Pix 506e - Easy VPN - Connected, Almost There, Need Help :(

Discussion in 'Cisco' started by Guest, Mar 11, 2010.


    I've spent weeks now trying to implement a Pix to Pix VPN. I thought I would post this in hopes someone could help me.

    I am using a PIX 506e Easy VPN Server for both PIX and Windows clients.

    Both the Windows client and the Pix client get the same results when connected.

    I can get my Pix 501 to open a tunnel to the Pix 506e. These are both on separate ISPs.

    I can ping from the Pix 501 console to the Pix 506e Inside Interface IP.

    I cannot ping from the Pix 506e console to the Pix 501 Inside Interface IP.

    I cannot ping hosts on either PIX beyond the Inside interface.

    With logging console 7 activated, I receive the following error when pinging a host on 172.16.55.x from the console on the Pix 501.
    ----------------------------------------------
    305005: No translation group found for icmp src outside:100.1.1.10 dst inside:172.16.55.254 (type 8, code 0)
    ----------------------------------------------

    Also this error continually rolls across the screen every 10 seconds:
    ----------------------------------------------
    crypto_isakmp_process_block:src:100.1.1.10, dest:200.1.1.10 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 847215159
    ISAMKP (0): received DPD_R_U_THERE from peer 100.1.1.10
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    ----------------------------------------------

    For privacy reasons, I have changed the IP addresses and passwords.

    PIX506e Outside (ISP1): 200.1.1.10
    ISP1 Gateway: 200.1.1.1

    PIX501 Outside (ISP2): 100.1.1.10
    ISP2 Gateway: 100.1.1.1

    Here are my configurations:

    Pix 506e (Server)
    ----------------------------------------------
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ******** encrypted
    passwd ******** encrypted
    hostname vpnserver
    domain-name mydomain.com
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list NONAT permit ip 172.16.55.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list 110 permit ip 172.16.55.0 255.255.255.0 192.168.6.0 255.255.255.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 200.1.1.10 255.255.255.128
    ip address inside 172.16.55.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.1.100-192.168.1.110
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group 110 in interface inside
    route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
    route inside 172.16.2.0 255.255.255.0 172.16.55.254 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup mygroup address-pool vpnpool
    vpngroup mygroup dns-server 172.16.2.1
    vpngroup mygroup default-domain mydomain.com
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password ********
    vpngroup idle-time idle-time 1800
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn username myuser password *********
    vpdn enable outside
    username myuser password ******** encrypted privilege 2
    terminal width 80
    ----------------------------------------------

    Pix 501 (Client)
    ----------------------------------------------
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ******** encrypted
    passwd ******** encrypted
    hostname vpnclient
    domain-name mydomain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 17
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    logging on
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside 100.1.1.10 255.255.255.0
    ip address inside 192.168.6.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 100.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.6.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    management-access inside
    console timeout 0
    dhcpd address 192.168.6.20-192.168.6.200 inside
    dhcpd dns 172.16.2.1 172.16.2.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    vpnclient server 200.1.1.10
    vpnclient mode client-mode
    vpnclient vpngroup mygroup password ********
    vpnclient username myuser password ********
    vpnclient enable
    terminal width 80
    ----------------------------------------------
    Guest, Mar 11, 2010
    #1
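The `305005` message quoted above says the 506e could not find a translation for a packet arriving on `outside` and headed for an `inside` host. On PIX 6.3 such a packet is only passed if a static or a `nat 0` exemption covers it, so a quick way to reason about the message is to check the source/destination pair from the log against the `nat (inside) 0 access-list` entries and the `ip local pool` range in the server config. The script below is an added diagnostic, not anything from the poster's configuration or from Cisco; it embeds the relevant server lines and the quoted syslog line from the post, plus one constructed `305005` line (source 192.168.6.20) to show what a covered pair looks like. The assumption in `check_exemption` is that a `nat 0` ACL bound to `inside` exempts a packet when the inside host falls in the ACL source network and the remote address falls in the ACL destination network.

```python
import ipaddress
import re

# Excerpt of the PIX 506e (server) config from the post: only the lines the check needs.
SERVER_CONFIG = """
access-list NONAT permit ip 172.16.55.0 255.255.255.0 192.168.6.0 255.255.255.0
ip local pool vpnpool 192.168.1.100-192.168.1.110
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# First line is the syslog message from the post; the second is constructed to show a covered pair.
LOG_LINES = [
    "305005: No translation group found for icmp src outside:100.1.1.10 dst inside:172.16.55.254 (type 8, code 0)",
    "305005: No translation group found for icmp src outside:192.168.6.20 dst inside:172.16.55.254 (type 8, code 0)",
]

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
LOG_RE = re.compile(r"305005: No translation group found for (\w+) src (\w+):(\S+) dst (\w+):(\S+)")


def parse_config(text):
    """Collect access-list entries, local pools and nat 0 bindings from PIX 6.3 config text."""
    acls, pools, nat0 = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{src_mask}"), ipaddress.ip_network(f"{dst}/{dst_mask}"))
            )
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)  # interface name -> ACL name
    return acls, pools, nat0


def parse_305005(line):
    """Pull protocol, interfaces and addresses out of a 305005 syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src_if, src, dst_if, dst = m.groups()
    return {"proto": proto, "src_if": src_if, "src": ipaddress.ip_address(src),
            "dst_if": dst_if, "dst": ipaddress.ip_address(dst)}


def check_exemption(event, acls, pools, nat0):
    """Assumed rule: the nat 0 ACL on the destination interface exempts the packet when the
    inside host is in the ACL source net and the remote address is in the ACL destination net."""
    acl_name = nat0.get(event["dst_if"])
    entries = acls.get(acl_name, [])
    exempt = any(event["dst"] in s and event["src"] in d for s, d in entries)
    in_pool = any(lo <= event["src"] <= hi for lo, hi in pools.values())
    return {"acl": acl_name, "exempt": exempt, "src_in_pool": in_pool}


def diagnose(config_text, log_lines):
    """Return one result dict per parsable 305005 line."""
    acls, pools, nat0 = parse_config(config_text)
    results = []
    for line in log_lines:
        event = parse_305005(line)
        if event is None:
            continue
        result = check_exemption(event, acls, pools, nat0)
        result["src"], result["dst"] = str(event["src"]), str(event["dst"])
        results.append(result)
    return results


if __name__ == "__main__":
    for r in diagnose(SERVER_CONFIG, LOG_LINES):
        status = "covered by nat 0" if r["exempt"] else "NOT covered by nat 0"
        print(f"{r['src']} -> {r['dst']}: {status} (ACL {r['acl']}, src in vpn pool: {r['src_in_pool']})")
```

Run against the posted lines it reports that 100.1.1.10 (the 501's outside address, as the log shows it) is neither in the NONAT destination network nor in the vpnpool range, while the constructed 192.168.6.20 source is covered. That makes the mismatch between what the exemption ACL expects and what actually arrives visible before touching the boxes; the same check is worth rerunning after any change to the ACL or pool.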