VPN Client to PIX

Discussion in 'Cisco' started by GKurcon, Dec 29, 2003.

  1. GKurcon

    GKurcon Guest

    I need to connect to a PIX 501 running 6.2(2) with either the Cisco VPN
    client or a Windows built in PPTP client. I can connect with either
    of these clients, but am not able to access anything on the inside
    subnet (192.168.1.x). We do have a site to site VPN established with
    another PIX 501 as well, which works fine. Right now it is not
    necessary for me to access the remote side (192.168.2.x), as I have
    read that there are issues with attempting to do so. I just want to
    connect to the PIX and get to the 192.168.1.x resources. What do I
    need to change in the config to accomplish this?? (I realize that I
    am a few versions behind...one step at a time :) )

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 4R3vD8XGO4lVLaq6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname PIX1
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list acl_out permit icmp any any
    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    access-list 200 permit tcp any host x.x.185.50 eq 5632
    access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.185.50 255.255.255.252
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ciscovpn 172.16.1.1-172.16.1.20
    ip local pool pptp-pool 172.16.101.1-172.16.101.14
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 172.16.1.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location 172.16.0.0 255.255.254.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 111
    nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    access-group 200 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    crypto ipsec transform-set cityset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set cityset
    crypto map citymap 1 ipsec-isakmp
    crypto map citymap 1 set peer x.x.184.146
    crypto map citymap 1 set transform-set cityset
    crypto map citymap 2 ipsec-isakmp
    crypto map citymap 2 set transform-set cityset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local ciscovpn outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup ctvpn address-pool ciscovpn
    vpngroup ctvpn dns-server x.x.226.13
    vpngroup ctvpn split-tunnel 201
    vpngroup ctvpn idle-time 7200
    vpngroup ctvpn password ********
    vpngroup pgmr address-pool ciscovpn
    vpngroup pgmr dns-server x.x.226.13
    vpngroup pgmr idle-time 1800
    vpngroup pgmr password ********
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username scsadmin password ********
    vpdn username cisco password ********
    vpdn username gkurcon password ********
    vpdn enable outside
    vpdn enable inside
    username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
    terminal width 80
    Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
     
    GKurcon, Dec 29, 2003
    #1

  2. G'day,

    I assume when you connect using PPTP you receive an address from the pool
    pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being excluded
    from the NAT process so it's being translated. To correct this you need to
    make access-list 111 the following:

    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0

    The last line is new and stops pptp traffic from being natted.

    Scott.


     
    scott enwright, Dec 30, 2003
    #2
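    The check behind Scott's answer, written out as an added example (my script, not code from the thread or from Cisco): it parses the pool, "nat (inside) 0" and "access-list ... permit ip" lines out of the posted config and reports, for every "ip local pool", which pool addresses are not permitted as a destination from the inside subnet by the NAT-exemption ACL. Addresses it reports are the ones the "nat (inside) 1 0.0.0.0 0.0.0.0" rule will still translate. The embedded config is an excerpt of the one posted above; FIXED_CONFIG is that excerpt plus the line Scott proposes. The regexes only understand the "permit ip net mask net mask" form used in this config, which is an assumption of the example.

```python
import ipaddress
import re

# Excerpt of the PIX 6.2(2) config posted in this thread: only the pool, NAT
# and access-list lines that decide whether VPN-client traffic is translated.
PIX_CONFIG = """\
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Same excerpt with the exemption line proposed in the reply above appended.
FIXED_CONFIG = PIX_CONFIG + (
    "access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0\n"
)

# Assumption of this example: only the "permit ip net mask net mask" ACL form is parsed.
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")


def parse_config(text):
    """Pull address pools, permit-ip ACL entries, nat 0 bindings and the inside subnet."""
    pools, acls, nat0, inside = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := ACL_RE.match(line):
            src = ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.IPv4Network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
        elif m := INSIDE_RE.match(line):
            inside = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
    return pools, acls, nat0, inside


def uncovered_addresses(pool, entries, inside):
    """Pool addresses that no ACL entry permits as a destination from the inside subnet."""
    first, last = pool
    missing = []
    addr = first
    while addr <= last:
        if not any(inside.subnet_of(src) and addr in dst for src, dst in entries):
            missing.append(str(addr))
        addr += 1
    return missing


def acl_coverage(text, acl_name):
    """Map each pool name to the list of its addresses the named ACL fails to cover."""
    pools, acls, _, inside = parse_config(text)
    entries = acls.get(acl_name, [])
    return {name: uncovered_addresses(pool, entries, inside) for name, pool in pools.items()}


def check_nat_exemption(text):
    """Coverage of every pool by the ACL bound to 'nat (inside) 0'; {} if none is bound."""
    _, _, nat0, _ = parse_config(text)
    acl_name = nat0.get("inside")
    return acl_coverage(text, acl_name) if acl_name else {}


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_CONFIG), ("with the added line", FIXED_CONFIG)):
        for pool, missing in check_nat_exemption(cfg).items():
            state = "exempt" if not missing else f"TRANSLATED ({len(missing)} addresses)"
            print(f"{label}: pool {pool} -> {state}")
```

    Run as posted, the script reports ciscovpn as exempt and all 14 pptp-pool addresses as translated; with the added access-list 111 line both pools are exempt. acl_coverage() takes any ACL name, so the same check can be pointed at access-list 201, the split-tunnel list of vpngroup ctvpn, which in this config likewise names only the 172.16.1.0 pool.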

  3. GKurcon

    GKurcon Guest

    Thanks for the tip. I added this line to the config but still no
    luck. A consultant that I work with suggested that I add this:

    static (inside,outside) 172.168.101.0 192.168.1.0 netmask 255.255.255.0 0 0

    But when I add this, the only result is all devices on the 192.168.1.0
    subnet are unable to get out to the internet, I have to reboot the PIX
    and also the remote PIX.

    I tried removing this line, but it didn't seem to make a difference
    either:


    nat (inside) 1 172.16.0.0 255.255.254.0 0 0

    This seems like it should be a relatively easy thing to set up, any
    ideas of what I am missing? Thanks.

     
    GKurcon, Dec 31, 2003
    #3
  4. G'day,

    I've just been through the configuration again and compared it to both
    a working configuration and to a sample Cisco configuration
    (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml).
    With that new line I suggested it should just work - could you do a
    'clear xlate' on the box and test it again - the clear xlate command
    will kill all connections that are active on the unit.

    If this doesn't work can you repost the new configuration; maybe there is
    something else stopping it now that wasn't there in your previous post.

    Regards,

    Scott.

     
    scott enwright, Jan 1, 2004
    #4
  5. GKurcon

    GKurcon Guest

    Ok, tried the clear xlate command, it killed all connections but I
    still was not able to get to the 192.168.1.x subnet. I am still able
    to connect with either the VPN client (ver 3.6) or the Windows built
    in dialer, but not able to route over to the 192.168.1.x network.
    Here is the current config. Thanks for the continued support:

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 4R3vD8XGO4lVLaq6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname newburghcityhall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list acl_out permit icmp any any
    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    access-list 200 permit tcp any host x.x.185.50 eq 5632
    access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.185.50 255.255.255.252
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ciscovpn 172.16.1.1-172.16.1.20
    ip local pool pptp-pool 172.16.101.1-172.16.101.14
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 172.16.1.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location 172.16.0.0 255.255.254.0 inside
    pdm location 172.16.101.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 111
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    access-group 200 in interface outside
    route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    crypto ipsec transform-set cityset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set cityset
    crypto map citymap 1 ipsec-isakmp
    crypto map citymap 1 set peer x.x.184.146
    crypto map citymap 1 set transform-set cityset
    crypto map citymap 2 ipsec-isakmp
    crypto map citymap 2 set transform-set cityset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local ciscovpn outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup ctvpn address-pool ciscovpn
    vpngroup ctvpn dns-server x.x.226.13
    vpngroup ctvpn split-tunnel 201
    vpngroup ctvpn idle-time 7200
    vpngroup ctvpn password ********
    vpngroup pgmr address-pool ciscovpn
    vpngroup pgmr dns-server x.x.226.13
    vpngroup pgmr idle-time 1800
    vpngroup pgmr password ********
    vpngroup testvpn address-pool ciscovpn
    vpngroup testvpn idle-time 1800
    vpngroup testvpn password ********
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client configuration dns 192.168.1.11
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username scsadmin password ********
    vpdn username cityhall password ********
    vpdn username gkurcon password ********
    vpdn enable outside
    vpdn enable inside
    username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    terminal width 80
    Cryptochecksum:9d077096c3b18daec412525f083931d9

    "scott enwright" <0spam.net.au> wrote in message news:<etQIb.72741$>...
    > G'day,
    >
    > I've just been through the configuration again with and compared it to both
    > a working configuration and to a sample Cisco configuration
    > (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuratio
    > n_example09186a0080093f89.shtml). With that new line I suggested it should
    > just work - could you do a 'clear xlate' on the box and test it again - the
    > clear xlate command will kill all connections that are active on the unit.
    >
    > If this doesnt work can you repost the new configuration maybe there is
    > something else stopping it now that wasnt there in your previous post.
    >
    > Regards,
    >
    > Scott.
    >
    > "GKurcon" <> wrote in message
    > news:...
    > > Thanks for the tip. I added this line to the config but still no
    > > luck. A consultant that I work with suggested that I add this:
    > >
    > > static (inside,outside) 172.168.101.0 192.168.1.0 netmask
    > > 255.255.255.0 0 0
    > >
    > > But when I add this, the only result is all devices on the 192.168.1.0
    > > subnet are unable to get out to the internet, I have to reboot the PIX
    > > and also the remote PIX.
    > >
    > > I tried removing this line, but it didn't seem to make a difference
    > > either:
    > >
    > >
    > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    > >
    > > This seems like it should be a relatively easy thing to set up, any
    > > ideas of what I am missing? Thanks.
    > >
    > > "scott enwright" <0spam.net.au> wrote in

    > message news:<WxeIb.70433$>...
    > > > G'day,
    > > >
    > > > I assume when you connect using PPTP you receive an address from the

    > pool
    > > > pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being excluded
    > > > from the NAT process so it's being translated. To correct this you need

    > to
    > > > make access-list 111 the following:
    > > >
    > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > > 255.255.255.0
    > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0

    > 255.255.255.0
    > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    > > > 255.255.255.0
    > > >
    > > > The last line is new and stops pptp traffic from being natted.
    > > >
    > > > Scott.
    > > >
    > > >
    > > > "GKurcon" <> wrote in message
    > > > news:...
    > > > > I need to connect to a PIX 501 running 6.2(2)with either the Cisco VPN
    > > > > client or a Windows built in PPTP client. I can connect with either
    > > > > of these clients, but am not able to access anything on the inside
    > > > > subnet (192.168.1.x). We do have a site to site VPN established with
    > > > > another PIX 501 as well, which works fine. Right now it is not
    > > > > necessary for me to access the remote side (192.168.2.x), as I have
    > > > > read that there are issues with attempting to do so. I just want to
    > > > > connect to the PIX and get to the 192.168.1.x resources. What do I
    > > > > need to change in the config to accomplish this?? (I realize that I
    > > > > am a few versions behind...one step at a time :) )
    > > > >
    > > > > PIX Version 6.2(2)
    > > > > nameif ethernet0 outside security0
    > > > > nameif ethernet1 inside security100
    > > > > enable password 4R3vD8XGO4lVLaq6 encrypted
    > > > > passwd 2KFQnbNIdI.2KYOU encrypted
    > > > > hostname PIX1
    > > > > domain-name ciscopix.com
    > > > > fixup protocol ftp 21
    > > > > fixup protocol http 80
    > > > > fixup protocol h323 h225 1720
    > > > > fixup protocol h323 ras 1718-1719
    > > > > fixup protocol ils 389
    > > > > fixup protocol rsh 514
    > > > > fixup protocol rtsp 554
    > > > > fixup protocol smtp 25
    > > > > fixup protocol sqlnet 1521
    > > > > fixup protocol sip 5060
    > > > > fixup protocol skinny 2000
    > > > > names
    > > > > access-list acl_out permit icmp any any
    > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > > > 255.255.255.0
    > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > > 255.255.255.0
    > > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > > 255.255.255.0
    > > > > pager lines 24
    > > > > logging on
    > > > > interface ethernet0 10baset
    > > > > interface ethernet1 10full
    > > > > icmp deny any outside
    > > > > mtu outside 1500
    > > > > mtu inside 1500
    > > > > ip address outside x.x.185.50 255.255.255.252
    > > > > ip address inside 192.168.1.1 255.255.255.0
    > > > > ip audit info action alarm
    > > > > ip audit attack action alarm
    > > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > > > > pdm location 192.168.1.11 255.255.255.255 inside
    > > > > pdm location 192.168.2.0 255.255.255.0 inside
    > > > > pdm location 172.16.1.0 255.255.255.0 outside
    > > > > pdm location 192.168.2.0 255.255.255.0 outside
    > > > > pdm location 172.16.0.0 255.255.254.0 inside
    > > > > pdm logging informational 100
    > > > > pdm history enable
    > > > > arp timeout 14400
    > > > > global (outside) 1 interface
    > > > > nat (inside) 0 access-list 111
    > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
    > > > > pcanywhere-da
    > > > > ta netmask 255.255.255.255 0 20
    > > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
    > > > > 255.255.255
    > > > > .255 0 0
    > > > > access-group 200 in interface outside
    > > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    > > > > timeout xlate 0:05:00
    > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    > > > > 0:05:00 si
    > > > > p 0:30:00 sip_media 0:02:00
    > > > > timeout uauth 0:05:00 absolute
    > > > > aaa-server TACACS+ protocol tacacs+
    > > > > aaa-server RADIUS protocol radius
    > > > > aaa-server LOCAL protocol local
    > > > > http server enable
    > > > > http 192.168.1.0 255.255.255.0 inside
    > > > > no snmp-server location
    > > > > no snmp-server contact
    > > > > snmp-server community public
    > > > > no snmp-server enable traps
    > > > > floodguard enable
    > > > > sysopt connection permit-ipsec
    > > > > sysopt connection permit-pptp
    > > > > no sysopt route dnat
    > > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > > > > crypto dynamic-map dynmap 10 set transform-set cityset
    > > > > crypto map citymap 1 ipsec-isakmp
    > > > > crypto map citymap 1 set peer x.x.184.146
    > > > > crypto map citymap 1 set transform-set cityset
    > > > > crypto map citymap 2 ipsec-isakmp
    > > > > crypto map citymap 2 set transform-set cityset
    > > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > > > > crypto map mymap client configuration address initiate
    > > > > crypto map mymap client configuration address respond
    > > > > crypto map mymap interface outside
    > > > > isakmp enable outside
    > > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255
    > > > > no-xauth no-co
    > > > > nfig-mode
    > > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > > > > isakmp identity address
    > > > > isakmp client configuration address-pool local ciscovpn outside
    > > > > isakmp policy 8 authentication pre-share
    > > > > isakmp policy 8 encryption des
    > > > > isakmp policy 8 hash md5
    > > > > isakmp policy 8 group 1
    > > > > isakmp policy 8 lifetime 86400
    > > > > isakmp policy 10 authentication pre-share
    > > > > isakmp policy 10 encryption des
    > > > > isakmp policy 10 hash md5
    > > > > isakmp policy 10 group 2
    > > > > isakmp policy 10 lifetime 86400
    > > > > vpngroup ctvpn address-pool ciscovpn
    > > > > vpngroup ctvpn dns-server x.x.226.13
    > > > > vpngroup ctvpn split-tunnel 201
    > > > > vpngroup ctvpn idle-time 7200
    > > > > vpngroup ctvpn password ********
    > > > > vpngroup pgmr address-pool ciscovpn
    > > > > vpngroup pgmr dns-server x.x.226.13
    > > > > vpngroup pgmr idle-time 1800
    > > > > vpngroup pgmr password ********
    > > > > telnet 192.168.2.0 255.255.255.0 outside
    > > > > telnet 192.168.2.0 255.255.255.0 inside
    > > > > telnet 192.168.1.0 255.255.255.0 inside
    > > > > telnet 192.168.1.1 255.255.255.255 inside
    > > > > telnet timeout 5
    > > > > ssh timeout 5
    > > > > vpdn group 1 accept dialin pptp
    > > > > vpdn group 1 ppp authentication pap
    > > > > vpdn group 1 ppp authentication chap
    > > > > vpdn group 1 ppp authentication mschap
    > > > > vpdn group 1 ppp encryption mppe 40
    > > > > vpdn group 1 client configuration address local pptp-pool
    > > > > vpdn group 1 pptp echo 60
    > > > > vpdn group 1 client authentication local
    > > > > vpdn username scsadmin password ********
    > > > > vpdn username cisco password ********
    > > > > vpdn username gkurcon password ********
    > > > > vpdn enable outside
    > > > > vpdn enable inside
    > > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
    > > > > terminal width 80
    > > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
     
    GKurcon, Jan 6, 2004
    #5
  6. Try this configuration; I have noted the changes where needed. Don't just cut
    and paste it in, as I don't have all the passwords etc. Please don't save this
    configuration, just test it and let me know how it goes. If it doesn't work,
    please turn on the following debugs and enable "terminal monitor" (and maybe
    "logging monitor debugging") so we can see what is going on with the following
    debugging options enabled:

    debug ppp io
    debug ppp error
    debug vpdn error
    debug vpdn packet
    debug vpdn events
    debug ppp uauth

    Please repost the configuration before losing it so we can see *definitely*
    what it was.

    ------------------------------------------------------------

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 4R3vD8XGO4lVLaq6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname newburghcityhall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list acl_out permit icmp any any
    !--- Access list 110 added - please change the <destination subnet> to
    !--- suit the site-to-site connection. This connection must be broken
    !--- at the moment, or it is being initiated from the other end.
    access-list 110 permit ip 192.168.1.0 255.255.255.0 <destination subnet> 255.255.255.0
    !--- end of newly added lines
    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    255.255.255.0
    access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    access-list 200 permit tcp any host x.x.185.50 eq 5632
    access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    interface ethernet0 10baset
    interface ethernet1 10full
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.185.50 255.255.255.252
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ciscovpn 172.16.1.1-172.16.1.20
    ip local pool pptp-pool 172.16.101.1-172.16.101.14
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 172.16.1.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location 172.16.0.0 255.255.254.0 inside
    pdm location 172.16.101.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 111
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
    pcanywhere-data netmask 255.255.255.255 0 20
    static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
    255.255.255.255 0 0
    access-group 200 in interface outside
    route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    crypto ipsec transform-set cityset esp-des esp-md5-hmac
    !------------ Changes made in here ----------------------
    crypto dynamic-map dynmap 30 set transform-set cityset
    crypto map citymap 10 ipsec-isakmp
    crypto map citymap 10 match address 110
    crypto map citymap 10 set peer x.x.184.146
    crypto map citymap 10 set transform-set cityset
    crypto map citymap 20 ipsec-isakmp dynamic dynmap
    crypto map citymap interface outside
    !----------- end of changes - note some lines deleted as well:)
    isakmp enable outside
    isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    !--- The line below is not needed please remove it
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local ciscovpn outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption des
    isakmp policy 8 hash md5
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup ctvpn address-pool ciscovpn
    vpngroup ctvpn dns-server x.x.226.13
    vpngroup ctvpn split-tunnel 201
    vpngroup ctvpn idle-time 7200
    vpngroup ctvpn password ********
    vpngroup pgmr address-pool ciscovpn
    vpngroup pgmr dns-server x.x.226.13
    vpngroup pgmr idle-time 1800
    vpngroup pgmr password ********
    vpngroup testvpn address-pool ciscovpn
    vpngroup testvpn idle-time 1800
    vpngroup testvpn password ********
    telnet 192.168.2.0 255.255.255.0 outside
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.1 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    !--- The line below is not needed please remove it
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client configuration dns 192.168.1.11
    !--- The line below is not needed please remove it
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username scsadmin password ********
    vpdn username cityhall password ********
    vpdn username gkurcon password ********
    vpdn enable outside
    !--- The line below is not needed please remove it
    vpdn enable inside
    username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    terminal width 80

    Regards,

    Scott.


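The three configuration points the replies above turn on (the PPTP pool left out of the `nat (inside) 0` exemption, the site-to-site crypto map that is never applied to the outside interface, and the wildcard `isakmp key ... address 0.0.0.0` entry) as a small added config checker. This is not code from the thread or from Cisco; the config excerpt is constructed from the values posted above, with the peer address replaced by the placeholder 203.0.113.5.

```python
"""Hypothetical lint for the PIX 6.x remote-access problems discussed in this thread.

Reads a PIX 6.x configuration and reports: a VPN address pool not covered by
the "nat (inside) 0 access-list" exemption, a crypto map that has entries but
is never applied to an interface, and a wildcard pre-shared key.
"""
import ipaddress
import re

# Constructed excerpt modelled on the first config posted in the thread (the
# pre-fix state): ACL 111 exempts the IPsec client pool but not the PPTP pool,
# and the site-to-site map "citymap" is never bound to the outside interface.
# The peer address is a documentation-range placeholder, not the thread's.
SAMPLE_CONFIG = """\
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map citymap 1 ipsec-isakmp
crypto map citymap 1 set peer 203.0.113.5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ")
CMAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface \S+$")
WILDCARD_KEY_RE = re.compile(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$")


def parse(config: str) -> dict:
    """Collect only the statements the checks below need."""
    facts = {"pools": {}, "acls": {}, "nat0": {}, "maps": set(), "bound": set(),
             "wildcard_key": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            facts["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACL_IP_RE.match(line):
            # Only the destination side matters for the nat 0 exemption: the
            # pool addresses appear as destinations of inside-sourced traffic.
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            facts["acls"].setdefault(m[1], []).append(dst)
        elif m := NAT0_RE.match(line):
            facts["nat0"][m[1]] = m[2]          # interface -> ACL name
        elif m := CMAP_IFACE_RE.match(line):
            facts["bound"].add(m[1])
        elif m := CMAP_ENTRY_RE.match(line):
            facts["maps"].add(m[1])
        elif WILDCARD_KEY_RE.match(line):
            facts["wildcard_key"] = True
    return facts


def pools_not_exempt(config: str) -> list:
    """Pools whose whole range is not inside one nat 0 ACL destination.

    Without the exemption, replies to the VPN client are PATed to the outside
    interface address ("global (outside) 1 interface") and the client never
    sees them; this is the diagnosis given in the thread's first reply.
    """
    facts = parse(config)
    exempt = [net for acl in facts["nat0"].values() for net in facts["acls"].get(acl, [])]
    return [name for name, (lo, hi) in facts["pools"].items()
            if not any(lo in net and hi in net for net in exempt)]


def unbound_crypto_maps(config: str) -> list:
    """Crypto maps with entries but no 'crypto map <name> interface' line.

    PIX applies one crypto map set per interface; entries in a map that is
    never applied are inert, which is why the suggested config above merges
    the static site-to-site entry and the dynamic client entry into one map.
    """
    facts = parse(config)
    return sorted(facts["maps"] - facts["bound"])


def has_wildcard_isakmp_key(config: str) -> bool:
    """True if a pre-shared key is accepted from any peer (address 0.0.0.0)."""
    return parse(config)["wildcard_key"]


if __name__ == "__main__":
    print("pools not NAT-exempt :", pools_not_exempt(SAMPLE_CONFIG))
    print("unbound crypto maps  :", unbound_crypto_maps(SAMPLE_CONFIG))
    print("wildcard isakmp key  :", has_wildcard_isakmp_key(SAMPLE_CONFIG))
```

Adding the `access-list 111 ... 172.16.101.0 255.255.255.0` line from the first reply clears the pool finding, and a `crypto map citymap interface outside` line clears the unbound-map finding.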
    "GKurcon" <> wrote in message
    news:...
    > Ok, tried the clear xlate command, it killed all connections but I
    > still was not able to get to the 192.168.1.x subnet. I am still able
    > to connect with either the VPN client (ver 3.6) or the Windows built
    > in dialer, but not able to route over to the 192.168.1.x network.
    > Here is the current config. Thanks for the continued support:
    >
    > PIX Version 6.2(2)
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 4R3vD8XGO4lVLaq6 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname newburghcityhall
    > domain-name ciscopix.com
    > fixup protocol ftp 21
    > fixup protocol http 80
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol sip 5060
    > fixup protocol skinny 2000
    > names
    > access-list acl_out permit icmp any any
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > 255.255.255.0
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > 255.255.255.0
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    > 255.255.255.0
    > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > 255.255.255.0
    > pager lines 24
    > logging on
    > interface ethernet0 10baset
    > interface ethernet1 10full
    > icmp deny any outside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside x.x.185.50 255.255.255.252
    > ip address inside 192.168.1.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > pdm location 192.168.1.11 255.255.255.255 inside
    > pdm location 192.168.2.0 255.255.255.0 inside
    > pdm location 172.16.1.0 255.255.255.0 outside
    > pdm location 192.168.2.0 255.255.255.0 outside
    > pdm location 172.16.0.0 255.255.254.0 inside
    > pdm location 172.16.101.0 255.255.255.0 outside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list 111
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
    > pcanywhere-da
    > ta netmask 255.255.255.255 0 20
    > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
    > 255.255.255
    > .255 0 0
    > access-group 200 in interface outside
    > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    > 0:05:00 si
    > p 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > no sysopt route dnat
    > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > crypto dynamic-map dynmap 10 set transform-set cityset
    > crypto map citymap 1 ipsec-isakmp
    > crypto map citymap 1 set peer x.x.184.146
    > crypto map citymap 1 set transform-set cityset
    > crypto map citymap 2 ipsec-isakmp
    > crypto map citymap 2 set transform-set cityset
    > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > crypto map mymap client configuration address initiate
    > crypto map mymap client configuration address respond
    > crypto map mymap interface outside
    > isakmp enable outside
    > isakmp key ******** address x.x.184.146 netmask 255.255.255.255
    > no-xauth no-co
    > nfig-mode
    > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > isakmp identity address
    > isakmp client configuration address-pool local ciscovpn outside
    > isakmp policy 8 authentication pre-share
    > isakmp policy 8 encryption des
    > isakmp policy 8 hash md5
    > isakmp policy 8 group 1
    > isakmp policy 8 lifetime 86400
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption des
    > isakmp policy 10 hash m5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup ctvpn address-pool ciscovpn
    > vpngroup ctvpn dns-server x.x.226.13
    > vpngroup ctvpn split-tunnel 201
    > vpngroup ctvpn idle-time 7200
    > vpngroup ctvpn password ********
    > vpngroup pgmr address-pool ciscovpn
    > vpngroup pgmr dns-server x.x.226.13
    > vpngroup pgmr idle-time 1800
    > vpngroup pgmr password ********
    > vpngroup testvpn address-pool ciscovpn
    > vpngroup testvpn idle-time 1800
    > vpngroup testvpn password ********
    > telnet 192.168.2.0 255.255.255.0 outside
    > telnet 192.168.2.0 255.255.255.0 inside
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet 192.168.1.1 255.255.255.255 inside
    > telnet timeout 5
    > ssh timeout 5
    > vpdn group 1 accept dialin pptp
    > vpdn group 1 ppp authentication pap
    > vpdn group 1 ppp authentication chap
    > vpdn group 1 ppp authentication mschap
    > vpdn group 1 ppp encryption mppe 40
    > vpdn group 1 client configuration address local pptp-pool
    > vpdn group 1 client configuration dns 192.168.1.11
    > vpdn group 1 pptp echo 60
    > vpdn group 1 client authentication local
    > vpdn username scsadmin password ********
    > vpdn username cityhall password ********
    > vpdn username gkurcon password ********
    > vpdn enable outside
    > vpdn enable inside
    > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    > terminal width 80
    > Cryptochecksum:9d077096c3b18daec412525f083931d9
    >
    > "scott enwright" <0spam.net.au> wrote in

    message news:<etQIb.72741$>...
    > > G'day,
    > >
    > > I've just been through the configuration again with and compared it to

    both
    > > a working configuration and to a sample Cisco configuration
    > >

    (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuratio
    > > n_example09186a0080093f89.shtml). With that new line I suggested it

    should
    > > just work - could you do a 'clear xlate' on the box and test it again -

    the
    > > clear xlate command will kill all connections that are active on the

    unit.
    > >
    > > If this doesnt work can you repost the new configuration maybe there is
    > > something else stopping it now that wasnt there in your previous post.
    > >
    > > Regards,
    > >
    > > Scott.
    > >
    > > "GKurcon" <> wrote in message
    > > news:...
    > > > Thanks for the tip. I added this line to the config but still no
    > > > luck. A consultant that I work with suggested that I add this:
    > > >
    > > > static (inside,outside) 172.168.101.0 192.168.1.0 netmask
    > > > 255.255.255.0 0 0
    > > >
    > > > But when I add this, the only result is all devices on the 192.168.1.0
    > > > subnet are unable to get out to the internet, I have to reboot the PIX
    > > > and also the remote PIX.
    > > >
    > > > I tried removing this line, but it didn't seem to make a difference
    > > > either:
    > > >
    > > >
    > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    > > >
    > > > This seems like it should be a relatively easy thing to set up, any
    > > > ideas of what I am missing? Thanks.
    > > >
    > > > "scott enwright" <0spam.net.au> wrote in

    > > message news:<WxeIb.70433$>...
    > > > > G'day,
    > > > >
    > > > > I assume when you connect using PPTP you receive an address from the

    > > pool
    > > > > pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being

    excluded
    > > > > from the NAT process so it's being translated. To correct this you

    need
    > > to
    > > > > make access-list 111 the following:
    > > > >
    > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > > > 255.255.255.0
    > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0

    > > 255.255.255.0
    > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    > > > > 255.255.255.0
    > > > >
    > > > > The last line is new and stops pptp traffic from being natted.
    > > > >
    > > > > Scott.
    > > > >
    > > > >
    > > > > "GKurcon" <> wrote in message
    > > > > news:...
    > > > > > I need to connect to a PIX 501 running 6.2(2)with either the Cisco

    VPN
    > > > > > client or a Windows built in PPTP client. I can connect with

    either
    > > > > > of these clients, but am not able to access anything on the inside
    > > > > > subnet (192.168.1.x). We do have a site to site VPN established

    with
    > > > > > another PIX 501 as well, which works fine. Right now it is not
    > > > > > necessary for me to access the remote side (192.168.2.x), as I

    have
    > > > > > read that there are issues with attempting to do so. I just want

    to
    > > > > > connect to the PIX and get to the 192.168.1.x resources. What do

    I
    > > > > > need to change in the config to accomplish this?? (I realize that

    I
    > > > > > am a few versions behind...one step at a time :) )
    > > > > >
    > > > > > PIX Version 6.2(2)
    > > > > > nameif ethernet0 outside security0
    > > > > > nameif ethernet1 inside security100
    > > > > > enable password 4R3vD8XGO4lVLaq6 encrypted
    > > > > > passwd 2KFQnbNIdI.2KYOU encrypted
    > > > > > hostname PIX1
    > > > > > domain-name ciscopix.com
    > > > > > fixup protocol ftp 21
    > > > > > fixup protocol http 80
    > > > > > fixup protocol h323 h225 1720
    > > > > > fixup protocol h323 ras 1718-1719
    > > > > > fixup protocol ils 389
    > > > > > fixup protocol rsh 514
    > > > > > fixup protocol rtsp 554
    > > > > > fixup protocol smtp 25
    > > > > > fixup protocol sqlnet 1521
    > > > > > fixup protocol sip 5060
    > > > > > fixup protocol skinny 2000
    > > > > > names
    > > > > > access-list acl_out permit icmp any any
    > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > > > > 255.255.255.0
    > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > > > 255.255.255.0
    > > > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > > > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > > > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > > > 255.255.255.0
    > > > > > pager lines 24
    > > > > > logging on
    > > > > > interface ethernet0 10baset
    > > > > > interface ethernet1 10full
    > > > > > icmp deny any outside
    > > > > > mtu outside 1500
    > > > > > mtu inside 1500
    > > > > > ip address outside x.x.185.50 255.255.255.252
    > > > > > ip address inside 192.168.1.1 255.255.255.0
    > > > > > ip audit info action alarm
    > > > > > ip audit attack action alarm
    > > > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > > > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > > > > > pdm location 192.168.1.11 255.255.255.255 inside
    > > > > > pdm location 192.168.2.0 255.255.255.0 inside
    > > > > > pdm location 172.16.1.0 255.255.255.0 outside
    > > > > > pdm location 192.168.2.0 255.255.255.0 outside
    > > > > > pdm location 172.16.0.0 255.255.254.0 inside
    > > > > > pdm logging informational 100
    > > > > > pdm history enable
    > > > > > arp timeout 14400
    > > > > > global (outside) 1 interface
    > > > > > nat (inside) 0 access-list 111
    > > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    > > > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    > > > > > access-group 200 in interface outside
    > > > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    > > > > > timeout xlate 0:05:00
    > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > > > > timeout uauth 0:05:00 absolute
    > > > > > aaa-server TACACS+ protocol tacacs+
    > > > > > aaa-server RADIUS protocol radius
    > > > > > aaa-server LOCAL protocol local
    > > > > > http server enable
    > > > > > http 192.168.1.0 255.255.255.0 inside
    > > > > > no snmp-server location
    > > > > > no snmp-server contact
    > > > > > snmp-server community public
    > > > > > no snmp-server enable traps
    > > > > > floodguard enable
    > > > > > sysopt connection permit-ipsec
    > > > > > sysopt connection permit-pptp
    > > > > > no sysopt route dnat
    > > > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > > > > > crypto dynamic-map dynmap 10 set transform-set cityset
    > > > > > crypto map citymap 1 ipsec-isakmp
    > > > > > crypto map citymap 1 set peer x.x.184.146
    > > > > > crypto map citymap 1 set transform-set cityset
    > > > > > crypto map citymap 2 ipsec-isakmp
    > > > > > crypto map citymap 2 set transform-set cityset
    > > > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > > > > > crypto map mymap client configuration address initiate
    > > > > > crypto map mymap client configuration address respond
    > > > > > crypto map mymap interface outside
    > > > > > isakmp enable outside
    > > > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    > > > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > > > > > isakmp identity address
    > > > > > isakmp client configuration address-pool local ciscovpn outside
    > > > > > isakmp policy 8 authentication pre-share
    > > > > > isakmp policy 8 encryption des
    > > > > > isakmp policy 8 hash md5
    > > > > > isakmp policy 8 group 1
    > > > > > isakmp policy 8 lifetime 86400
    > > > > > isakmp policy 10 authentication pre-share
    > > > > > isakmp policy 10 encryption des
    > > > > > isakmp policy 10 hash md5
    > > > > > isakmp policy 10 group 2
    > > > > > isakmp policy 10 lifetime 86400
    > > > > > vpngroup ctvpn address-pool ciscovpn
    > > > > > vpngroup ctvpn dns-server x.x.226.13
    > > > > > vpngroup ctvpn split-tunnel 201
    > > > > > vpngroup ctvpn idle-time 7200
    > > > > > vpngroup ctvpn password ********
    > > > > > vpngroup pgmr address-pool ciscovpn
    > > > > > vpngroup pgmr dns-server x.x.226.13
    > > > > > vpngroup pgmr idle-time 1800
    > > > > > vpngroup pgmr password ********
    > > > > > telnet 192.168.2.0 255.255.255.0 outside
    > > > > > telnet 192.168.2.0 255.255.255.0 inside
    > > > > > telnet 192.168.1.0 255.255.255.0 inside
    > > > > > telnet 192.168.1.1 255.255.255.255 inside
    > > > > > telnet timeout 5
    > > > > > ssh timeout 5
    > > > > > vpdn group 1 accept dialin pptp
    > > > > > vpdn group 1 ppp authentication pap
    > > > > > vpdn group 1 ppp authentication chap
    > > > > > vpdn group 1 ppp authentication mschap
    > > > > > vpdn group 1 ppp encryption mppe 40
    > > > > > vpdn group 1 client configuration address local pptp-pool
    > > > > > vpdn group 1 pptp echo 60
    > > > > > vpdn group 1 client authentication local
    > > > > > vpdn username scsadmin password ********
    > > > > > vpdn username cisco password ********
    > > > > > vpdn username gkurcon password ********
    > > > > > vpdn enable outside
    > > > > > vpdn enable inside
    > > > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
    > > > > > terminal width 80
    > > > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
     
    scott enwright, Jan 7, 2004
    #6
  7. GKurcon

    GKurcon Guest

    How do I remove the line:

    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

    Thanks!


    "scott enwright" <> wrote in message news:<8_SKb.81897$>...
    > Try this configuration. I have noted the changes where needed. Don't just cut
    > and paste it in as I don't have all the passwords etc. Please don't save this
    > configuration, just test it and let me know how it goes. If it doesn't work
    > please turn on the following debugs and enable "terminal monitor" (and maybe
    > "logging monitor debugging") so we can see what's going on with the following
    > debugging options enabled:
    >
    > debug ppp io
    > debug ppp error
    > debug vpdn error
    > debug vpdn packet
    > debug vpdn events
    > debug ppp uauth
    >
    > Please repost the configuration before losing it so we can see *definitely*
    > what it was.
    >
    > ------------------------------------------------------------
    >
    > PIX Version 6.2(2)
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 4R3vD8XGO4lVLaq6 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname newburghcityhall
    > domain-name ciscopix.com
    > fixup protocol ftp 21
    > fixup protocol http 80
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol sip 5060
    > fixup protocol skinny 2000
    > names
    > access-list acl_out permit icmp any any
    > !--- Access list 110 added - please change the <destination subnet> to
    > !--- suit the site-to-site connection. This connection must be broken
    > !--- at the moment or it is being initiated from the other end.
    > access-list 110 permit ip 192.168.1.0 255.255.255.0 <destination subnet> 255.255.255.0
    > !-- end of newly added lines
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0
    > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    > pager lines 24
    > logging on
    > interface ethernet0 10baset
    > interface ethernet1 10full
    > icmp deny any outside
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside x.x.185.50 255.255.255.252
    > ip address inside 192.168.1.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > pdm location 192.168.1.11 255.255.255.255 inside
    > pdm location 192.168.2.0 255.255.255.0 inside
    > pdm location 172.16.1.0 255.255.255.0 outside
    > pdm location 192.168.2.0 255.255.255.0 outside
    > pdm location 172.16.0.0 255.255.254.0 inside
    > pdm location 172.16.101.0 255.255.255.0 outside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list 111
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    > access-group 200 in interface outside
    > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > no sysopt route dnat
    > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > !------------ Changes made in here ----------------------
    > crypto dynamic-map dynmap 30 set transform-set cityset
    > crypto map citymap 10 ipsec-isakmp
    > crypto map citymap 10 match address 110
    > crypto map citymap 10 set peer x.x.184.146
    > crypto map citymap 10 set transform-set cityset
    > crypto map citymap 20 ipsec-isakmp dynamic dynmap
    > crypto map citymap interface outside
    > !----------- end of changes - note some lines deleted as well:)
    > isakmp enable outside
    > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    > !--- The line below is not needed please remove it
    > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > isakmp identity address
    > isakmp client configuration address-pool local ciscovpn outside
    > isakmp policy 8 authentication pre-share
    > isakmp policy 8 encryption des
    > isakmp policy 8 hash md5
    > isakmp policy 8 group 1
    > isakmp policy 8 lifetime 86400
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup ctvpn address-pool ciscovpn
    > vpngroup ctvpn dns-server x.x.226.13
    > vpngroup ctvpn split-tunnel 201
    > vpngroup ctvpn idle-time 7200
    > vpngroup ctvpn password ********
    > vpngroup pgmr address-pool ciscovpn
    > vpngroup pgmr dns-server x.x.226.13
    > vpngroup pgmr idle-time 1800
    > vpngroup pgmr password ********
    > vpngroup testvpn address-pool ciscovpn
    > vpngroup testvpn idle-time 1800
    > vpngroup testvpn password ********
    > telnet 192.168.2.0 255.255.255.0 outside
    > telnet 192.168.2.0 255.255.255.0 inside
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet 192.168.1.1 255.255.255.255 inside
    > telnet timeout 5
    > ssh timeout 5
    > vpdn group 1 accept dialin pptp
    > vpdn group 1 ppp authentication pap
    > vpdn group 1 ppp authentication chap
    > vpdn group 1 ppp authentication mschap
    > !--- The line below is not needed please remove it
    > vpdn group 1 ppp encryption mppe 40
    > vpdn group 1 client configuration address local pptp-pool
    > vpdn group 1 client configuration dns 192.168.1.11
    > !--- The line below is not needed please remove it
    > vpdn group 1 pptp echo 60
    > vpdn group 1 client authentication local
    > vpdn username scsadmin password ********
    > vpdn username cityhall password ********
    > vpdn username gkurcon password ********
    > vpdn enable outside
    > !--- The line below is not needed please remove it
    > vpdn enable inside
    > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    > terminal width 80
    >
    >
    >
    >
    >
    > Regards,
    >
    > Scott.
    > \|/
    > (o o)
    > ---------------------oOOO--(_)--OOOo----------------------
    > Out the 100Base-T, off the firewall, through the router, down
    > the T1, over the leased line, off the bridge, nothing but Net.
    > (Use ROT13 to see my email address)
    > .oooO Oooo.
    > ----------------------( )---( )-----------------------
    > \ ( ) /
    > \_) (_/
    >
    >
     
    GKurcon, Jan 8, 2004
    #7
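The two changes Scott's reply turns on, the pptp-pool subnet that was missing from the nat 0 access-list and the wildcard isakmp key he says to remove, as a defender-side checker rather than another config fragment. This is an added example, not code posted in the thread: it assumes a PIX 6.x config in the line forms quoted above, and the sample configs are constructed from those quoted lines.

```python
"""Audit a PIX 6.x running-config for the two remote-access VPN problems this
thread works through: a client address pool that is not excluded from NAT
(inside hosts' replies to VPN clients get translated and never come back),
and the wildcard 'isakmp key ... address 0.0.0.0 netmask 0.0.0.0' line,
which accepts the same pre-shared key from any peer address."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class PixConfig:
    pools: dict = field(default_factory=dict)        # pool name -> (first, last)
    acls: dict = field(default_factory=dict)         # ACL name -> [(src_net, dst_net)]
    nat_exempt_acls: list = field(default_factory=list)  # ACLs referenced by 'nat (x) 0'
    wildcard_keys: list = field(default_factory=list)    # isakmp key lines for any peer


POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
ISAKMP_KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)")


def _operand(tokens):
    """Consume one ACL address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pick out only the lines the audit needs; everything else is ignored."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            cfg.pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACL_IP_RE.match(line):
            src, rest = _operand(m[2].split())
            dst, _ = _operand(rest)
            cfg.acls.setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            cfg.nat_exempt_acls.append(m[1])
        elif m := ISAKMP_KEY_RE.match(line):
            if m[1] == "0.0.0.0" and m[2] == "0.0.0.0":
                cfg.wildcard_keys.append(line)
    return cfg


def pools_not_nat_exempt(cfg):
    """Names of pools whose whole range is not a destination in any 'nat 0' ACL.
    Inside-to-client traffic matching such an ACL bypasses NAT; a pool that
    matches nothing gets translated, which is the symptom in the thread."""
    exempt = [dst for name in cfg.nat_exempt_acls for _, dst in cfg.acls.get(name, [])]
    return [name for name, (first, last) in cfg.pools.items()
            if not any(first in net and last in net for net in exempt)]


def audit(text):
    cfg = parse_config(text)
    findings = [f"pool {p} is not in the nat 0 access-list: client traffic is NATted"
                for p in pools_not_nat_exempt(cfg)]
    findings += [f"pre-shared key accepted from any peer: {k}" for k in cfg.wildcard_keys]
    return findings


# Constructed excerpt of the config as originally posted; 'x.x.' is the
# thread's own redaction and is only ever compared as a string here.
BEFORE = """\
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 200 permit tcp any host x.x.185.50 eq 5632
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""

# The same excerpt with Scott's two changes applied: the pptp-pool subnet added
# to access-list 111 and the wildcard key removed.
AFTER = BEFORE.replace(
    "nat (inside) 0 access-list 111",
    "access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0\n"
    "nat (inside) 0 access-list 111",
).replace("isakmp key ******** address 0.0.0.0 netmask 0.0.0.0\n", "")

if __name__ == "__main__":
    for label, cfg_text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg_text) or ["no findings"])
```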
  8. Just put a "no" in front, like so:

    no isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/


    "GKurcon" <> wrote in message
    news:...
    > How do I remove the line:
    >
    > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    >
    > Thanks!
    >
    >
    > "scott enwright" <> wrote in message news:<8_SKb.81897$>...
    > > Try this configuration. I have noted the changes where needed. Don't just cut
    > > and paste it in as I don't have all the passwords etc. Please don't save this
    > > configuration, just test it and let me know how it goes. If it doesn't work
    > > please turn on the following debugs and enable "terminal monitor" (and maybe
    > > "logging monitor debugging") so we can see what's going on with the following
    > > debugging options enabled:
    > >
    > > debug ppp io
    > > debug ppp error
    > > debug vpdn error
    > > debug vpdn packet
    > > debug vpdn events
    > > debug ppp uauth
    > >
    > > Please repost the configuration before losing it so we can see *definitely*
    > > what it was.
    > >
    > > ------------------------------------------------------------
    > >
    > > PIX Version 6.2(2)
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > enable password 4R3vD8XGO4lVLaq6 encrypted
    > > passwd 2KFQnbNIdI.2KYOU encrypted
    > > hostname newburghcityhall
    > > domain-name ciscopix.com
    > > fixup protocol ftp 21
    > > fixup protocol http 80
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol ils 389
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > fixup protocol sip 5060
    > > fixup protocol skinny 2000
    > > names
    > > access-list acl_out permit icmp any any
    > > !--- Access list 110 added - please change the <destination subnet> to
    > > !--- suit the site-to-site connection. This connection must be broken
    > > !--- at the moment or it is being initiated from the other end.
    > > access-list 110 permit ip 192.168.1.0 255.255.255.0 <destination subnet> 255.255.255.0
    > > !--- end of newly added lines
    > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > 255.255.255.0
    > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    > > 255.255.255.0
    > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    > > pager lines 24
    > > logging on
    > > interface ethernet0 10baset
    > > interface ethernet1 10full
    > > icmp deny any outside
    > > mtu outside 1500
    > > mtu inside 1500
    > > ip address outside x.x.185.50 255.255.255.252
    > > ip address inside 192.168.1.1 255.255.255.0
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > > pdm location 192.168.1.11 255.255.255.255 inside
    > > pdm location 192.168.2.0 255.255.255.0 inside
    > > pdm location 172.16.1.0 255.255.255.0 outside
    > > pdm location 192.168.2.0 255.255.255.0 outside
    > > pdm location 172.16.0.0 255.255.254.0 inside
    > > pdm location 172.16.101.0 255.255.255.0 outside
    > > pdm logging informational 100
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 0 access-list 111
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11
    > > pcanywhere-data netmask 255.255.255.255 0 20
    > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask
    > > 255.255.255.255 0 0
    > > access-group 200 in interface outside
    > > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
    > > timeout xlate 0:05:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    > > 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > http server enable
    > > http 192.168.1.0 255.255.255.0 inside
    > > no snmp-server location
    > > no snmp-server contact
    > > snmp-server community public
    > > no snmp-server enable traps
    > > floodguard enable
    > > sysopt connection permit-ipsec
    > > sysopt connection permit-pptp
    > > no sysopt route dnat
    > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > > !------------ Changes made in here ----------------------
    > > crypto dynamic-map dynmap 30 set transform-set cityset
    > > crypto map citymap 10 ipsec-isakmp
    > > crypto map citymap 10 match address 110
    > > crypto map citymap 10 set peer x.x.184.146
    > > crypto map citymap 10 set transform-set cityset
    > > crypto map citymap 20 ipsec-isakmp dynamic dynmap
    > > crypto map citymap interface outside
    > > !----------- end of changes - note some lines deleted as well:)
    > > isakmp enable outside
    > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth
    > > no-config-mode
    > > !--- The line below is not needed please remove it
    > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > > isakmp identity address
    > > isakmp client configuration address-pool local ciscovpn outside
    > > isakmp policy 8 authentication pre-share
    > > isakmp policy 8 encryption des
    > > isakmp policy 8 hash md5
    > > isakmp policy 8 group 1
    > > isakmp policy 8 lifetime 86400
    > > isakmp policy 10 authentication pre-share
    > > isakmp policy 10 encryption des
    > > isakmp policy 10 hash md5
    > > isakmp policy 10 group 2
    > > isakmp policy 10 lifetime 86400
    > > vpngroup ctvpn address-pool ciscovpn
    > > vpngroup ctvpn dns-server x.x.226.13
    > > vpngroup ctvpn split-tunnel 201
    > > vpngroup ctvpn idle-time 7200
    > > vpngroup ctvpn password ********
    > > vpngroup pgmr address-pool ciscovpn
    > > vpngroup pgmr dns-server x.x.226.13
    > > vpngroup pgmr idle-time 1800
    > > vpngroup pgmr password ********
    > > vpngroup testvpn address-pool ciscovpn
    > > vpngroup testvpn idle-time 1800
    > > vpngroup testvpn password ********
    > > telnet 192.168.2.0 255.255.255.0 outside
    > > telnet 192.168.2.0 255.255.255.0 inside
    > > telnet 192.168.1.0 255.255.255.0 inside
    > > telnet 192.168.1.1 255.255.255.255 inside
    > > telnet timeout 5
    > > ssh timeout 5
    > > vpdn group 1 accept dialin pptp
    > > vpdn group 1 ppp authentication pap
    > > vpdn group 1 ppp authentication chap
    > > vpdn group 1 ppp authentication mschap
    > > !--- The line below is not needed please remove it
    > > vpdn group 1 ppp encryption mppe 40
    > > vpdn group 1 client configuration address local pptp-pool
    > > vpdn group 1 client configuration dns 192.168.1.11
    > > !--- The line below is not needed please remove it
    > > vpdn group 1 pptp echo 60
    > > vpdn group 1 client authentication local
    > > vpdn username scsadmin password ********
    > > vpdn username cityhall password ********
    > > vpdn username gkurcon password ********
    > > vpdn enable outside
    > > !--- The line below is not needed please remove it
    > > vpdn enable inside
    > > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    > > terminal width 80
    > >
    > >
    > >
    > >
    > >
    > > Regards,
    > >
    > > Scott.
    > > \|/
    > > (o o)
    > > ---------------------oOOO--(_)--OOOo----------------------
    > > Out the 100Base-T, off the firewall, through the router, down
    > > the T1, over the leased line, off the bridge, nothing but Net.
    > > (Use ROT13 to see my email address)
    > > .oooO Oooo.
    > > ----------------------( )---( )-----------------------
    > > \ ( ) /
    > > \_) (_/
    > >
    > >
    > > "GKurcon" <> wrote in message
    > > news:...
    > > > Ok, tried the clear xlate command, it killed all connections but I
    > > > still was not able to get to the 192.168.1.x subnet. I am still able
    > > > to connect with either the VPN client (ver 3.6) or the Windows built
    > > > in dialer, but not able to route over to the 192.168.1.x network.
    > > > Here is the current config. Thanks for the continued support:
    > > >
    > > > PIX Version 6.2(2)
    > > > nameif ethernet0 outside security0
    > > > nameif ethernet1 inside security100
    > > > enable password 4R3vD8XGO4lVLaq6 encrypted
    > > > passwd 2KFQnbNIdI.2KYOU encrypted
    > > > hostname newburghcityhall
    > > > domain-name ciscopix.com
    > > > fixup protocol ftp 21
    > > > fixup protocol http 80
    > > > fixup protocol h323 h225 1720
    > > > fixup protocol h323 ras 1718-1719
    > > > fixup protocol ils 389
    > > > fixup protocol rsh 514
    > > > fixup protocol rtsp 554
    > > > fixup protocol smtp 25
    > > > fixup protocol sqlnet 1521
    > > > fixup protocol sip 5060
    > > > fixup protocol skinny 2000
    > > > names
    > > > access-list acl_out permit icmp any any
    > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > > 255.255.255.0
    > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > 255.255.255.0
    > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    > > > 255.255.255.0
    > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > 255.255.255.0
    > > > pager lines 24
    > > > logging on
    > > > interface ethernet0 10baset
    > > > interface ethernet1 10full
    > > > icmp deny any outside
    > > > mtu outside 1500
    > > > mtu inside 1500
    > > > ip address outside x.x.185.50 255.255.255.252
    > > > ip address inside 192.168.1.1 255.255.255.0
    > > > ip audit info action alarm
    > > > ip audit attack action alarm
    > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > > > pdm location 192.168.1.11 255.255.255.255 inside
    > > > pdm location 192.168.2.0 255.255.255.0 inside
    > > > pdm location 172.16.1.0 255.255.255.0 outside
    > > > pdm location 192.168.2.0 255.255.255.0 outside
    > > > pdm location 172.16.0.0 255.255.254.0 inside
    > > > pdm location 172.16.101.0 255.255.255.0 outside
    > > > pdm logging informational 100
    > > > pdm history enable
    > > > arp timeout 14400
    > > > global (outside) 1 interface
    > > > nat (inside) 0 access-list 111
    > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    > > > access-group 200 in interface outside
    > > > route outside 0.0.0.0 0.0.0.0 24.97.185.49 1
    > > > timeout xlate 0:05:00
    > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > > timeout uauth 0:05:00 absolute
    > > > aaa-server TACACS+ protocol tacacs+
    > > > aaa-server RADIUS protocol radius
    > > > aaa-server LOCAL protocol local
    > > > http server enable
    > > > http 192.168.1.0 255.255.255.0 inside
    > > > no snmp-server location
    > > > no snmp-server contact
    > > > snmp-server community public
    > > > no snmp-server enable traps
    > > > floodguard enable
    > > > sysopt connection permit-ipsec
    > > > sysopt connection permit-pptp
    > > > no sysopt route dnat
    > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > > > crypto dynamic-map dynmap 10 set transform-set cityset
    > > > crypto map citymap 1 ipsec-isakmp
    > > > crypto map citymap 1 set peer x.x.184.146
    > > > crypto map citymap 1 set transform-set cityset
    > > > crypto map citymap 2 ipsec-isakmp
    > > > crypto map citymap 2 set transform-set cityset
    > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > > > crypto map mymap client configuration address initiate
    > > > crypto map mymap client configuration address respond
    > > > crypto map mymap interface outside
    > > > isakmp enable outside
    > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > > > isakmp identity address
    > > > isakmp client configuration address-pool local ciscovpn outside
    > > > isakmp policy 8 authentication pre-share
    > > > isakmp policy 8 encryption des
    > > > isakmp policy 8 hash md5
    > > > isakmp policy 8 group 1
    > > > isakmp policy 8 lifetime 86400
    > > > isakmp policy 10 authentication pre-share
    > > > isakmp policy 10 encryption des
    > > > isakmp policy 10 hash md5
    > > > isakmp policy 10 group 2
    > > > isakmp policy 10 lifetime 86400
    > > > vpngroup ctvpn address-pool ciscovpn
    > > > vpngroup ctvpn dns-server x.x.226.13
    > > > vpngroup ctvpn split-tunnel 201
    > > > vpngroup ctvpn idle-time 7200
    > > > vpngroup ctvpn password ********
    > > > vpngroup pgmr address-pool ciscovpn
    > > > vpngroup pgmr dns-server x.x.226.13
    > > > vpngroup pgmr idle-time 1800
    > > > vpngroup pgmr password ********
    > > > vpngroup testvpn address-pool ciscovpn
    > > > vpngroup testvpn idle-time 1800
    > > > vpngroup testvpn password ********
    > > > telnet 192.168.2.0 255.255.255.0 outside
    > > > telnet 192.168.2.0 255.255.255.0 inside
    > > > telnet 192.168.1.0 255.255.255.0 inside
    > > > telnet 192.168.1.1 255.255.255.255 inside
    > > > telnet timeout 5
    > > > ssh timeout 5
    > > > vpdn group 1 accept dialin pptp
    > > > vpdn group 1 ppp authentication pap
    > > > vpdn group 1 ppp authentication chap
    > > > vpdn group 1 ppp authentication mschap
    > > > vpdn group 1 ppp encryption mppe 40
    > > > vpdn group 1 client configuration address local pptp-pool
    > > > vpdn group 1 client configuration dns 192.168.1.11
    > > > vpdn group 1 pptp echo 60
    > > > vpdn group 1 client authentication local
    > > > vpdn username scsadmin password ********
    > > > vpdn username cityhall password ********
    > > > vpdn username gkurcon password ********
    > > > vpdn enable outside
    > > > vpdn enable inside
    > > > username cityhall password 2J6.dR4Av1kpERLo encrypted privilege 2
    > > > terminal width 80
    > > > Cryptochecksum:9d077096c3b18daec412525f083931d9
    > > >
    > > > "scott enwright" <0spam.net.au> wrote in
    > > > message news:<etQIb.72741$>...
    > > > > G'day,
    > > > >
    > > > > I've just been through the configuration again and compared it to both
    > > > > a working configuration and to a sample Cisco configuration
    > > > > (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml).
    > > > > With that new line I suggested it should just work - could you do a
    > > > > 'clear xlate' on the box and test it again - the clear xlate command
    > > > > will kill all connections that are active on the unit.
    > > > >
    > > > > If this doesn't work can you repost the new configuration, maybe there
    > > > > is something else stopping it now that wasn't there in your previous
    > > > > post.
    > > > >
    > > > > Regards,
    > > > >
    > > > > Scott.
    > > > >
    > > > > "GKurcon" <> wrote in message
    > > > > news:...
    > > > > > Thanks for the tip. I added this line to the config but still no
    > > > > > luck. A consultant that I work with suggested that I add this:
    > > > > >
    > > > > > static (inside,outside) 172.168.101.0 192.168.1.0 netmask
    > > > > > 255.255.255.0 0 0
    > > > > >
    > > > > > But when I add this, the only result is all devices on the 192.168.1.0
    > > > > > subnet are unable to get out to the internet, I have to reboot the PIX
    > > > > > and also the remote PIX.
    > > > > >
    > > > > > I tried removing this line, but it didn't seem to make a difference
    > > > > > either:
    > > > > >
    > > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    > > > > >
    > > > > > This seems like it should be a relatively easy thing to set up, any
    > > > > > ideas of what I am missing? Thanks.
    > > > > >
    > > > > > "scott enwright" <0spam.net.au> wrote in
    > > > > > message news:<WxeIb.70433$>...
    > > > > > > G'day,
    > > > > > >
    > > > > > > I assume when you connect using PPTP you receive an address from the
    > > > > > > pool pptp-pool (172.16.101.1-172.16.101.14)? This pool is not being
    > > > > > > excluded from the NAT process so it's being translated. To correct this
    > > > > > > you need to make access-list 111 the following:
    > > > > > >
    > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    > > > > > > 255.255.255.0
    > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0
    > > > > > > 255.255.255.0
    > > > > > >
    > > > > > > The last line is new and stops pptp traffic from being natted.
    > > > > > >
    > > > > > > Scott.
    > > > > > >
    > > > > > >
    > > > > > > "GKurcon" <> wrote in message
    > > > > > > news:...
    > > > > > > > I need to connect to a PIX 501 running 6.2(2) with either the Cisco VPN
    > > > > > > > client or a Windows built in PPTP client. I can connect with either
    > > > > > > > of these clients, but am not able to access anything on the inside
    > > > > > > > subnet (192.168.1.x). We do have a site to site VPN established with
    > > > > > > > another PIX 501 as well, which works fine. Right now it is not
    > > > > > > > necessary for me to access the remote side (192.168.2.x), as I have
    > > > > > > > read that there are issues with attempting to do so. I just want to
    > > > > > > > connect to the PIX and get to the 192.168.1.x resources. What do I
    > > > > > > > need to change in the config to accomplish this?? (I realize that I
    > > > > > > > am a few versions behind...one step at a time :) )
    > > > > > > >
    > > > > > > > PIX Version 6.2(2)
    > > > > > > > nameif ethernet0 outside security0
    > > > > > > > nameif ethernet1 inside security100
    > > > > > > > enable password 4R3vD8XGO4lVLaq6 encrypted
    > > > > > > > passwd 2KFQnbNIdI.2KYOU encrypted
    > > > > > > > hostname PIX1
    > > > > > > > domain-name ciscopix.com
    > > > > > > > fixup protocol ftp 21
    > > > > > > > fixup protocol http 80
    > > > > > > > fixup protocol h323 h225 1720
    > > > > > > > fixup protocol h323 ras 1718-1719
    > > > > > > > fixup protocol ils 389
    > > > > > > > fixup protocol rsh 514
    > > > > > > > fixup protocol rtsp 554
    > > > > > > > fixup protocol smtp 25
    > > > > > > > fixup protocol sqlnet 1521
    > > > > > > > fixup protocol sip 5060
    > > > > > > > fixup protocol skinny 2000
    > > > > > > > names
    > > > > > > > access-list acl_out permit icmp any any
    > > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    > > > > > > > access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > > > > > 255.255.255.0
    > > > > > > > access-list 200 permit tcp any host x.x.185.50 eq pcanywhere-data
    > > > > > > > access-list 200 permit tcp any host x.x.185.50 eq 5632
    > > > > > > > access-list 201 permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    > > > > > > > 255.255.255.0
    > > > > > > > pager lines 24
    > > > > > > > logging on
    > > > > > > > interface ethernet0 10baset
    > > > > > > > interface ethernet1 10full
    > > > > > > > icmp deny any outside
    > > > > > > > mtu outside 1500
    > > > > > > > mtu inside 1500
    > > > > > > > ip address outside x.x.185.50 255.255.255.252
    > > > > > > > ip address inside 192.168.1.1 255.255.255.0
    > > > > > > > ip audit info action alarm
    > > > > > > > ip audit attack action alarm
    > > > > > > > ip local pool ciscovpn 172.16.1.1-172.16.1.20
    > > > > > > > ip local pool pptp-pool 172.16.101.1-172.16.101.14
    > > > > > > > pdm location 192.168.1.11 255.255.255.255 inside
    > > > > > > > pdm location 192.168.2.0 255.255.255.0 inside
    > > > > > > > pdm location 172.16.1.0 255.255.255.0 outside
    > > > > > > > pdm location 192.168.2.0 255.255.255.0 outside
    > > > > > > > pdm location 172.16.0.0 255.255.254.0 inside
    > > > > > > > pdm logging informational 100
    > > > > > > > pdm history enable
    > > > > > > > arp timeout 14400
    > > > > > > > global (outside) 1 interface
    > > > > > > > nat (inside) 0 access-list 111
    > > > > > > > nat (inside) 1 172.16.0.0 255.255.254.0 0 0
    > > > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > > > > > static (inside,outside) tcp interface pcanywhere-data 192.168.1.11 pcanywhere-data netmask 255.255.255.255 0 20
    > > > > > > > static (inside,outside) tcp interface 5632 192.168.1.11 5632 netmask 255.255.255.255 0 0
    > > > > > > > access-group 200 in interface outside
    > > > > > > > route outside 0.0.0.0 0.0.0.0 x.x.185.49 1
    > > > > > > > timeout xlate 0:05:00
    > > > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > > > > > > timeout uauth 0:05:00 absolute
    > > > > > > > aaa-server TACACS+ protocol tacacs+
    > > > > > > > aaa-server RADIUS protocol radius
    > > > > > > > aaa-server LOCAL protocol local
    > > > > > > > http server enable
    > > > > > > > http 192.168.1.0 255.255.255.0 inside
    > > > > > > > no snmp-server location
    > > > > > > > no snmp-server contact
    > > > > > > > snmp-server community public
    > > > > > > > no snmp-server enable traps
    > > > > > > > floodguard enable
    > > > > > > > sysopt connection permit-ipsec
    > > > > > > > sysopt connection permit-pptp
    > > > > > > > no sysopt route dnat
    > > > > > > > crypto ipsec transform-set cityset esp-des esp-md5-hmac
    > > > > > > > crypto dynamic-map dynmap 10 set transform-set cityset
    > > > > > > > crypto map citymap 1 ipsec-isakmp
    > > > > > > > crypto map citymap 1 set peer x.x.184.146
    > > > > > > > crypto map citymap 1 set transform-set cityset
    > > > > > > > crypto map citymap 2 ipsec-isakmp
    > > > > > > > crypto map citymap 2 set transform-set cityset
    > > > > > > > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > > > > > > > crypto map mymap client configuration address initiate
    > > > > > > > crypto map mymap client configuration address respond
    > > > > > > > crypto map mymap interface outside
    > > > > > > > isakmp enable outside
    > > > > > > > isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
    > > > > > > > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > > > > > > > isakmp identity address
    > > > > > > > isakmp client configuration address-pool local ciscovpn outside
    > > > > > > > isakmp policy 8 authentication pre-share
    > > > > > > > isakmp policy 8 encryption des
    > > > > > > > isakmp policy 8 hash md5
    > > > > > > > isakmp policy 8 group 1
    > > > > > > > isakmp policy 8 lifetime 86400
    > > > > > > > isakmp policy 10 authentication pre-share
    > > > > > > > isakmp policy 10 encryption des
    > > > > > > > isakmp policy 10 hash md5
    > > > > > > > isakmp policy 10 group 2
    > > > > > > > isakmp policy 10 lifetime 86400
    > > > > > > > vpngroup ctvpn address-pool ciscovpn
    > > > > > > > vpngroup ctvpn dns-server x.x.226.13
    > > > > > > > vpngroup ctvpn split-tunnel 201
    > > > > > > > vpngroup ctvpn idle-time 7200
    > > > > > > > vpngroup ctvpn password ********
    > > > > > > > vpngroup pgmr address-pool ciscovpn
    > > > > > > > vpngroup pgmr dns-server x.x.226.13
    > > > > > > > vpngroup pgmr idle-time 1800
    > > > > > > > vpngroup pgmr password ********
    > > > > > > > telnet 192.168.2.0 255.255.255.0 outside
    > > > > > > > telnet 192.168.2.0 255.255.255.0 inside
    > > > > > > > telnet 192.168.1.0 255.255.255.0 inside
    > > > > > > > telnet 192.168.1.1 255.255.255.255 inside
    > > > > > > > telnet timeout 5
    > > > > > > > ssh timeout 5
    > > > > > > > vpdn group 1 accept dialin pptp
    > > > > > > > vpdn group 1 ppp authentication pap
    > > > > > > > vpdn group 1 ppp authentication chap
    > > > > > > > vpdn group 1 ppp authentication mschap
    > > > > > > > vpdn group 1 ppp encryption mppe 40
    > > > > > > > vpdn group 1 client configuration address local pptp-pool
    > > > > > > > vpdn group 1 pptp echo 60
    > > > > > > > vpdn group 1 client authentication local
    > > > > > > > vpdn username scsadmin password ********
    > > > > > > > vpdn username cisco password ********
    > > > > > > > vpdn username gkurcon password ********
    > > > > > > > vpdn enable outside
    > > > > > > > vpdn enable inside
    > > > > > > > username cisco password 2J6.dR4Av1kpERLo encrypted privilege 2
    > > > > > > > terminal width 80
    > > > > > > > Cryptochecksum:e62274b3c71e69f4fe95b9693b1ad1b4
     
    scott enwright, Jan 9, 2004
    #8
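As an added example (not code from the thread or from Cisco), the audit below parses the kind of PIX 6.x fragments posted here and reports every address pool that the nat 0 exemption ACL does not cover, which is exactly the PPTP-pool problem Scott diagnosed, and counts the wildcard pre-shared key he asked to have removed. SAMPLE_CONFIG is constructed from the posted fragments (x.x.* placeholders kept) and the function names are mine.

```python
"""Audit PIX 6.x config fragments for the two remote-access VPN issues raised
in this thread. Added example, not from the thread; SAMPLE_CONFIG is built
from the fragments posted and the function names are the author's own.

Check 1: every 'ip local pool' range must fall inside a destination network
         of the ACL named by 'nat (inside) 0 access-list' (NAT exemption).
         A pool left out is translated on the return path, which is why the
         PPTP clients could connect but never reach 192.168.1.x.
Check 2: 'isakmp key ... address 0.0.0.0 netmask 0.0.0.0' is the wildcard
         pre-shared key for any peer address; Scott notes it is not needed
         here and asks for it to be removed.
"""
import ipaddress
import re

# Constructed from the thread's fragments; x.x.184.146 is the redacted peer.
SAMPLE_CONFIG = """\
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip local pool ciscovpn 172.16.1.1-172.16.1.20
ip local pool pptp-pool 172.16.101.1-172.16.101.14
nat (inside) 0 access-list 111
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp key ******** address x.x.184.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
"""
# The line Scott added to fix the PPTP pool (exempts 172.16.101.0/24 from NAT).
FIX_LINE = "access-list 111 permit ip 192.168.1.0 255.255.255.0 172.16.101.0 255.255.255.0\n"

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
# Only the 'permit ip <net> <mask> <net> <mask>' form used in the thread is
# parsed; 'host' and 'any' forms are ignored by this example.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
WILDCARD_KEY_RE = re.compile(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0")


def parse(config):
    """Return (pools, nat0_acl_names, acl_destinations, wildcard_key_count)."""
    pools, nat0_acls, acls, wildcard_keys = {}, [], {}, 0
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m.group(2))
        elif m := ACL_RE.match(line):
            acl, _src, _smask, dst, dmask = m.groups()
            acls.setdefault(acl, []).append(ipaddress.IPv4Network((dst, dmask)))
        elif WILDCARD_KEY_RE.match(line):
            wildcard_keys += 1
    return pools, nat0_acls, acls, wildcard_keys


def pools_missing_nat_exemption(config):
    """Names of address pools not fully covered by the nat 0 ACL's destinations."""
    pools, nat0_acls, acls, _ = parse(config)
    exempt = [net for acl in nat0_acls for net in acls.get(acl, [])]
    return sorted(
        name for name, (first, last) in pools.items()
        if not any(first in net and last in net for net in exempt)
    )


def wildcard_preshared_keys(config):
    """Count of 'isakmp key ... address 0.0.0.0 netmask 0.0.0.0' lines."""
    return parse(config)[3]


if __name__ == "__main__":
    print("pools not NAT-exempt:", pools_missing_nat_exemption(SAMPLE_CONFIG))
    print("after Scott's fix:", pools_missing_nat_exemption(SAMPLE_CONFIG + FIX_LINE))
    print("wildcard pre-shared keys:", wildcard_preshared_keys(SAMPLE_CONFIG))
```

Run against the posted config it names pptp-pool as the unexempted pool; appending Scott's extra access-list 111 line clears the finding.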