PIX to PIX plus VPN Client Cisco Problem

Discussion in 'Cisco' started by meme, Feb 11, 2004.

  1. meme

    meme Guest

    Hello all,

    I configured two VPNs, one between two PIX 501s (6.3(1)) and one between a PIX
    and a Cisco VPN Client 4.0.3 (C).

    Well, the VPN between the PIXes works fine, while the VPN between the Cisco VPN
    Client and the PIX doesn't work. The PIX assigns the IP address (from the
    pool) to my remote PC, but I cannot ping the internal interface of the PIX
    (192.168.50.100).

    Thank you in advance for the answer.

    Bye.

    Meme

    : Saved
    : Written by enable_15 at 23:32:45.392 CEST Tue Feb 10 2004
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname test
    domain-name test
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    no names
    access-list 101 permit ip host 192.168.50.1 10.0.0.0 255.255.255.0
    access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.50.144 255.255.255.240
    access-list 104 permit udp any any eq tftp
    access-list 103 permit tcp any any eq ssh
    pager lines 24
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside *** 255.255.255.255 pppoe
    ip address inside 192.168.50.100 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool1 192.168.50.151-192.168.50.159
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 *** 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    fragment chain 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set nometrans esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set VpnClientSet esp-aes-256 esp-sha-hmac
    crypto dynamic-map dynmap1 30 set transform-set VpnClientSet
    crypto map transam 1 ipsec-isakmp
    crypto map transam 1 match address 101
    crypto map transam 1 set peer ***
    crypto map transam 1 set transform-set nometrans
    crypto map transam 20 ipsec-isakmp dynamic dynmap1
    crypto map transam interface outside
    isakmp enable outside
    isakmp key *** address *** netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption aes-256
    isakmp policy 1 hash md5
    isakmp policy 1 group 5
    isakmp policy 1 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 1000
    vpngroup testg address-pool vpnpool1
    vpngroup testg split-tunnel 101
    vpngroup testg idle-time 1800
    vpngroup testg password ***
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    management-access outside
    console timeout 0
    vpdn group pppoe-sbc request dialout pppoe
    vpdn group pppoe-sbc localname ***
    vpdn group pppoe-sbc ppp authentication pap
    vpdn username *** password ***
    vpdn enable inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 100
    Cryptochecksum:306eb9ab906724fdab9dffa404c4f230
    : end
     
    meme, Feb 11, 2004
    #1

  2. meme

    meme Guest

    More help...
    I removed the site-to-site VPN configuration, and the VPN between the Cisco VPN
    Client and the PIX works fine; together they don't work.
    Thanks a lot in advance.
    Bye


    > I configured two VPNs, one between two PIX 501s (6.3(1)) and one between a PIX
    > and a Cisco VPN Client 4.0.3 (C).
    >
    > Well, the VPN between the PIXes works fine, while the VPN between the Cisco VPN
    > Client and the PIX doesn't work. The PIX assigns the IP address (from the
    > pool) to my remote PC, but I cannot ping the internal interface of the PIX
    > (192.168.50.100).
    >
    > Thank you in advance for the answer.
     
    meme, Feb 12, 2004
    #2

  3. GuenTech

    GuenTech

    Joined:
    May 21, 2009
    Messages:
    6
    I have the same problem.

    I have an IPSec tunnel between my PIX 515E and a remote office via their ISP's VPN concentrator. With this tunnel up, my Cisco VPN clients can connect but NOT pass traffic.

    I have the following related access-list entries (101 is for my VPNGroup using the Cisco VPN client; DalVPN is for my IPSec tunnel between our PIX 515E and the VPN concentrator):

    access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
    access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0

    IF I use:

    nat (inside) 0 access-list 101

    THEN my Cisco VPN clients work great, but my IPSec tunnel to Dallas dies.

    IF I use:

    nat (inside) 0 access-list DalVPN

    THEN my IPSec tunnel to Dallas works great, but Cisco VPN clients cannot pass traffic.

    What are we missing... this is very frustrating. Any ideas anyone?
     
    GuenTech, May 23, 2009
    #3
  4. GuenTech

    GuenTech

    Joined:
    May 21, 2009
    Messages:
    6
    My solution

    I have solved the problem:

    Added the following to my 101 access-list to exempt traffic from the NAT process:

    access-list 101 permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0

    Poof! Now both the PIX to Concentrator IPSec tunnel and the Cisco VPN Clients pass data back and forth properly.
     
    GuenTech, May 27, 2009
    #4
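As an added illustration (not code from the thread or from Cisco), a small Python check of the rule GuenTech's fix relies on: a PIX interface takes a single `nat (inside) 0 access-list`, so that one ACL has to exempt the traffic of every tunnel, both the site-to-site remote networks referenced by the static crypto map and the VPN client address pool. The sample configs, ACL names and pool range are constructed from the posts above; the pool range is assumed since the thread does not show it.

```python
import ipaddress

# Constructed sample modelled on the thread: the single nat 0 exemption ACL (101)
# covers the VPN client pool but not the site-to-site remote network (broken state).
BROKEN = """
access-list 101 permit ip 10.1.150.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list DalVPN permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0
ip local pool vpnpool1 10.1.250.1-10.1.250.254
nat (inside) 0 access-list 101
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address DalVPN
crypto map transam 20 ipsec-isakmp dynamic dynmap1
"""
# GuenTech's fix: add the remote network to that same nat 0 ACL.
FIXED = BROKEN + "access-list 101 permit ip 10.1.150.0 255.255.255.0 10.0.1.0 255.255.255.0\n"

def _net(tokens):
    tok = tokens.pop(0)  # PIX address spec: "host A" | "any" | "A MASK"
    if tok in ("host", "any"):
        return ipaddress.ip_network(tokens.pop(0) + "/32" if tok == "host" else "0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse(config):  # ACL entries, client pools, nat 0 ACL name, static crypto-map ACLs
    acls, pools, nat0, static_acls = {}, [], None, []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_net(rest), _net(rest)))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            static_acls.append(t[6])
    return acls, pools, nat0, static_acls

def check_nat_exemption(config):  # findings: tunnelled traffic the nat 0 ACL does not exempt
    acls, pools, nat0, static_acls = parse(config)
    exempt = [d for _, d in acls.get(nat0, [])]
    findings = []
    for name in static_acls:  # site-to-site remote networks must be NAT-exempt
        for _, dst in acls.get(name, []):
            if not any(dst.subnet_of(e) for e in exempt):
                findings.append(f"{name}: {dst} is tunnelled but not exempt from NAT by {nat0}")
    for lo, hi in pools:  # the whole VPN client pool must be NAT-exempt too
        if not all(any(a in e for e in exempt) for a in (lo, hi)):
            findings.append(f"pool {lo}-{hi} is not exempt from NAT by {nat0}")
    return findings
```

Run against BROKEN it reports the DalVPN destination 10.0.1.0/24 as tunnelled but still NATed; against FIXED it reports nothing, matching the behaviour described in the thread.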