Cisco PIX Outbound Issues

Discussion in 'Hardware' started by ShadedNature, Sep 26, 2006.

  1. ShadedNature

    Sep 26, 2006
    I have a Cisco PIX 501 that I use as a VPN endpoint into my network from work. For some reason I can't VPN out of my network into my work network (VPN3000). I've googled and found a few solutions to my problem in this forum with a few commands, but I can't use the fixup protocol esp-ike command according to Cisco because I use my PIX as a VPN endpoint (the isakmp enable outside command doesn't co-exist with the fixup protocol esp-ike command). I already have the isakmp nat-traversal 20 command on my PIX. I'm getting a "portmap translation creation failed for protocol 50" error on my syslog server. I should be able to do this w/o issuing a static command.
    Any thoughts??? Below is my config:

    : Saved
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *password* encrypted
    passwd *password* encrypted
    hostname ZIM
    domain-name IRKIN
    clock timezone GMT -5
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list 80 permit ip
    pager lines 24
    logging on
    logging trap debugging
    logging host inside
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    route outside 1
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpnset esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto dynamic-map vpnmap 10 set transform-set vpnset
    crypto dynamic-map vpnmap 10 set security-association lifetime seconds 28800 kilobytes 460800
    crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap
    crypto map vpnmap client configuration address initiate
    crypto map vpnmap client configuration address respond
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp client configuration address-pool local vpnpool outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup IrkinInvader address-pool vpnpool
    vpngroup IrkinInvader dns-server
    vpngroup IrkinInvader default-domain Irkin
    vpngroup IrkinInvader split-tunnel 80
    vpngroup IrkinInvader idle-time 1800
    vpngroup IrkinInvader password ********
    telnet inside
    telnet timeout 15
    ssh timeout 15
    console timeout 0
    dhcpd address inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain Irkin
    dhcpd enable inside
    terminal width 80
    banner login Unauthorized connections are prohibitied. This connection has been logged!
    : end

    ShadedNature, Sep 26, 2006
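The following is an added example, not code from the post or from Cisco: a small Python audit that checks a PIX 6.3 config for the two conditions the poster describes (interface PAT with no static translation, and the esp-ike fixup coexisting with isakmp enable outside) and picks protocol 50 translation failures out of syslog. The sample config lines, the syslog message ID 305006 and all addresses are constructed or assumed, not taken from the page.

```python
import re

# Constructed sample: a few lines echoing the poster's PIX 6.3 config
# (the addresses in the original config were removed before posting).
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
global (outside) 1 interface
nat (inside) 1 0 0
sysopt connection permit-ipsec
isakmp enable outside
isakmp nat-traversal 20
"""

# Constructed syslog lines. The first repeats the failure text the poster quotes;
# the message ID 305006 and the addresses are assumptions, not from the post.
SAMPLE_SYSLOG = [
    "%PIX-3-305006: portmap translation creation failed for protocol 50 "
    "src inside:192.0.2.10 dst outside:198.51.100.7",
    "%PIX-6-302015: Built outbound UDP connection 9 for outside:198.51.100.7/500 "
    "(198.51.100.7/500) to inside:192.0.2.10/500 (203.0.113.5/1025)",
]

XLATE_FAIL = re.compile(
    r"translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)


def config_lines(config: str) -> set:
    """Normalise a config dump into a set of stripped, non-empty lines."""
    return {line.strip() for line in config.splitlines() if line.strip()}


def audit_config(config: str) -> list:
    """Report the conditions the poster describes as findings."""
    lines = config_lines(config)
    findings = []
    if "isakmp enable outside" in lines and "fixup protocol esp-ike" in lines:
        findings.append("conflict: fixup protocol esp-ike with isakmp enable outside")
    has_static = any(l.startswith("static (inside,outside)") for l in lines)
    if "global (outside) 1 interface" in lines and not has_static:
        findings.append("interface PAT only: no static translation for pass-through ESP")
    return findings


def esp_xlate_failures(syslog: list) -> list:
    """Return (src, dst) pairs for translation failures on IP protocol 50 (ESP)."""
    hits = []
    for line in syslog:
        m = XLATE_FAIL.search(line)
        if m and m.group("proto") == "50":
            hits.append((m.group("src"), m.group("dst")))
    return hits
```

Run `audit_config(SAMPLE_CONFIG)` and `esp_xlate_failures(SAMPLE_SYSLOG)` against a real config dump and syslog export to see which of the two conditions applies.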
