configure a vpn client so that I can join this network from
one secondary router, so I had to do static routes and some special
things.
Now, after cleaning up my config a little, the vpn client seems to
connect, but I can't terminal server or ssh. Maybe the problem is in
the access list, or maybe the isakmp, but I have done lots of changes
and none made it work.

So could you please take a look and tell me what I have to allow
to achieve this kind of configuration.
Thanks thanks thanks to you all


:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ZlGq2vBPmW8hXSpI encrypted
passwd ZlGq2vBPmW8hXSpI encrypted
hostname pixbcn
domain-name vlsd.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
access-list remote_lond_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list remote_lond_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list remote_pose_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list remote_pose_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list remote_posi2_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list remote_posi2_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list remote_gita_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list remote_gita_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list remote_caus_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list remote_caus_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list red_interna permit ip 174.144.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_21 permit ip any 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip any any
access-list vlsd_tunnel_ac permit ip 174.144.1.0 255.255.255.0 any
access-list vlsd_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 any
access-list vpn2dkm permit ip any any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 174.144.1.26
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.200.100.253 255.255.0.0
ip address inside 174.144.1.1 255.255.255.0
ip address intf2 174.144.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndkm_pool 172.16.1.1
ip local pool vlsd_pool 174.144.1.60
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 174.144.20.0 255.255.255.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 174.144.1.50 255.255.255.255 inside
pdm location 174.144.20.20 255.255.255.255 intf2
pdm location 174.144.5.0 255.255.255.0 outside
pdm location 80.38.105.29 255.255.255.255 outside
pdm location 174.144.2.0 255.255.255.0 outside
pdm location 174.144.3.0 255.255.255.0 outside
pdm location 174.144.4.0 255.255.255.0 outside
pdm location 174.144.6.0 255.255.255.0 outside
pdm location 174.144.2.0 255.255.255.0 intf2
pdm location 174.144.3.0 255.255.255.0 intf2
pdm location 174.144.4.0 255.255.255.0 intf2
pdm location 174.144.5.0 255.255.255.0 intf2
pdm location 174.144.6.0 255.255.255.0 intf2
pdm location 174.144.1.26 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 62.43.200.194 255.255.255.255 outside
pdm location 80.224.56.90 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside 62.43.200.194 255.255.255.255 10.200.100.190 1
route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
route outside 80.224.56.90 255.255.255.255 10.200.100.190 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.200.0.0 255.255.0.0 outside
http 174.144.1.0 255.255.255.0 inside
http 172.16.1.1 255.255.255.255 inside
http 174.144.20.0 255.255.255.0 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address remote_lond_acl
crypto map newmap 10 set peer 10.201.100.253
crypto map newmap 10 set transform-set myset
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address remote_pose_acl
crypto map newmap 11 set peer 10.202.100.253
crypto map newmap 11 set transform-set myset
crypto map newmap 12 ipsec-isakmp
crypto map newmap 12 match address remote_posi2_acl
crypto map newmap 12 set peer 10.205.100.253
crypto map newmap 12 set transform-set myset
crypto map newmap 13 ipsec-isakmp
crypto map newmap 13 match address remote_gita_acl
crypto map newmap 13 set peer 10.203.100.253
crypto map newmap 13 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_caus_acl
crypto map newmap 20 set peer 80.38.105.29
crypto map newmap 20 set transform-set myset
crypto map newmap 21 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 80.38.105.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.201.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.203.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.202.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.205.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpndkm address-pool vpndkm_pool
vpngroup vpndkm dns-server 174.144.1.15
vpngroup vpndkm default-domain vlsd.net
vpngroup vpndkm split-tunnel vpn2dkm
vpngroup vpndkm idle-time 1800
vpngroup vpndkm password ********
vpngroup vlsd address-pool vlsd_pool
vpngroup vlsd split-tunnel vlsd_tunnel_ac
vpngroup vlsd idle-time 1800
vpngroup vlsd password ********
telnet timeout 5
ssh 10.200.0.0 255.255.0.0 outside
ssh 172.16.1.1 255.255.255.255 outside
ssh 174.144.1.0 255.255.255.0 inside
ssh 174.144.20.0 255.255.255.0 intf2
ssh timeout 30
console timeout 0
dhcpd address 174.144.1.100-174.144.1.250 inside
dhcpd dns 174.144.1.15 174.144.1.16
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain vlsd.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ab2e9ab3f3b0a44b4d0f7a492a5281a4
: end

lfnetworking
01-31-2006

Sako wrote:
> Hi gents I've been fighting two days with this and it seems the pix
> is winning this battle.
> I want to configure a vpn client so that I can join this network from
> one secondary router,


First, can you please clarify if the issue is not being able to access a
machine for term services tcp 3389 and ssh tcp 22, on the network behind
pixbcn, from a vpnclient connection terminating on pixbcn? If so, which
vpngroup are you connecting to?

Also, just curious why you have tunnels to devices on a private
network, i.e. 10.x.x.x outside addresses?


Sako
01-31-2006
Sorry, I'll try to explain better. My company has a private virtual
network between different cities; in addition to this we use vpn
tunnels with cisco PIX because one of the cities isn't on the other
private network.
So that's working properly. The main building has 2 routers connected
to internet, so one connects to the virtual network and the other to
internet.
To the router connected to internet we have a route in the pix, so we
can connect via vpn to the other city.

So, the fact is: I want a person, whose public address I know, to
connect tcp 3389 or 22 (any) to the inside interface of our pix, as the
other vpn tunnels do. To achieve this I configured a vpn group, and I
configured the vpn client correctly, and it closes the lock (it seems
to connect).
But I can't do anything to ping / connect 3389 to the inside hosts.

Any way to help me?
Thanks

DCS
01-31-2006
Hey again, glad to see your RA tunnel works now. Are you getting any
traffic across the interface? As previously asked, what remote profile
are you using, vpndkm or vlsd? I noticed your SSH for 172.16.1.1 is
set for the outside interface. There may be some issues with your
access list but you need to see if you're getting traffic out and
returned first. To do this, connect the VPN Client. Then right click
on the icon (closed lock on the bottom right) and select "statistics".
Try a ping, surf to an internal web page or anything to see how your
traffic counters change. Report back and we can try to help more.

Sako
01-31-2006
I'm working hard on it! Thanks gents, you give me HOPE!
I expect to use the vpndkm because I want the pool to get bigger once
I'm sure it works with one host. The other is using a free ip on my
network.
Unluckily I couldn't surf any internal web page or ssh when it
pointed to the inside interface (as you say that it should); the client
connects by the same router as
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_caus_acl
That is working
correctly. I've tried to connect to the machine with the vpn client
but I lost connection with terminal server ... I'll look at the statistics
and report them as soon as I can.

I've tried to change the access-list which takes care of 172.16.1.1
but I can't ping from inside to the vpnclient or from the vpn client
see anything from the inside.

I'll keep working hard a couple of hours to see if I can solve it.
Thanks very much indeed.

Sako
02-01-2006
Ok, thanks to your indications, I can see, in the statistics:
Bytes Received: 0; Bytes Sent: 20974
Packets
Encrypted: 135, Decrypted: 0
Discarded: 77
Encryption DES, authentication HMAC-MD5
Local LAN Disabled (I don't know how to enable it yet)
Compression None.

So it seems I don't receive any information.
I'm not quite sure what this means; I'll try to look at the log,
but I report it to you to see if you can help.
Thanks

This is the log of one connection
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

167 11:25:13.011 02/01/06 Sev=Info/4 CM/0x63100002
Begin connection process

168 11:25:13.026 02/01/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

169 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

170 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "83.175.207.82"

171 11:25:14.026 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 83.175.207.82

172 11:25:14.026 02/01/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

173 11:25:14.026 02/01/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

174 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity),
VID(?), KE, ID, NON, HASH) from 83.175.207.82

175 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT,
VID(?), VID(Unity)) to 83.175.207.82

176 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

177 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated
IKE SA in the system

178 11:25:14.307 02/01/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated
IKE SA in the system

179 11:25:14.323 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 83.175.207.82

180 11:25:14.417 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from
83.175.207.82

181 11:25:14.432 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 83.175.207.82

182 11:25:14.432 02/01/06 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no
data

183 11:25:14.432 02/01/06 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no
data

184 11:25:14.432 02/01/06 Sev=Info/4 CM/0x63100019
Mode Config data received

185 11:25:14.448 02/01/06 Sev=Info/4 IKE/0x63000055
Received a key request from Driver: Local IP = 172.16.1.1, GW IP =
83.175.207.82, Remote IP = 0.0.0.0

186 11:25:14.448 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 83.175.207.82

187 11:25:14.589 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID,
NOTIFY:STATUS_RESP_LIFETIME) from 83.175.207.82

188 11:25:14.589 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 83.175.207.82

189 11:25:15.120 02/01/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=172.16.1.1/255.255.0.0
DNS=192.168.1.15,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=valdisme.net
Split DNS Names=

190 11:25:15.229 02/01/06 Sev=Info/4 CM/0x6310001A
One secure connection established

191 11:25:15.307 02/01/06 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.3.114. Current address(es):
172.16.1.1, 192.168.3.114.

192 11:25:15.323 02/01/06 Sev=Info/4 CM/0x63100038
Address watch added for 172.16.1.1. Current address(es): 172.16.1.1,
192.168.3.114.

193 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

194 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

195 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x3c962dbc into key list

196 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

197 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xe729bba9 into key list

198 11:25:15.323 02/01/06 Sev=Info/4 IPSEC/0x6370002E
Assigned VA private interface addr 172.16.1.1

199 11:25:24.417 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

200 11:25:24.526 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

201 11:25:35.416 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

202 11:25:35.573 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

203 11:25:45.916 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

204 11:25:46.026 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

205 11:26:01.416 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

206 11:26:01.619 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

207 11:26:11.916 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

208 11:26:12.932 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

209 11:26:23.416 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

210 11:26:23.525 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

211 11:26:33.916 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFYPD_REQUEST) to
83.175.207.82

212 11:26:34.088 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFYPD_ACK) from
83.175.207.82

213 11:26:44.087 02/01/06 Sev=Info/4 CM/0x6310000A
Secure connections terminated

214 11:26:44.087 02/01/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

215 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 83.175.207.82

216 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=A74DB14B

217 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=1DF97BFDFD3055A6
R_Cookie=4C694B7469F7AC26) reason = DEL_REASON_RESET_SADB

218 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 83.175.207.82

219 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=1DF97BFDFD3055A6
R_Cookie=4C694B7469F7AC26) reason = DEL_REASON_RESET_SADB

220 11:26:44.103 02/01/06 Sev=Info/4 CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Crypto Active IKE
SA, 0 User Authenticated IKE SA in the system

221 11:26:44.103 02/01/06 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

222 11:26:44.119 02/01/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

223 11:26:45.618 02/01/06 Sev=Info/4 CM/0x63100035
The Virtual Adapter was disabled

224 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0xe729bba9

225 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0xe729bba9

226 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x3c962dbc

227 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0x3c962dbc

228 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

229 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

230 11:26:45.618 02/01/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

231 11:26:45.634 02/01/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

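Added as a troubleshooting aid for the last post (my code, not from the thread or from Cisco): a Python script that parses the client log in the wrapped form Sako pasted, takes the Statistics counters and the PIX outside address from the posted config, and reports what they indicate about NAT traversal and return traffic. The log excerpt inside the block is an abbreviated copy of the one above; the regexes, the finding texts and the helper names are mine.

```python
"""Triage a Cisco VPN Client 4.x log excerpt plus its Statistics counters.
Assumes the layout Sako pasted: a header line (seq, time, date, Sev=...,
FACILITY/0xCODE) followed by the message text, possibly wrapped by the reader."""
import re
from ipaddress import ip_address

# Abbreviated copy of the posted log (wrapped as posted) and the posted counters.
LOG = """\
170 11:25:13.026 02/01/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "83.175.207.82"
171 11:25:14.026 02/01/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 83.175.207.82
174 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity),
VID(?), KE, ID, NON, HASH) from 83.175.207.82
176 11:25:14.307 02/01/06 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
189 11:25:15.120 02/01/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=172.16.1.1/255.255.0.0
191 11:25:15.307 02/01/06 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.3.114. Current address(es):
172.16.1.1, 192.168.3.114.
"""
STATS = {"encrypted": 135, "decrypted": 0, "discarded": 77}
PIX_OUTSIDE_IP = "10.200.100.253"  # 'ip address outside' in the posted config

HEADER_RE = re.compile(r"^\d+\s+\S+\s+\S+\s+Sev=\S+\s+(?P<facility>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]+)$")
VID_RE = re.compile(r"VID\(([^)]*)\)")
PORT_RE = re.compile(r"Local Port = (0x[0-9A-Fa-f]+), Remote Port = (0x[0-9A-Fa-f]+)")
PEER_RE = re.compile(r'Attempt connection with server "(\d+(?:\.\d+){3})"')
VA_RE = re.compile(r"Virtual Adapter was enabled: IP=(\d+(?:\.\d+){3})/")
ADDR_RE = re.compile(r"Current address\(es\):\s*(.*)")


def parse_messages(text):
    """Group the log into messages; continuation lines are joined with a space
    so a wrapped VID list or address list comes back as one string."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            messages.append(dict(m.groupdict(), body=""))
        elif messages and line:
            messages[-1]["body"] = (messages[-1]["body"] + " " + line).strip()
    return messages


def analyze(log_text, stats, gateway_iface_ip=None):
    """Return what the log and counters say about NAT-T and return traffic."""
    r = {"client_offered_natt": False, "gateway_answered_natt": False,
         "ike_ports": None, "peer_ip": None, "va_ip": None, "physical_addrs": []}
    for m in parse_messages(log_text):
        body = m["body"]
        if "ISAKMP OAK AG" in body:  # the aggressive-mode exchange carries the VIDs
            has_natt = "Nat-T" in VID_RE.findall(body)
            if body.startswith("SENDING"):
                r["client_offered_natt"] = r["client_offered_natt"] or has_natt
            elif body.startswith("RECEIVING"):
                r["gateway_answered_natt"] = r["gateway_answered_natt"] or has_natt
        for key, rx in (("peer_ip", PEER_RE), ("va_ip", VA_RE)):
            mm = rx.search(body)
            if mm:
                r[key] = mm.group(1)
        mm = PORT_RE.search(body)
        if mm:
            r["ike_ports"] = (int(mm.group(1), 16), int(mm.group(2), 16))
        mm = ADDR_RE.search(body)
        if mm:
            r["physical_addrs"] = [a.strip(" .") for a in mm.group(1).split(",")]
    # The assigned virtual-adapter address is not a physical interface address.
    r["physical_addrs"] = [a for a in r["physical_addrs"] if a and a != r["va_ip"]]
    r["client_behind_nat"] = any(ip_address(a).is_private for a in r["physical_addrs"])
    r["gateway_behind_nat"] = bool(gateway_iface_ip and r["peer_ip"]
                                   and ip_address(gateway_iface_ip).is_private
                                   and not ip_address(r["peer_ip"]).is_private)
    r["one_way_esp"] = stats.get("encrypted", 0) > 0 and stats.get("decrypted", 0) == 0
    f = r["findings"] = []
    if r["client_offered_natt"] and not r["gateway_answered_natt"]:
        f.append("client offered VID(Nat-T) but the gateway did not return it: NAT-T was "
                 "not negotiated (on PIX 6.3 it is enabled with 'isakmp nat-traversal')")
    if r["client_behind_nat"]:
        f.append("client physical address is RFC 1918: a NAT sits between client and gateway")
    if r["gateway_behind_nat"]:
        f.append("gateway outside address is RFC 1918 but the client dialled a public one: "
                 "the gateway side is NATed too")
    if r["one_way_esp"]:
        f.append("encrypted > 0, decrypted == 0: traffic leaves the client and nothing returns")
    if r["one_way_esp"] and not r["gateway_answered_natt"] and (
            r["client_behind_nat"] or r["gateway_behind_nat"]):
        f.append("likely cause: plain ESP carries no ports for a NAT to map, so without "
                 "NAT-T (UDP 4500 encapsulation) the return ESP never reaches the client")
    return r
```

Calling analyze(LOG, STATS, PIX_OUTSIDE_IP)["findings"] on the posted data returns the list of findings; the parsed values (ike_ports, peer_ip, physical_addrs) are in the same dict for inspection.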