Pocket PC vpn to PIX

Discussion in 'Cisco' started by Michael Shiah, Mar 4, 2005.

  1. Hi all,

    I've a PDA (Model: HP iPAQ 2410, s/w: Pocket PC 2003 Premium) and I tried to
    use the PDA to VPN to our PIX firewall (Model: 515E-R, software version: 6.3).
    Fortunately, I can connect to the PIX through the PPTP setting on the PDA. After that,
    when I tried to connect to an internal website through the VPN, no response
    was returned to me!!

    On the other hand, I can use Windows 2000 Professional's built-in VPN
    function (I use PPTP) to connect to the PIX as well as the internal website!!
    Windows 2000 works fine!!

    Could anybody tell me how I can resolve this problem about PDA's vpn?

    The following is part of my PIX config:

    interface ethernet0 100full
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password xxxxxx encrypted
    passwd xxxxxxx encrypted
    hostname KD-PIX
    domain-name xx.com
    clock timezone cst -6
    clock summer-time cdt recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list acl-outside deny tcp 67.92.140.0 255.255.255.0 any
    ....... a lot of access lists............

    access-list 101 permit ip 172.16.30.0 255.255.255.0 172.16.39.0 255.255.255.0
    access-list 101 permit ip 172.16.31.0 255.255.255.0 172.16.39.0 255.255.255.0
    access-list 101 permit ip 172.16.32.0 255.255.255.0 172.16.39.0 255.255.255.0
    access-list 101 permit ip 172.16.40.0 255.255.255.0 172.16.39.0 255.255.255.0
    access-list 102 permit tcp 172.16.39.0 255.255.255.0 172.16.0.0 255.255.0.0 eq telnet
    access-list 102 permit tcp 172.16.39.0 255.255.255.0 172.16.0.0 255.255.0.0 eq ssh
    access-list 102 permit tcp 172.16.39.0 255.255.255.0 host 172.16.34.11 eq www
    access-list 102 permit tcp 172.16.39.0 255.255.255.0 host 172.16.30.11 eq www
    access-list 102 permit tcp 172.16.39.0 255.255.255.0 172.16.0.0 255.255.0.0 eq sqlnet
    access-list test permit ip host 211.134.188.188 any
    access-list acl-dma permit tcp any any
    pager lines 24
    logging on
    logging timestamp

    logging buffered warnings
    logging facility 23
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside xxx 255.255.255.248
    ip address inside xxx 255.255.255.0
    ip address dmz xxx 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 172.16.39.1-172.16.39.254
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) xxx 172.16.34.11 netmask 255.255.255.255 0 0
    static (inside,dmz) 172.16.30.0 172.16.30.0 netmask 255.255.255.0 0 0
    static (dmz,outside) xxx 172.16.34.16 netmask 255.255.255.255 0 0
    static (inside,outside) xxx 172.16.30.164 netmask 255.255.255.255 0 0
    access-group acl-outside in interface outside
    access-group acl-inside in interface inside
    access-group acl-dmz in interface dmz
    established tcp 119 0 permitto tcp 113 permitfrom tcp 0
    route outside 0.0.0.0 0.0.0.0 xxx 1
    route inside 172.16.31.0 255.255.255.0 172.16.30.254 1
    route inside 172.16.32.0 255.255.255.0 172.16.30.254 1
    route inside 172.16.40.0 255.255.255.0 172.16.30.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 172.16.40.123 uuaiggol timeout 5
    aaa-server LOCAL protocol local
    aaa accounting match 102 outside RADIUS
    snmp-server host inside 172.16.40.123 poll
    no snmp-server location
    no snmp-server contact
    snmp-server community kdpix
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    service resetinbound
    service resetoutside
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication RADIUS
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local vpnpool outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn address-pool vpnpool
    vpngroup vpn dns-server 172.16.30.12
    vpngroup vpn default-domain kangdainfo.com
    vpngroup vpn split-tunnel 101
    vpngroup vpn idle-time 1800
    vpngroup vpn authentication-server RADIUS
    vpngroup vpn password ********
    telnet 172.16.40.123 255.255.255.255 inside
    telnet 172.16.34.11 255.255.255.255 inside
    telnet timeout 5
    ssh 172.16.40.123 255.255.255.255 inside
    ssh 172.16.30.0 255.255.255.0 inside
    ssh 172.16.39.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group PPTP accept dialin pptp
    vpdn group PPTP ppp authentication mschap
    vpdn group PPTP ppp encryption mppe 40 required
    vpdn group PPTP client configuration address local vpnpool
    vpdn group PPTP client configuration dns 172.16.30.12
    vpdn group PPTP client authentication aaa RADIUS
    vpdn group PPTP pptp echo 60
    vpdn username PPTP password *********
    vpdn enable outside
    terminal width 80
    Michael Shiah, Mar 4, 2005
    #1
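An added sanity check (not part of the post or of any Cisco tool): it parses the VPN pool, the nat 0 exemption ACL and the inside routes from a PIX 6.3 config and reports any inside subnet the PIX routes to that is not exempted from NAT for the whole VPN pool, which is one of the things to verify when VPN clients can reach the firewall but get no reply from internal hosts. The config excerpt is retyped from the post; the function and regex names are my own.

```python
import ipaddress
import re

# Constructed sample: only the lines relevant to the check, copied from the post.
PIX_CONFIG = """
ip local pool vpnpool 172.16.39.1-172.16.39.254
access-list 101 permit ip 172.16.30.0 255.255.255.0 172.16.39.0 255.255.255.0
access-list 101 permit ip 172.16.31.0 255.255.255.0 172.16.39.0 255.255.255.0
access-list 101 permit ip 172.16.32.0 255.255.255.0 172.16.39.0 255.255.255.0
access-list 101 permit ip 172.16.40.0 255.255.255.0 172.16.39.0 255.255.255.0
nat (inside) 0 access-list 101
route inside 172.16.31.0 255.255.255.0 172.16.30.254 1
route inside 172.16.32.0 255.255.255.0 172.16.30.254 1
route inside 172.16.40.0 255.255.255.0 172.16.30.254 1
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) \S+ \d+$")


def net(addr, mask):
    # PIX writes subnets as "address netmask"; build an ip_network from that pair.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect address pools, 'permit ip' ACEs, nat 0 bindings and static routes."""
    pools, acls, nat0, routes = {}, {}, {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], net(m[2], m[3])))
    return pools, acls, nat0, routes


def pool_exempt(entries, subnet, pool):
    """True if one ACE exempts traffic from subnet to every address of the pool."""
    lo, hi = pool
    return any(subnet.subnet_of(src) and lo in dst and hi in dst for src, dst in entries)


def unexempted_inside_subnets(config, pool_name):
    """Inside subnets that are routed but lack a nat 0 exemption towards the pool."""
    pools, acls, nat0, routes = parse(config)
    entries = acls.get(nat0.get("inside", ""), [])
    pool = pools[pool_name]
    return [str(s) for iface, s in routes if iface == "inside" and not pool_exempt(entries, s, pool)]
```

With the posted excerpt every routed inside subnet is covered; appending a route to a subnet absent from access-list 101 makes the check report it.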
