VPN - Easy VPN Server (PIX 515) and Hardware Client (831 Router)

Discussion in 'Cisco' started by Al, Feb 16, 2005.

    Al (Guest)

    I'm hoping someone can help me solve a problem I've been trying to
    resolve for the last several days.

    Environment: PIX 515 - IOS 6.3(4)
    Cisco 831 Router - IOS 12.3(2)XA


    Goal: I want to set up a VPN between a Cisco 831 Router (Hardware
    Client) and a PIX 515 (Easy VPN Server)

    Problem: No traffic is able to pass beyond the outside interfaces
    between the two devices.

    Background: I have successfully terminated both software VPN clients
    (VPN Client 4.6) and Site-to-Site VPN clients to the PIX 515 in
    question. I can pass data in either of these configurations.

    In regard to the PIX 515 and the 831, the tunnel is actually
    successfully established. I can successfully ping the outside
    interface of each device. However, when I try to ping any resources
    (192.168.0.0) behind the inside interface of the PIX from the 831
    router, no traffic will pass. I cannot go the other way either.

    HELP!!

    I have included the configs from both the PIX 515 and 831. I've only
    included the code which I thought might be relevant.


    PIX 515

    interface ethernet0 100basetx
    interface ethernet1 100basetx
    interface ethernet2 100basetx
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50

    access-list acl-out permit tcp any host 198.67.37.148 eq smtp
    access-list acl-out deny ip any any
    access-list acl-in permit ip any any
    access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
    access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    access-list IDXSupport permit ip host 198.67.37.147 198.114.170.8 255.255.255.248
    access-list IDXECommerce permit ip host 198.67.37.147 204.165.247.0 255.255.255.0
    access-list acl-ipsec-protect permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
    access-list homenet permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    ip address outside 198.67.37.146 255.255.255.240
    ip address inside 192.168.15.2 255.255.255.0
    ip address dmz 10.240.240.1 255.255.255.0
    ip local pool vpn-ipsec 172.16.2.1-172.16.2.254
    global (outside) 1 198.67.37.156 netmask 255.255.255.240
    nat (inside) 0 access-list acl-vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl-out in interface outside
    access-group acl-in in interface inside
    route outside 0.0.0.0 0.0.0.0 198.168.36.145 1
    route inside 192.168.0.0 255.255.0.0 192.168.15.2 1
    aaa-server RADIUS protocol radius
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound (inside) host 192.168.15.15 ******
    sysopt connection permit-ipsec
    crypto ipsec transform-set TRIPLEDES esp-3des esp-sha-hmac
    crypto ipsec transform-set VendorTransform esp-3des esp-sha-hmac
    crypto dynamic-map RemoteAccess 99 set transform-set TRIPLEDES
    crypto map VPN 10 ipsec-isakmp
    crypto map VPN 10 match address IDXECommerce
    crypto map VPN 10 set peer 204.165.246.197
    crypto map VPN 10 set transform-set VendorTransform
    crypto map VPN 20 ipsec-isakmp
    crypto map VPN 20 match address IDXSupport
    crypto map VPN 20 set peer 192.107.146.7
    crypto map VPN 20 set transform-set VendorTransform
    crypto map VPN 99 ipsec-isakmp dynamic RemoteAccess
    crypto map VPN client authentication AuthInbound
    crypto map VPN interface outside
    isakmp enable outside
    isakmp key ***** address 192.107.146.7 netmask 255.255.255.255 no-config-mode no-xauth
    isakmp key ***** address 204.165.246.197 netmask 255.255.255.255 no-config-mode no-xauth
    isakmp identity address
    isakmp client configuration address-pool local vpn-ipsec outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 3000
    isakmp policy 99 authentication pre-share
    isakmp policy 99 encryption 3des
    isakmp policy 99 hash sha
    isakmp policy 99 group 2
    isakmp policy 99 lifetime 3000
    vpngroup default address-pool vpn-ipsec
    vpngroup default dns-server 192.168.15.10
    vpngroup default wins-server 192.168.15.11
    vpngroup default default-domain pioneermedicalgroup.local
    vpngroup default split-tunnel acl-ipsec-protect
    vpngroup default split-dns 204.97.212.10 204.117.214.10
    vpngroup default idle-time 1800
    vpngroup default max-time 3600
    vpngroup default password *****
    vpngroup hw-client address-pool vpn-ipsec
    vpngroup hw-client dns-server 192.168.15.10
    vpngroup hw-client wins-server 192.168.15.11
    vpngroup hw-client default-domain pioneermedicalgroup.local
    vpngroup hw-client split-tunnel homenet
    vpngroup hw-client split-dns 204.97.212.10 204.117.214.10
    vpngroup hw-client idle-time 86400
    vpngroup hw-client password *****



    831

    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip audit notify log
    ip audit po max-events 100

    crypto ipsec client ezvpn RemoteAccess
    connect auto
    group hw-client key *****
    mode network-extension
    peer 198.67.37.146
    username ***** password *****

    interface Ethernet0
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    crypto ipsec client ezvpn RemoteAccess inside

    interface Ethernet1
    ip address dhcp client-id Ethernet1
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    crypto ipsec client ezvpn RemoteAccess

    ip nat inside source list 102 interface Ethernet1 overload

    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    access-list 111 permit tcp any any eq www
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any
     
    Al, Feb 16, 2005
    #1
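The checks below are an added example and are not part of Al's post or of any Cisco tool. It is a small Python checker for the Easy VPN network-extension prerequisites on the PIX side: every split-tunnel ACL entry must be covered by the `nat 0` exemption ACL (otherwise the PIX translates the return traffic and it no longer matches the IPsec SA), every static-route next hop must sit on the egress interface's subnet and must not be the PIX's own interface address, and `sysopt connection permit-ipsec` must be present so decrypted traffic bypasses the outside access-group. The embedded input is copied from the PIX config in the post (only the statements the checker reads); all function and key names are mine. Run against the posted config it passes the exemption and sysopt checks and raises two route findings: the default-route gateway 198.168.36.145 is not on the outside subnet 198.67.37.144/28 (possibly a transcription slip in the post, but exactly what a static check should catch), and `route inside 192.168.0.0 255.255.0.0 192.168.15.2` points at the PIX's own inside address rather than an inside router.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Copied from the PIX 515 config posted above (only the statements these
# checks read). Replace with the output of "write terminal" from your own PIX.
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl-out permit tcp any host 198.67.37.148 eq smtp
access-list acl-out deny ip any any
access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list acl-vpn permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list acl-ipsec-protect permit ip 192.168.0.0 255.255.0.0 172.16.2.0 255.255.255.0
access-list homenet permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
ip address outside 198.67.37.146 255.255.255.240
ip address inside 192.168.15.2 255.255.255.0
ip address dmz 10.240.240.1 255.255.255.0
nat (inside) 0 access-list acl-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 198.168.36.145 1
route inside 192.168.0.0 255.255.0.0 192.168.15.2 1
sysopt connection permit-ipsec
vpngroup default split-tunnel acl-ipsec-protect
vpngroup hw-client split-tunnel homenet
"""


def _net(tok: List[str], i: int) -> Tuple[Net, int]:
    """Read one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_pix(text: str) -> Dict:
    """Pull the statements the checks need out of PIX 6.x config text."""
    cfg = {"ifaces": {}, "acls": {}, "nat0": {}, "routes": [], "split": {}, "sysopt": False}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:                      # ip address <if> <ip> <mask>
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "access-list" and t[2] == "permit" and t[3] == "ip":
            src, i = _net(t, 4)                              # only "permit ip" entries matter
            dst, _ = _net(t, i)                              # for exemption/split-tunnel checks
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]             # nat (<if>) 0 access-list <acl>
        elif t[0] == "route":                                # route <if> <net> <mask> <gw> [metric]
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                                  ipaddress.ip_address(t[4])))
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split"][t[1]] = t[3]
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt"] = True
    return cfg


def check_split_tunnel_exempt(cfg: Dict) -> List[str]:
    """Every split-tunnel entry must be inside some nat 0 exemption entry."""
    exempt = [e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])]
    findings = []
    for group, acl in cfg["split"].items():
        for src, dst in cfg["acls"].get(acl, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"vpngroup {group}: split-tunnel {src} -> {dst} has no nat 0 "
                                f"exemption; return traffic would be translated and miss the SA")
    return findings


def check_routes(cfg: Dict) -> List[str]:
    """Next hops must be on the egress interface subnet and not the PIX itself."""
    findings = []
    for iface, net, gw in cfg["routes"]:
        ifaddr = cfg["ifaces"].get(iface)
        if ifaddr is None:
            findings.append(f"route {iface} {net}: interface {iface} has no ip address")
        elif gw == ifaddr.ip:
            findings.append(f"route {iface} {net}: next hop {gw} is the PIX's own {iface} address")
        elif gw not in ifaddr.network:
            findings.append(f"route {iface} {net}: next hop {gw} is not on the {iface} "
                            f"subnet {ifaddr.network}")
    return findings


def check_sysopt(cfg: Dict) -> List[str]:
    if cfg["sysopt"]:
        return []
    return ["no 'sysopt connection permit-ipsec': decrypted traffic must be permitted "
            "explicitly by the access-group on the outside interface"]


def audit(text: str) -> List[str]:
    cfg = parse_pix(text)
    return check_split_tunnel_exempt(cfg) + check_routes(cfg) + check_sysopt(cfg)


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print("FINDING:", finding)
```

The same "translate before encrypt" ordering is worth checking on the 831: IOS applies inside-to-outside NAT before the crypto check, and access-list 102 in the post permits `10.10.10.0/24 -> any` with no `deny` for the 192.168.0.0/16 destinations. Whether the Easy VPN Remote client installs its own exemption depends on the mode and release, so rather than assume, run `show ip nat translations` on the 831 while pinging a 192.168.x host: if the 10.10.10.x source shows up translated to the Ethernet1 address, the packet can no longer match the downloaded split-tunnel policy and never enters the tunnel.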