Easy VPN - client doesn't get config from server

 
 
psychogenic
04-12-2006
Hi all,

I have a 2600 router set up as an ezvpn server and a pix501 set up as a
client. The client end can ping my public interface and I can ping
theirs but they can't receive the configuration from us. Here are the
configs of our devices:

These IP ranges are just examples...

My network: 192.168.0.0/24
My DMZ: 192.168.1.0/24

2600 Router as Server

hostname Router2600
!
boot-start-marker
boot-end-marker
!
card type t3 1
logging buffered 51200 debugging
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login localuser local
aaa authorization network groupvpn local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
ip flow-cache timeout active 1
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
!
username admin password 7
username ezvpn-user secret 5 TESTING123
!
!
controller T3 1/0
cablelength 10
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group groupvpn
key TESTING
dns 192.168.0.2 192.168.0.1
wins 192.168.0.1 192.168.0.2
domain testing.com
pool vpn-pool
acl 104
save-password
!
!
crypto ipsec transform-set VPNTRANSF esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set VPNTRANSF
reverse-route
!
!
crypto map dynmap client authentication list localuser
crypto map dynmap isakmp authorization list groupvpn
crypto map dynmap client configuration address respond
crypto map dynmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
description
!
no mop enabled
!
interface FastEthernet0/1
description PUBLIC INTERFACE
ip address 10.32.152.1 255.255.255.0
ip route-cache flow
speed 100
full-duplex
crypto map dynmap
!
interface Serial1/0
!
ip local pool vpn-pool 192.168.0.150 192.168.0.160
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.0.57 9996
!
ip http server
ip http secure-server
ip nat inside source list insideout interface Serial1/0 overload
!
!
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.0 0.0.3.255 any
access-list 101 permit icmp any host 65.194.75.2 echo-reply
access-list 101 permit icmp any host 65.194.75.2 time-exceeded
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 permit tcp any host x.x.x.x eq ftp
access-list 102 permit tcp any host x.x.x.x eq ftp-data
access-list 103 deny tcp any host x.x.x.x eq ftp
access-list 103 deny tcp any host x.x.x.x eq ftp-data
access-list 103 permit tcp any any
access-list 104 remark VPN Traffic
access-list 104 permit ip any 192.168.1.0 0.0.0.255
access-list 104 permit tcp any 192.168.1.0 0.0.0.255
snmp-server ifindex persist
!
!
control-plane
!
!
!
end


pix501 as Client

vpnclient server 10.32.152.1
vpnclient mode network-extension-mode
vpnclient vpngroup groupvpn password TESTING
vpnclient username ezvpn-user password TESTING123
vpnclient management tunnel 192.168.0.56 255.255.255.248
vpnclient enable


I told them to add just that block into their PIX. ACL 104 (I think)
should direct the traffic to 192.168.1.0/24 which is my DMZ.

Thanks.
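
An added example, not part of the original post and not Cisco's code: a Python check of what the group's `acl 104` hands out, run over a constructed excerpt of the config above. It assumes IOS Easy VPN Server reads the group `acl` as the split-tunnel list, with the source field naming the networks behind the server; the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt: only the lines of the posted server config that this check reads.
CONFIG = """\
crypto isakmp client configuration group groupvpn
 key TESTING
 pool vpn-pool
 acl 104
!
access-list 104 remark VPN Traffic
access-list 104 permit ip any 192.168.1.0 0.0.0.255
access-list 104 permit tcp any 192.168.1.0 0.0.0.255
"""

def parse_addr(tokens):
    """Consume one ACL address spec; return (network, or None for 'any', rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard mask -> netmask by inverting the bits (0.0.0.255 -> 255.255.255.0)
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def group_acl(config, group):
    """Return the ACL number named by 'acl' inside the given client configuration group."""
    inside = False
    for line in config.splitlines():
        w = line.split()
        if w[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            inside = w[5:] == [group]
        elif not w or w[0] == "!":
            inside = False
        elif inside and w[0] == "acl" and len(w) == 2:
            return w[1]
    return None

def split_tunnel_networks(config, group):
    """Return (networks taken from permit-entry sources, findings) for the group's ACL."""
    acl, nets, findings = group_acl(config, group), [], []
    for line in config.splitlines():
        w = line.split()
        if w[:3] != ["access-list", acl, "permit"] or len(w) < 6:
            continue
        src, rest = parse_addr(w[4:])
        dst, _ = parse_addr(rest)
        if src is None:  # assumption: the source field is what names the protected network
            findings.append(f"acl {acl} ({w[3]}): source 'any', {dst} only as destination")
        elif src not in nets:
            nets.append(src)
    return nets, findings

if __name__ == "__main__":
    print(split_tunnel_networks(CONFIG, "groupvpn"))
```

Only address specs without source-port qualifiers are parsed, which covers the ACL 104 lines in the post.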

 
 
 
 
 
joeblack
04-12-2006

Can you be more specific? Does the ezvpn client connect? Do you see
active SA's for the connection? If it makes a connection then it should
download all of the isakmp policies. If not, then you have something
else wrong with the configuration. Please send me more information and
I will help you as best as I can.


Thanks,
JoeBlack

 
 
 
 
 
psychogenic
04-12-2006
I'm not sure what other info you need. It's my first time setting this
up (you may have seen other posts I have made here about it) and I'm
trying to do Easy VPN between myself and a remote site. Not using the
easy vpn software.

And I didn't see any active SA's. One of the big problems is I'm here
in the U.S. and the remote site is over in Thailand. I'm going to check
again tonight and see if my router shows anything. In the meantime though,
I want to make sure my config is right.

joeblack wrote:
> Can you be more specific? Does the ezvpn client connect? Do you see
> active SA's for the connection? If it makes a connection then it should
> download all of the isakmp policies. If not, then you have something
> else wrong with the configuration. Please send me more information and
> I will help you as best as I can.


 
 
psychogenic
04-12-2006
I should also add that the router also includes ACLs for FTP testing
in case you get a little confused why I have certain things in ACLs
100-103.



 