vpngroup to pix515

Discussion in 'Cisco' started by davidspollack@gmail.com, May 18, 2006.

  1. Guest

    Hi, I'm trying to set up a cisco ipsec client connection to a pix 515
    running 6.3.3.

    The clients get authenticated, and connect fine.

    Once the vpn client tries to go to any machine on the inside
    (192.168.10.0/24) the following message is generated on the pix:

    No translation group found for tcp src <vpn ip>

    The sanitized conf is below. Any help is appreciated.
    thanks


    #############################################
    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 100full
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 failover security20
    nameif ethernet3 dmz security20
    nameif ethernet4 e4 security0
    nameif ethernet5 e5 security0
    enable password ************ encrypted
    passwd ************ encrypted
    hostname spix
    domain-name ********
    fixup protocol dns maximum-length 512
    fixup protocol domain 53
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    no fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list soc2800 permit ip host 216.74.163.199 host 65.197.254.5
    access-list soc2800 permit ip host 216.74.163.199 63.108.175.0 255.255.255.0
    access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.1
    access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.2
    access-list inside permit udp 192.168.0.0 255.255.0.0 host 216.74.163.194 eq ntp
    access-list inside permit udp 192.168.0.0 255.255.0.0 host 216.74.163.195 eq ntp
    access-list inside permit icmp any any echo
    access-list inside permit icmp any any unreachable
    access-list inside permit icmp any any source-quench
    access-list inside permit icmp any any time-exceeded
    access-list inside remark ###### allow ftp to ftp.lim.com
    access-list inside permit tcp 192.168.10.0 255.255.255.0 host 12.43.226.2 eq ftp
    access-list inside permit tcp host 192.168.10.80 any eq www
    access-list inside permit tcp host 192.168.10.80 any eq ftp
    access-list inside permit tcp host 192.168.10.80 any eq https
    access-list inside permit tcp host 192.168.10.80 any eq ssh
    access-list inside permit tcp host 192.168.10.80 any eq smtp
    access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.1
    access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.2
    access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list inside permit tcp host 192.168.10.80 any eq telnet
    access-list inside permit tcp host 192.168.10.157 any eq https
    access-list inside permit tcp host 192.168.10.156 any eq smtp
    access-list inside permit tcp host 192.168.10.156 any eq https
    access-list inside permit udp host 192.168.10.156 any eq ntp
    access-list inside permit udp host 192.168.10.157 any eq ntp
    access-list inside permit udp host 192.168.10.157 any eq domain
    access-list inside permit udp host 192.168.10.156 any eq domain
    access-list inside permit tcp host 192.168.10.157 any eq domain
    access-list inside permit tcp host 192.168.10.156 any eq domain
    access-list inside permit tcp host 192.168.10.199 any eq domain
    access-list inside permit udp host 192.168.10.199 any eq domain
    access-list inside permit tcp host 192.168.10.197 any eq domain
    access-list inside permit udp host 192.168.10.197 any eq domain
    access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq www
    access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq https
    access-list inside permit tcp 192.168.0.0 255.255.0.0 host 208.173.140.54 eq smtp
    access-list inside permit tcp host 192.168.10.199 host 192.88.69.69 eq ftp
    access-list inside permit tcp host 192.168.10.197 host 192.88.69.69 eq ftp
    access-list inside permit tcp host 192.168.10.185 any eq smtp
    access-list inside remark ##### allow all machines out to futuresource.com and xml.marketcenter.com on 4004
    access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
    access-list inside remark ###### allow specific machines out
    access-list inside permit tcp host 192.168.10.185 any eq www
    access-list inside permit tcp host 192.168.10.185 any eq https
    access-list inside permit tcp host 192.168.10.200 any eq www
    access-list inside permit tcp host 192.168.10.201 any eq www
    access-list inside permit tcp host 192.168.10.200 any eq https
    access-list inside permit tcp host 192.168.10.201 any eq https
    access-list inside permit tcp host 192.168.10.200 any eq ftp
    access-list inside permit tcp host 192.168.10.201 any eq ftp
    access-list inside remark ###### LAN --> border network
    access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192 255.255.255.224 eq telnet
    access-list inside remark #### allw VPN local pool ips
    access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any unreachable
    access-list outside permit icmp any any time-exceeded
    access-list outside permit tcp any host 216.74.163.204 eq https
    access-list outside permit tcp any host 216.74.163.204 eq www
    access-list outside permit tcp any host 216.74.163.209 eq www
    access-list outside permit tcp any host 216.74.163.209 eq https
    access-list outside permit tcp any host 216.74.163.205 eq www
    access-list outside permit tcp any host 216.74.163.205 eq https
    access-list outside permit tcp any host 216.74.163.203 eq www
    access-list outside permit tcp any host 216.74.163.203 eq https
    access-list outside permit tcp any host 216.74.163.201 eq www
    access-list outside permit tcp any host 216.74.163.201 eq https
    access-list outside permit tcp any host 216.74.146.250 eq www
    access-list outside remark ###### line 15-22 may be obsolete DSP 2.6.06
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq ssh
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq 10000
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq 8888
    access-list outside permit esp host 12.146.1.11 host 216.74.146.244
    access-list outside permit esp host 12.146.1.11 host 216.74.146.245
    access-list outside permit tcp any host 216.74.163.202 eq 24
    access-list outside permit tcp any host 216.74.146.244 eq ssh
    access-list outside permit tcp any host 216.74.146.245 eq ssh
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
    access-list dmz permit udp 216.74.146.240 255.255.255.240 host 216.74.163.194 eq ntp
    access-list dmz permit udp 216.74.146.240 255.255.255.240 host 216.74.163.195 eq ntp
    access-list dmz permit icmp any any echo
    access-list dmz permit icmp any any unreachable
    access-list dmz permit icmp any any time-exceeded
    access-list dmz permit tcp host 216.74.146.250 host 24.213.162.100 eq smtp
    access-list dmz permit tcp host 216.74.146.250 any eq domain
    access-list dmz permit udp host 216.74.146.250 any eq domain
    access-list dmz permit tcp host 216.74.146.250 any eq ssh
    access-list dmz permit udp host 216.74.146.244 host 12.146.1.11 eq isakmp
    access-list dmz permit udp host 216.74.146.245 host 12.146.1.11 eq isakmp
    access-list dmz permit esp host 216.74.146.245 host 12.146.1.11
    access-list dmz permit esp host 216.74.146.244 host 12.146.1.11
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq ssh
    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list 628broadway permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging standby
    logging trap debugging
    logging history informational
    logging facility 23
    logging device-id hostname
    logging host outside 63.108.175.80
    logging host inside 192.168.10.156
    no logging message 302015
    no logging message 302014
    no logging message 302013
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    mtu dmz 1500
    mtu e4 1500
    mtu e5 1500
    ip address outside x.x.x.x
    ip address inside 192.168.12.1 255.255.255.0
    ip address failover 192.168.14.1 255.255.255.252
    ip address dmz x.x.x.x
    no ip address e4
    no ip address e5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 172.16.1.1-172.16.1.100
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside x.x.x.x
    failover ip address inside 192.168.12.2
    failover ip address failover 192.168.14.2
    failover ip address dmz x.x.x.x
    no failover ip address e4
    no failover ip address e5
    failover link failover
    no pdm history enable
    arp outside x.x.x.x 0000.0c07.ac00 alias
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 628broadway
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    nat (inside) 1 192.168.11.0 255.255.255.0 0 0
    nat (inside) 1 192.168.12.0 255.255.255.0 0 0
    nat (inside) 1 192.168.13.0 255.255.255.0 0 0
    nat (inside) 1 192.168.20.0 255.255.255.0 0 0
    nat (inside) 1 192.168.21.0 255.255.255.0 0 0
    nat (inside) 1 192.168.22.0 255.255.255.0 0 0
    nat (inside) 1 192.168.23.0 255.255.255.0 0 0
    static (inside,outside) tcp 216.74.163.205 www 192.168.10.99 8022 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.205 https 192.168.10.99 8021 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.201 www 192.168.10.99 8002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.201 https 192.168.10.99 8001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.203 www 192.168.10.99 9002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.203 https 192.168.10.99 9001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.204 www 192.168.10.99 8032 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.204 https 192.168.10.99 8031 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.202 24 192.168.10.156 24 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
    static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 0 0
    static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0 0
    static (dmz,outside) 216.74.146.240 216.74.146.240 netmask 255.255.255.240 0 0
    access-group outside in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    router ospf 100
    network 192.168.12.0 255.255.255.0 area 0
    log-adj-changes
    redistribute static subnets
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.10.156 *********** timeout 10
    aaa-server TACACS+ (inside) host 192.168.10.157 *********** timeout 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.201 ********** timeout 10
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
    crypto ipsec transform-set riptech esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set kiodex
    crypto map outside 1 ipsec-isakmp
    crypto map outside 1 match address 628broadway
    crypto map outside 1 set peer 24.213.162.102
    crypto map outside 1 set transform-set kiodex
    crypto map outside 10 ipsec-isakmp
    crypto map outside 10 match address soc2800
    crypto map outside 10 set peer 65.201.134.9
    crypto map outside 10 set transform-set riptech
    crypto map outside 20 ipsec-isakmp dynamic dynmap
    crypto map outside client authentication RADIUS
    crypto map outside interface outside
    isakmp enable outside
    isakmp key ******** address x.x.x.x netmask 255.255.255.255
    isakmp key ******** address x.x.x.x netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup exovpn address-pool vpn
    vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
    vpngroup exovpn wins-server 192.168.10.200
    vpngroup exovpn default-domain kdx.int
    vpngroup exovpn split-tunnel 628broadway
    vpngroup exovpn idle-time 900
    vpngroup exovpn password ********
    telnet timeout 10
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 10
    console timeout 0
    vpdn group exo-pptp accept dialin pptp
    vpdn group exo-pptp ppp authentication mschap
    vpdn group exo-pptp ppp encryption mppe auto
    vpdn group exo-pptp client configuration address local vpn
    vpdn group exo-pptp client configuration dns 192.168.10.156 192.168.10.157
    vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
    vpdn group exo-pptp client authentication aaa RADIUS
    vpdn group exo-pptp pptp echo 60
    vpdn enable outside
    terminal width 80
    Cryptochecksum:a32890423cd33fe6d6eaf4852149721a

  2. mcaissie Guest

    --It is not recommended to use the same acl for the split
    tunneling and the noNAT. I think it's not even permitted.
    And in your case you also use the same list on the crypto map.


    *****
    nat (inside) 0 access-list 628broadway

    vpngroup exovpn split-tunnel 628broadway

    crypto map outside 1 match address 628broadway


    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list 628broadway permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0

    ip local pool vpn 172.16.1.1-172.16.1.100


    *******

    --So I strongly suggest to create a separate acl for the split-tunneling
    and nat (inside) 0, and we can see from there.



    -split tunnel list is "permit ip [ip pool] [internal address]"

    access-list split-exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    vpngroup exovpn split-tunnel split-exovpn

    -nonat list must include the inverse; "permit ip [internal address] [ip pool]"


    access-list nonat permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list nonat





    > vpdn group exo-pptp ppp authentication mschap
    > vpdn group exo-pptp ppp encryption mppe auto
    > vpdn group exo-pptp client configuration address local vpn
    > vpdn group exo-pptp client configuration dns 192.168.10.156
    > 192.168.10.157
    > vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
    > vpdn group exo-pptp client authentication aaa RADIUS
    > vpdn group exo-pptp pptp echo 60
    > vpdn enable outside
    > terminal width 80
    > Cryptochecksum:a32890423cd33fe6d6eaf4852149721a
    >
    mcaissie, May 19, 2006
    #2

  3. Guest

    OK, the updated conf is below. This did solve the "No translation group
    found for src" errors, but I still can't connect to anything on
    192.168.0.0/16 once I (successfully) make the VPN connection.

    I noticed on the client side, after connecting, that I didn't have any
    routes to 192.168.x.x.

    thanks
    david

    --------------------------------------------------------------------
    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 100full
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 failover security20
    nameif ethernet3 dmz security20
    nameif ethernet4 e4 security0
    nameif ethernet5 e5 security0
    enable password ************ encrypted
    passwd ************ encrypted
    hostname spix
    domain-name x.x.x
    fixup protocol dns maximum-length 512
    fixup protocol domain 53
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    no fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list soc2800 permit ip host 216.74.163.199 host 65.197.254.5
    access-list soc2800 permit ip host 216.74.163.199 63.108.175.0
    255.255.255.0
    access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.1
    access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.2
    access-list inside permit udp 192.168.0.0 255.255.0.0 host
    216.74.163.194 eq ntp
    access-list inside permit udp 192.168.0.0 255.255.0.0 host
    216.74.163.195 eq ntp
    access-list inside permit icmp any any echo
    access-list inside permit icmp any any unreachable
    access-list inside permit icmp any any source-quench
    access-list inside permit icmp any any time-exceeded
    access-list inside remark ###### allow ftp to ftp.lim.com
    access-list inside permit tcp 192.168.10.0 255.255.255.0 host
    12.43.226.2 eq ftp
    access-list inside permit tcp host 192.168.10.80 any eq www
    access-list inside permit tcp host 192.168.10.80 any eq ftp
    access-list inside permit tcp host 192.168.10.80 any eq https
    access-list inside permit tcp host 192.168.10.80 any eq ssh
    access-list inside permit tcp host 192.168.10.80 any eq smtp
    access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.1
    access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.2
    access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0
    255.255.0.0
    access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0
    255.255.0.0
    access-list inside permit tcp host 192.168.10.80 any eq telnet
    access-list inside permit tcp host 192.168.10.157 any eq https
    access-list inside permit tcp host 192.168.10.156 any eq smtp
    access-list inside permit tcp host 192.168.10.156 any eq https
    access-list inside permit udp host 192.168.10.156 any eq ntp
    access-list inside permit udp host 192.168.10.157 any eq ntp
    access-list inside permit udp host 192.168.10.157 any eq domain
    access-list inside permit udp host 192.168.10.156 any eq domain
    access-list inside permit tcp host 192.168.10.157 any eq domain
    access-list inside permit tcp host 192.168.10.156 any eq domain
    access-list inside permit tcp host 192.168.10.199 any eq domain
    access-list inside permit udp host 192.168.10.199 any eq domain
    access-list inside permit tcp host 192.168.10.197 any eq domain
    access-list inside permit udp host 192.168.10.197 any eq domain
    access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0
    255.255.255.0 eq www
    access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0
    255.255.255.0 eq https
    access-list inside permit tcp 192.168.0.0 255.255.0.0 host
    208.173.140.54 eq smtp
    access-list inside permit tcp host 192.168.10.199 host 192.88.69.69 eq
    ftp
    access-list inside permit tcp host 192.168.10.197 host 192.88.69.69 eq
    ftp
    access-list inside permit tcp host 192.168.10.185 any eq smtp
    access-list inside remark ##### allow all machines out to
    futuresource.com and xml.marketcenter.com on 4004
    access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
    access-list inside remark ###### allow specific machines out
    access-list inside permit tcp host 192.168.10.185 any eq www
    access-list inside permit tcp host 192.168.10.185 any eq https
    access-list inside permit tcp host 192.168.10.200 any eq www
    access-list inside permit tcp host 192.168.10.201 any eq www
    access-list inside permit tcp host 192.168.10.200 any eq https
    access-list inside permit tcp host 192.168.10.201 any eq https
    access-list inside permit tcp host 192.168.10.200 any eq ftp
    access-list inside permit tcp host 192.168.10.201 any eq ftp
    access-list inside remark ###### LAN --> border network
    access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192
    255.255.255.224 eq telnet
    access-list inside remark #### allw VPN local pool ips
    access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0
    255.255.255.0
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any unreachable
    access-list outside permit icmp any any time-exceeded
    access-list outside permit tcp any host 216.74.163.204 eq https
    access-list outside permit tcp any host 216.74.163.204 eq www
    access-list outside permit tcp any host 216.74.163.209 eq www
    access-list outside permit tcp any host 216.74.163.209 eq https
    access-list outside permit tcp any host 216.74.163.205 eq www
    access-list outside permit tcp any host 216.74.163.205 eq https
    access-list outside permit tcp any host 216.74.163.203 eq www
    access-list outside permit tcp any host 216.74.163.203 eq https
    access-list outside permit tcp any host 216.74.163.201 eq www
    access-list outside permit tcp any host 216.74.163.201 eq https
    access-list outside permit tcp any host 216.74.146.250 eq www
    access-list outside remark ###### line 15-22 may be obsolete DSP 2.6.06
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
    ssh
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
    10000
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
    8888
    access-list outside permit esp host 12.146.1.11 host 216.74.146.244
    access-list outside permit esp host 12.146.1.11 host 216.74.146.245
    access-list outside permit tcp any host 216.74.163.202 eq 24
    access-list outside permit tcp any host 216.74.146.244 eq ssh
    access-list outside permit tcp any host 216.74.146.245 eq ssh
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.10.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.11.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.12.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.13.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.20.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.21.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.22.0
    255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.23.0
    255.255.255.0
    access-list outside remark ##### deny below added per SOC incident
    19319363
    access-list outside deny tcp any host 67.85.186.115
    access-list dmz permit udp 216.74.146.240 255.255.255.240 host
    216.74.163.194 eq ntp
    access-list dmz permit udp 216.74.146.240 255.255.255.240 host
    216.74.163.195 eq ntp
    access-list dmz permit icmp any any echo
    access-list dmz permit icmp any any unreachable
    access-list dmz permit icmp any any time-exceeded
    access-list dmz permit tcp host 216.74.146.250 host 24.213.162.100 eq
    smtp
    access-list dmz permit tcp host 216.74.146.250 any eq domain
    access-list dmz permit udp host 216.74.146.250 any eq domain
    access-list dmz permit tcp host 216.74.146.250 any eq ssh
    access-list dmz permit udp host 216.74.146.244 host 12.146.1.11 eq
    isakmp
    access-list dmz permit udp host 216.74.146.245 host 12.146.1.11 eq
    isakmp
    access-list dmz permit esp host 216.74.146.245 host 12.146.1.11
    access-list dmz permit esp host 216.74.146.244 host 12.146.1.11
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq
    2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq
    2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq
    ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq
    ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq
    2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq
    2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq
    ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq
    ssh
    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0
    255.255.0.0
    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0
    255.255.255.0
    access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0
    255.255.0.0
    pager lines 24
    logging on
    logging timestamp
    logging standby
    logging trap debugging
    logging history informational
    logging facility 23
    logging device-id hostname
    logging host outside x.x.x.x
    logging host inside x.x.x.x
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    mtu dmz 1500
    mtu e4 1500
    mtu e5 1500
    ip address outside x.x.x.x 255.255.255.224
    ip address inside 192.168.12.1 255.255.255.0
    ip address failover 192.168.14.1 255.255.255.252
    ip address dmz x.x.x.x 255.255.255.240
    no ip address e4
    no ip address e5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 172.16.1.1-172.16.1.100
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside x.x.x.x
    failover ip address inside 192.168.12.2
    failover ip address failover 192.168.14.2
    failover ip address dmz x.x.x.x
    no failover ip address e4
    no failover ip address e5
    failover link failover
    no pdm history enable
    arp outside x.x.x.x 0000.0c07.ac00 alias
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 628broadway
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    nat (inside) 1 192.168.11.0 255.255.255.0 0 0
    nat (inside) 1 192.168.12.0 255.255.255.0 0 0
    nat (inside) 1 192.168.13.0 255.255.255.0 0 0
    nat (inside) 1 192.168.20.0 255.255.255.0 0 0
    nat (inside) 1 192.168.21.0 255.255.255.0 0 0
    nat (inside) 1 192.168.22.0 255.255.255.0 0 0
    nat (inside) 1 192.168.23.0 255.255.255.0 0 0
    static (inside,outside) tcp 216.74.163.205 www 192.168.10.99 8022
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.205 https 192.168.10.99 8021
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.201 www 192.168.10.99 8002
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.201 https 192.168.10.99 8001
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.203 www 192.168.10.99 9002
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.203 https 192.168.10.99 9001
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.204 www 192.168.10.99 8032
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.204 https 192.168.10.99 8031
    netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.202 24 192.168.10.156 24 netmask
    255.255.255.255 0 0
    static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0

    static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0

    static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 0 0

    static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0 0

    static (dmz,outside) 216.74.146.240 216.74.146.240 netmask
    255.255.255.240 0 0
    access-group outside in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    router ospf 100
    network 192.168.12.0 255.255.255.0 area 0
    log-adj-changes
    redistribute static subnets
    route outside 0.0.0.0 0.0.0.0 216.74.163.193 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.10.156 ******** timeout 10
    aaa-server TACACS+ (inside) host 192.168.10.157 ******** timeout 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.201 ******** timeout 10
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    no snmp-server location
    no snmp-server contact
    snmp-server community xxxxx
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
    crypto ipsec transform-set riptech esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set kiodex
    crypto map outside 1 ipsec-isakmp
    crypto map outside 1 match address 628broadway
    crypto map outside 1 set peer x.x.x.x
    crypto map outside 1 set transform-set kiodex
    crypto map outside 10 ipsec-isakmp
    crypto map outside 10 match address soc2800
    crypto map outside 10 set peer xxxx
    crypto map outside 10 set transform-set riptech
    crypto map outside 20 ipsec-isakmp dynamic dynmap
    crypto map outside client authentication RADIUS
    crypto map outside interface outside
    isakmp enable outside
    isakmp key ******** address x.x.x.x netmask 255.255.255.255
    isakmp key ******** address x.x.x.x netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup exovpn address-pool vpn
    vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
    vpngroup exovpn wins-server 192.168.10.200
    vpngroup exovpn default-domain kdx.int
    vpngroup exovpn split-tunnel exovpn
    vpngroup exovpn idle-time 900
    vpngroup exovpn password ********
    telnet timeout 10
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 10
    console timeout 0
    vpdn group exo-pptp accept dialin pptp
    vpdn group exo-pptp ppp authentication mschap
    vpdn group exo-pptp ppp encryption mppe auto
    vpdn group exo-pptp client configuration address local vpn
    vpdn group exo-pptp client configuration dns 192.168.10.156
    192.168.10.157
    vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
    vpdn group exo-pptp client authentication aaa RADIUS
    vpdn group exo-pptp pptp echo 60
    vpdn enable outside
    terminal width 80
    , May 19, 2006
    #3
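    As an added example (not part of the thread or of Cisco's own tooling), a small Python check over the lines of the posted config that matter for a remote-access client: it derives the routes a PIX 6.3 pushes to the client from the `vpngroup ... split-tunnel` ACL (on PIX 6.x the source side of each ACE is the network the client learns, with the pool expected on the destination side) and verifies that the `nat (inside) 0` ACL exempts inside-to-pool traffic, which is what cleared the "No translation group found" messages. The config excerpt is copied from the post; `CORRECTED_SPLIT_ACE` is an assumed alternative ACE used only to show what the check reports when the sides are swapped.

```python
"""Consistency check for PIX 6.3 remote-access VPN settings (added example)."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Excerpt of the posted config: only the lines this check reads.
PIX_CONFIG = """
ip local pool vpn 172.16.1.1-172.16.1.100
access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list 628broadway
vpngroup exovpn address-pool vpn
vpngroup exovpn split-tunnel exovpn
"""

# The split-tunnel ACE as posted, and an assumed ACE with the sides swapped
# (inside networks as source, pool as destination) for comparison.
POSTED_SPLIT_ACE = "access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0"
CORRECTED_SPLIT_ACE = "access-list exovpn permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0"


def _net(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one PIX address spec (any | host A | A MASK) and return the rest."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(f"{tokens[1]}/32"), tokens[2:]
    return Net(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text: str) -> Dict:
    """Pick out 'permit ip' ACEs, local pools, the nat 0 ACL and vpngroup settings."""
    cfg: Dict = {"acl": {}, "pool": {}, "nat0": None, "vpngroup": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[0] == "access-list" and t[2] == "permit" and t[3] == "ip":
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            # The pool range as a list of CIDR blocks, so coverage can be tested.
            cfg["pool"][t[3]] = list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"] = t[4]
        elif t[0] == "vpngroup":
            cfg["vpngroup"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg


def _pool(cfg: Dict, group: str) -> List[Net]:
    return cfg["pool"][cfg["vpngroup"][group]["address-pool"]]


def pushed_split_routes(cfg: Dict, group: str) -> List[str]:
    """Networks the PIX pushes to the client: the source side of each split-tunnel ACE."""
    acl = cfg["vpngroup"][group]["split-tunnel"]
    return [str(src) for src, _ in cfg["acl"].get(acl, [])]


def nat_exempt_covers_pool(cfg: Dict, group: str) -> bool:
    """True if every pool address is a destination of some ACE in the nat 0 ACL."""
    aces = cfg["acl"].get(cfg["nat0"], [])
    return all(any(chunk.subnet_of(dst) for _, dst in aces) for chunk in _pool(cfg, group))


def split_tunnel_findings(cfg: Dict, group: str) -> List[str]:
    """Report ACEs whose orientation means the client will not learn the inside networks."""
    acl = cfg["vpngroup"][group]["split-tunnel"]
    pool = _pool(cfg, group)
    findings = []
    for src, dst in cfg["acl"].get(acl, []):
        if any(chunk.subnet_of(src) for chunk in pool):
            findings.append(f"{acl}: pool {src} is on the source side; the client gets a "
                            f"route for {src} but none for {dst}")
        elif not any(chunk.subnet_of(dst) for chunk in pool):
            findings.append(f"{acl}: ACE {src} -> {dst} does not cover the pool as destination")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", PIX_CONFIG),
                        ("swapped", PIX_CONFIG.replace(POSTED_SPLIT_ACE, CORRECTED_SPLIT_ACE))):
        cfg = parse_config(text)
        print(label, "routes pushed:", pushed_split_routes(cfg, "exovpn"))
        print(label, "nat 0 covers pool:", nat_exempt_covers_pool(cfg, "exovpn"))
        for f in split_tunnel_findings(cfg, "exovpn"):
            print(label, "finding:", f)
```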
  4. mcaissie Guest

    <> wrote in message
    news:...
    > ok, the updated conf is below. this did solve the "No translation group
    > found for src" errors, but I still cant connect to anythign on
    > 192.168.0.0./16 once I (sucessfully) make the vpn connection.
    >
    > I noticed on the client side, after connecting, that I didnt have any
    > routes to 192.168.x.x
    >


    On your Cisco client, what do you see in Status > Statistics > Route Details
    after connecting?



















    >
    > --------------------------------------------------------------------
    > PIX Version 6.3(3)
    > interface ethernet0 100full
    > interface ethernet1 100full
    > interface ethernet2 100full
    > interface ethernet3 100full
    > interface ethernet4 auto shutdown
    > interface ethernet5 auto shutdown
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > nameif ethernet2 failover security20
    > nameif ethernet3 dmz security20
    > nameif ethernet4 e4 security0
    > nameif ethernet5 e5 security0
    > enable password ************ encrypted
    > passwd ************ encrypted
    > hostname spix
    > domain-name x.x.x
    > fixup protocol dns maximum-length 512
    > fixup protocol domain 53
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > no fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > no fixup protocol skinny 2000
    > no fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > no names
    > access-list soc2800 permit ip host 216.74.163.199 host 65.197.254.5
    > access-list soc2800 permit ip host 216.74.163.199 63.108.175.0
    > 255.255.255.0
    > access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.1
    > access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.2
    > access-list inside permit udp 192.168.0.0 255.255.0.0 host
    > 216.74.163.194 eq ntp
    > access-list inside permit udp 192.168.0.0 255.255.0.0 host
    > 216.74.163.195 eq ntp
    > access-list inside permit icmp any any echo
    > access-list inside permit icmp any any unreachable
    > access-list inside permit icmp any any source-quench
    > access-list inside permit icmp any any time-exceeded
    > access-list inside remark ###### allow ftp to ftp.lim.com
    > access-list inside permit tcp 192.168.10.0 255.255.255.0 host
    > 12.43.226.2 eq ftp
    > access-list inside permit tcp host 192.168.10.80 any eq www
    > access-list inside permit tcp host 192.168.10.80 any eq ftp
    > access-list inside permit tcp host 192.168.10.80 any eq https
    > access-list inside permit tcp host 192.168.10.80 any eq ssh
    > access-list inside permit tcp host 192.168.10.80 any eq smtp
    > access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.1
    > access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.2
    > access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0
    > 255.255.0.0
    > access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0
    > 255.255.0.0
    > access-list inside permit tcp host 192.168.10.80 any eq telnet
    > access-list inside permit tcp host 192.168.10.157 any eq https
    > access-list inside permit tcp host 192.168.10.156 any eq smtp
    > access-list inside permit tcp host 192.168.10.156 any eq https
    > access-list inside permit udp host 192.168.10.156 any eq ntp
    > access-list inside permit udp host 192.168.10.157 any eq ntp
    > access-list inside permit udp host 192.168.10.157 any eq domain
    > access-list inside permit udp host 192.168.10.156 any eq domain
    > access-list inside permit tcp host 192.168.10.157 any eq domain
    > access-list inside permit tcp host 192.168.10.156 any eq domain
    > access-list inside permit tcp host 192.168.10.199 any eq domain
    > access-list inside permit udp host 192.168.10.199 any eq domain
    > access-list inside permit tcp host 192.168.10.197 any eq domain
    > access-list inside permit udp host 192.168.10.197 any eq domain
    > access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0
    > 255.255.255.0 eq www
    > access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0
    > 255.255.255.0 eq https
    > access-list inside permit tcp 192.168.0.0 255.255.0.0 host
    > 208.173.140.54 eq smtp
    > access-list inside permit tcp host 192.168.10.199 host 192.88.69.69 eq
    > ftp
    > access-list inside permit tcp host 192.168.10.197 host 192.88.69.69 eq
    > ftp
    > access-list inside permit tcp host 192.168.10.185 any eq smtp
    > access-list inside remark ##### allow all machines out to
    > futuresource.com and xml.marketcenter.com on 4004
    > access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
    > access-list inside remark ###### allow specific machines out
    > access-list inside permit tcp host 192.168.10.185 any eq www
    > access-list inside permit tcp host 192.168.10.185 any eq https
    > access-list inside permit tcp host 192.168.10.200 any eq www
    > access-list inside permit tcp host 192.168.10.201 any eq www
    > access-list inside permit tcp host 192.168.10.200 any eq https
    > access-list inside permit tcp host 192.168.10.201 any eq https
    > access-list inside permit tcp host 192.168.10.200 any eq ftp
    > access-list inside permit tcp host 192.168.10.201 any eq ftp
    > access-list inside remark ###### LAN --> border network
    > access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192
    > 255.255.255.224 eq telnet
    > access-list inside remark #### allw VPN local pool ips
    > access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0
    > 255.255.255.0
    > access-list outside permit icmp any any echo-reply
    > access-list outside permit icmp any any unreachable
    > access-list outside permit icmp any any time-exceeded
    > access-list outside permit tcp any host 216.74.163.204 eq https
    > access-list outside permit tcp any host 216.74.163.204 eq www
    > access-list outside permit tcp any host 216.74.163.209 eq www
    > access-list outside permit tcp any host 216.74.163.209 eq https
    > access-list outside permit tcp any host 216.74.163.205 eq www
    > access-list outside permit tcp any host 216.74.163.205 eq https
    > access-list outside permit tcp any host 216.74.163.203 eq www
    > access-list outside permit tcp any host 216.74.163.203 eq https
    > access-list outside permit tcp any host 216.74.163.201 eq www
    > access-list outside permit tcp any host 216.74.163.201 eq https
    > access-list outside permit tcp any host 216.74.146.250 eq www
    > access-list outside remark ###### line 15-22 may be obsolete DSP 2.6.06
    > access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
    > ssh
    > access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
    > 10000
    > access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq
    > 8888
    > access-list outside permit esp host 12.146.1.11 host 216.74.146.244
    > access-list outside permit esp host 12.146.1.11 host 216.74.146.245
    > access-list outside permit tcp any host 216.74.163.202 eq 24
    > access-list outside permit tcp any host 216.74.146.244 eq ssh
    > access-list outside permit tcp any host 216.74.146.245 eq ssh
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.10.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.11.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.12.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.13.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.20.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.21.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.22.0
    > 255.255.255.0
    > access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.23.0
    > 255.255.255.0
    > access-list outside remark ##### deny below added per SOC incident
    > 19319363
    > access-list outside deny tcp any host 67.85.186.115
    > access-list dmz permit udp 216.74.146.240 255.255.255.240 host
    > 216.74.163.194 eq ntp
    > access-list dmz permit udp 216.74.146.240 255.255.255.240 host
    > 216.74.163.195 eq ntp
    > access-list dmz permit icmp any any echo
    > access-list dmz permit icmp any any unreachable
    > access-list dmz permit icmp any any time-exceeded
    > access-list dmz permit tcp host 216.74.146.250 host 24.213.162.100 eq
    > smtp
    > access-list dmz permit tcp host 216.74.146.250 any eq domain
    > access-list dmz permit udp host 216.74.146.250 any eq domain
    > access-list dmz permit tcp host 216.74.146.250 any eq ssh
    > access-list dmz permit udp host 216.74.146.244 host 12.146.1.11 eq
    > isakmp
    > access-list dmz permit udp host 216.74.146.245 host 12.146.1.11 eq
    > isakmp
    > access-list dmz permit esp host 216.74.146.245 host 12.146.1.11
    > access-list dmz permit esp host 216.74.146.244 host 12.146.1.11
    > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq
    > 2036
    > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq
    > 2036
    > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq
    > ssh
    > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq
    > ssh
    > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq
    > 2036
    > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq
    > 2036
    > access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq
    > ssh
    > access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq
    > ssh
    > access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0
    > 255.255.0.0
    > access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0
    > 255.255.255.0
    > access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0
    > 255.255.0.0
    > pager lines 24
    > logging on
    > logging timestamp
    > logging standby
    > logging trap debugging
    > logging history informational
    > logging facility 23
    > logging device-id hostname
    > logging host outside x.x.x.x
    > logging host inside x.x.x.x
    > icmp permit any inside
    > mtu outside 1500
    > mtu inside 1500
    > mtu failover 1500
    > mtu dmz 1500
    > mtu e4 1500
    > mtu e5 1500
    > ip address outside x.x.x.x 255.255.255.224
    > ip address inside 192.168.12.1 255.255.255.0
    > ip address failover 192.168.14.1 255.255.255.252
    > ip address dmz x.x.x.x 255.255.255.240
    > no ip address e4
    > no ip address e5
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool vpn 172.16.1.1-172.16.1.100
    > failover
    > failover timeout 0:00:00
    > failover poll 15
    > failover ip address outside x.x.x.x
    > failover ip address inside 192.168.12.2
    > failover ip address failover 192.168.14.2
    > failover ip address dmz x.x.x.x
    > no failover ip address e4
    > no failover ip address e5
    > failover link failover
    > no pdm history enable
    > arp outside x.x.x.x 0000.0c07.ac00 alias
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list 628broadway
    > nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.11.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.12.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.13.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.20.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.21.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.22.0 255.255.255.0 0 0
    > nat (inside) 1 192.168.23.0 255.255.255.0 0 0
    > static (inside,outside) tcp 216.74.163.205 www 192.168.10.99 8022 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.205 https 192.168.10.99 8021 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.201 www 192.168.10.99 8002 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.201 https 192.168.10.99 8001 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.203 www 192.168.10.99 9002 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.203 https 192.168.10.99 9001 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.204 www 192.168.10.99 8032 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.204 https 192.168.10.99 8031 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp 216.74.163.202 24 192.168.10.156 24 netmask 255.255.255.255 0 0
    > static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    > static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
    > static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 0 0
    > static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0 0
    > static (dmz,outside) 216.74.146.240 216.74.146.240 netmask 255.255.255.240 0 0
    > access-group outside in interface outside
    > access-group inside in interface inside
    > access-group dmz in interface dmz
    > router ospf 100
    > network 192.168.12.0 255.255.255.0 area 0
    > log-adj-changes
    > redistribute static subnets
    > route outside 0.0.0.0 0.0.0.0 216.74.163.193 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ (inside) host 192.168.10.156 ******** timeout 10
    > aaa-server TACACS+ (inside) host 192.168.10.157 ******** timeout 10
    > aaa-server RADIUS protocol radius
    > aaa-server RADIUS (inside) host 192.168.10.201 ******** timeout 10
    > aaa-server LOCAL protocol local
    > aaa authentication telnet console TACACS+
    > aaa authentication ssh console TACACS+
    > aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    > aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    > aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    > aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community xxxxx
    > snmp-server enable traps
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
    > crypto ipsec transform-set riptech esp-3des esp-md5-hmac
    > crypto dynamic-map dynmap 10 set transform-set kiodex
    > crypto map outside 1 ipsec-isakmp
    > crypto map outside 1 match address 628broadway
    > crypto map outside 1 set peer x.x.x.x
    > crypto map outside 1 set transform-set kiodex
    > crypto map outside 10 ipsec-isakmp
    > crypto map outside 10 match address soc2800
    > crypto map outside 10 set peer xxxx
    > crypto map outside 10 set transform-set riptech
    > crypto map outside 20 ipsec-isakmp dynamic dynmap
    > crypto map outside client authentication RADIUS
    > crypto map outside interface outside
    > isakmp enable outside
    > isakmp key ******** address x.x.x.x netmask 255.255.255.255
    > isakmp key ******** address x.x.x.x netmask 255.255.255.255
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup exovpn address-pool vpn
    > vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
    > vpngroup exovpn wins-server 192.168.10.200
    > vpngroup exovpn default-domain kdx.int
    > vpngroup exovpn split-tunnel exovpn
    > vpngroup exovpn idle-time 900
    > vpngroup exovpn password ********
    > telnet timeout 10
    > ssh 192.168.10.0 255.255.255.0 inside
    > ssh timeout 10
    > console timeout 0
    > vpdn group exo-pptp accept dialin pptp
    > vpdn group exo-pptp ppp authentication mschap
    > vpdn group exo-pptp ppp encryption mppe auto
    > vpdn group exo-pptp client configuration address local vpn
    > vpdn group exo-pptp client configuration dns 192.168.10.156 192.168.10.157
    > vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
    > vpdn group exo-pptp client authentication aaa RADIUS
    > vpdn group exo-pptp pptp echo 60
    > vpdn enable outside
    > terminal width 80
    >
    mcaissie, May 23, 2006
    #4
  5. sampark Guest

    Hi,

    The reason you should not have the same acl for nonat, crypto and split
    tunnel is that they all serve different purposes. The idea of putting
    all the things in one acl and applying it to different commands could be
    a shortcut; however, it leads to a lot of problems when the configuration
    starts to grow.

    So, if you have a lan to lan tunnel and VPN clients terminating, and
    only one acl acting as nonat, crypto and split, it will cause problems. The
    PIX will get the traffic destined for VPN clients; it will hit the
    inside interface, and based on the crypto map priorities it will start
    checking the SPD. If you have the VPN client policy greater than the lan to lan
    one you will have trouble in this phase: the SPD will say "ok, I found the
    policy for the traffic in L2L" (because you specified the traffic in one
    acl), and if the policy number of L2L is higher than the dynamic crypto the
    traffic will go to L2L rather than VPN. In this case you will feed too much
    traffic to the L2L tunnel (which is getting discarded at the other end,
    and if you break the tunnel it will not come up because of a policy
    mismatch on the other side) and your VPN client will starve.


    Coming back to the problem:
    > access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    > access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0

    You have the same acl in nonat and crypto.
    You are feeding all the traffic to the tunnel and your VPN client is
    starving.
    To check this you can connect with the VPN client and start pinging a
    server, then come to the PIX and run sh access-list 628broadway and notice the
    counters.
    Also, the show crypto ipsec sa command's encry and decry counters should be balanced:
    for 3 pings received (decrypted) there should be 3 echo-responses
    (encrypted).
    You will notice that your encry counter is increasing and your decry counter
    will stay constant.

    To double check use this:
    sh crypto ipsec sa will show you two SAs to the remote side:
    one from 192.168.0.0/16 going to 10.0.0.0/16 and
    one from 192.168.0.0/16 to 172.16.1.0/24 ... this SA will have no value,
    and if you turn the debugs on you will notice that when the tunnel is
    trying to come up it is reporting proxy identities not found. It is in
    this SA that you will find encry counters increasing. Your traffic is just
    going to oblivion.

    Based on the above configuration you should only have one SA from the 192
    address going to the 10/16 address.

    Please create different acls for nonat, crypto and split.

    Please tell us if this is working.

    -Vikas
    sampark, May 24, 2006
    #5
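To make the sequence-number argument in this reply concrete, here is an added Python model (not PIX code, and not anything the posters ran) of how a static crypto map entry with a lower sequence number claims a packet before the dynamic entry sees it; the peer labels and the client address 172.16.1.10 are constructed, and the ACLs are the ones quoted above and in the follow-up config.

```python
"""Model of the crypto-map selection described in the reply above.

Added illustration, not PIX code and not something the posters ran. It encodes
the reply's reasoning: crypto map entries are tried in ascending sequence, a
static entry claims a packet when its 'match address' ACL permits it, and the
dynamic entry (sequence 20 in the posted config) only gets what nothing earlier
claimed. Peer labels and the client address 172.16.1.10 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(tok + "/" + tokens.pop(0), strict=False)


def parse_acl(*lines: str) -> List[AclEntry]:
    """Parse PIX 'access-list NAME permit ip SRC DST' lines (ip-only subset)."""
    entries = []
    for line in lines:
        tokens = line.split()[2:]          # drop 'access-list NAME'
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError("only 'permit ip' entries are modelled: " + line)
        del tokens[:2]
        src = _network(tokens)
        dst = _network(tokens)
        entries.append(AclEntry(src, dst))
    return entries


def acl_permits(entries: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def proxy_identities(entries: List[AclEntry]) -> List[Tuple[str, str]]:
    """One local/remote proxy pair, hence one IPsec SA, per ACL line: this is
    what 'sh crypto ipsec sa' lists for a static crypto map entry."""
    return [(str(e.src), str(e.dst)) for e in entries]


@dataclass
class CryptoEntry:
    seq: int
    peer: str
    match: Optional[List[AclEntry]] = None   # None marks the dynamic entry


def select_peer(crypto_map: List[CryptoEntry], src_ip: str, dst_ip: str,
                connected_clients: Set[str]) -> Optional[str]:
    """Peer whose SA carries the packet; None means it leaves in clear text."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.match is None:
            # dynamic map: its proxy identity is the pool address a connected
            # client negotiated, so only traffic to that host fits it
            if dst_ip in connected_clients:
                return entry.peer
        elif acl_permits(entry.match, src_ip, dst_ip):
            return entry.peer
    return None


# The shared ACL quoted in the reply (nonat, crypto and split in one list) ...
SHARED_628BROADWAY = parse_acl(
    "access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0",
    "access-list 628broadway permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0",
)
# ... and the crypto-only ACL from the follow-up config.
SPLIT_628BROADWAY = parse_acl(
    "access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0",
)
SOC2800 = parse_acl(
    "access-list soc2800 permit ip host 216.74.163.199 host 65.197.254.5",
)
CLIENT_IP = "172.16.1.10"   # constructed: an address out of 'ip local pool vpn'


def build_crypto_map(crypto_acl: List[AclEntry]) -> List[CryptoEntry]:
    """Sequence numbers as in the posted 'crypto map outside' lines; peer
    names are placeholders."""
    return [
        CryptoEntry(1, "l2l-peer-kiodex", crypto_acl),
        CryptoEntry(10, "l2l-peer-riptech", SOC2800),
        CryptoEntry(20, "vpn-client-dynmap"),            # dynamic dynmap
    ]


def echo_reply_path(crypto_acl: List[AclEntry]) -> Optional[str]:
    """Where an inside host's reply to a pinging VPN client is sent."""
    return select_peer(build_crypto_map(crypto_acl), "192.168.10.50",
                       CLIENT_IP, {CLIENT_IP})
```

With the shared ACL the echo reply is claimed by sequence 1 (the L2L peer) and never reaches the client's dynamic SA; with the split ACL it falls through to sequence 20, and the static entry negotiates exactly one SA pair.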
  6. Guest

    Vikas, thank you for the detailed reply. I will be re-doing the ACL
    today & will report on the result.

    thank you,

    david


    , Jun 5, 2006
    #6
  7. Guest

    Vikas,

    I made your recommended changes. I now have specific ACLs for nonat,
    split tunnel (exovpn) and crypto (628broadway)

    I am still seeing the same behavior - I can make the IPSEC connection,
    but can't get anywhere. I didn't see any counters increasing when I tried
    a ping from the vpn client to an inside (192.168.10.0/24) IP.

    any/all help is very appreciated.

    david

    -----------------------------------------------------------------------
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 100full
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 failover security20
    nameif ethernet3 dmz security20
    nameif ethernet4 e4 security0
    nameif ethernet5 e5 security0

    hostname
    domain-name
    fixup protocol dns maximum-length 512
    fixup protocol domain 53
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    no fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list soc2800 permit ip host 216.74.163.199 host 65.197.254.5
    access-list soc2800 permit ip host 216.74.163.199 63.108.175.0 255.255.255.0
    access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.1
    access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.2
    access-list inside permit udp 192.168.0.0 255.255.0.0 host 216.74.163.194 eq ntp
    access-list inside permit udp 192.168.0.0 255.255.0.0 host 216.74.163.195 eq ntp
    access-list inside permit icmp any any echo
    access-list inside permit icmp any any unreachable
    access-list inside permit icmp any any source-quench
    access-list inside permit icmp any any time-exceeded
    access-list inside remark ###### allow ftp to ftp.lim.com
    access-list inside permit tcp 192.168.10.0 255.255.255.0 host 12.43.226.2 eq ftp
    access-list inside permit tcp host 192.168.10.80 any eq www
    access-list inside permit tcp host 192.168.10.80 any eq ftp
    access-list inside permit tcp host 192.168.10.80 any eq https
    access-list inside permit tcp host 192.168.10.80 any eq ssh
    access-list inside permit tcp host 192.168.10.80 any eq smtp
    access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.1
    access-list inside permit ip 10.0.0.0 255.255.0.0 host 192.168.12.2
    access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list inside permit tcp host 192.168.10.80 any eq telnet
    access-list inside permit tcp host 192.168.10.157 any eq https
    access-list inside permit tcp host 192.168.10.156 any eq smtp
    access-list inside permit tcp host 192.168.10.156 any eq https
    access-list inside permit udp host 192.168.10.156 any eq ntp
    access-list inside permit udp host 192.168.10.157 any eq ntp
    access-list inside permit udp host 192.168.10.157 any eq domain
    access-list inside permit udp host 192.168.10.156 any eq domain
    access-list inside permit tcp host 192.168.10.157 any eq domain
    access-list inside permit tcp host 192.168.10.156 any eq domain
    access-list inside permit tcp host 192.168.10.199 any eq domain
    access-list inside permit udp host 192.168.10.199 any eq domain
    access-list inside permit tcp host 192.168.10.197 any eq domain
    access-list inside permit udp host 192.168.10.197 any eq domain
    access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq www
    access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq https
    access-list inside permit tcp 192.168.0.0 255.255.0.0 host 208.173.140.54 eq smtp
    access-list inside permit tcp host 192.168.10.199 host 192.88.69.69 eq ftp
    access-list inside permit tcp host 192.168.10.197 host 192.88.69.69 eq ftp
    access-list inside permit tcp host 192.168.10.185 any eq smtp
    access-list inside remark ##### allow all machines out to futuresource.com and xml.marketcenter.com on 4004
    access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
    access-list inside remark ###### allow specific machines out
    access-list inside permit tcp host 192.168.10.185 any eq www
    access-list inside permit tcp host 192.168.10.185 any eq https
    access-list inside permit tcp host 192.168.10.200 any eq www
    access-list inside permit tcp host 192.168.10.201 any eq www
    access-list inside permit tcp host 192.168.10.200 any eq https
    access-list inside permit tcp host 192.168.10.201 any eq https
    access-list inside permit tcp host 192.168.10.200 any eq ftp
    access-list inside permit tcp host 192.168.10.201 any eq ftp
    access-list inside remark ###### LAN --> border network
    access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192 255.255.255.224 eq telnet
    access-list inside remark #### allow VPN local pool ips
    access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    access-list outside permit icmp any any echo-reply
    access-list outside permit icmp any any unreachable
    access-list outside permit icmp any any time-exceeded
    access-list outside permit tcp any host 216.74.163.204 eq https
    access-list outside permit tcp any host 216.74.163.204 eq www
    access-list outside permit tcp any host 216.74.163.209 eq www
    access-list outside permit tcp any host 216.74.163.209 eq https
    access-list outside permit tcp any host 216.74.163.205 eq www
    access-list outside permit tcp any host 216.74.163.205 eq https
    access-list outside permit tcp any host 216.74.163.203 eq www
    access-list outside permit tcp any host 216.74.163.203 eq https
    access-list outside permit tcp any host 216.74.163.201 eq www
    access-list outside permit tcp any host 216.74.163.201 eq https
    access-list outside permit tcp any host 216.74.146.250 eq www
    access-list outside remark ###### line 15-22 may be obsolete DSP 2.6.06
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq ssh
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq 10000
    access-list outside permit tcp host 63.145.12.27 host 216.74.146.250 eq 8888
    access-list outside permit esp host 12.146.1.11 host 216.74.146.244
    access-list outside permit esp host 12.146.1.11 host 216.74.146.245
    access-list outside permit tcp any host 216.74.163.202 eq 24
    access-list outside permit tcp any host 216.74.146.244 eq ssh
    access-list outside permit tcp any host 216.74.146.245 eq ssh
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
    access-list outside permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
    access-list outside remark ##### deny below added per SOC incident 19319363
    access-list outside deny tcp any host 67.85.186.115
    access-list dmz permit udp 216.74.146.240 255.255.255.240 host 216.74.163.194 eq ntp
    access-list dmz permit udp 216.74.146.240 255.255.255.240 host 216.74.163.195 eq ntp
    access-list dmz permit icmp any any echo
    access-list dmz permit icmp any any unreachable
    access-list dmz permit icmp any any time-exceeded
    access-list dmz permit tcp host 216.74.146.250 host 24.213.162.100 eq smtp
    access-list dmz permit tcp host 216.74.146.250 any eq domain
    access-list dmz permit udp host 216.74.146.250 any eq domain
    access-list dmz permit tcp host 216.74.146.250 any eq ssh
    access-list dmz permit udp host 216.74.146.244 host 12.146.1.11 eq isakmp
    access-list dmz permit udp host 216.74.146.245 host 12.146.1.11 eq isakmp
    access-list dmz permit esp host 216.74.146.245 host 12.146.1.11
    access-list dmz permit esp host 216.74.146.244 host 12.146.1.11
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.57 eq ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.57 eq ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq 2036
    access-list dmz permit tcp host 216.74.146.244 host 192.168.10.55 eq ssh
    access-list dmz permit tcp host 216.74.146.245 host 192.168.10.55 eq ssh
    access-list 628broadway permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list exovpn permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list nonat permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
    access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging standby
    logging trap debugging
    logging history informational
    logging facility 23
    logging device-id hostname
    logging host outside x.x.x.x
    logging host inside x.x.x.x
    no logging message 302015
    no logging message 302014
    no logging message 302013
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    mtu dmz 1500
    mtu e4 1500
    mtu e5 1500
    ip address outside x.x.x.x 255.255.255.224
    ip address inside 192.168.12.1 255.255.255.0
    ip address failover 192.168.14.1 255.255.255.252
    ip address dmz x.x.x.x 255.255.255.240
    no ip address e4
    no ip address e5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 172.16.1.1-172.16.1.100
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside x.x.x.x
    failover ip address inside 192.168.12.2
    failover ip address failover 192.168.14.2
    failover ip address dmz x.x.x.x
    no failover ip address e4
    no failover ip address e5
    failover link failover
    no pdm history enable
    arp outside 216.74.163.193 0000.0c07.ac00 alias
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.10.0 255.255.255.0 0 0
    nat (inside) 1 192.168.11.0 255.255.255.0 0 0
    nat (inside) 1 192.168.12.0 255.255.255.0 0 0
    nat (inside) 1 192.168.13.0 255.255.255.0 0 0
    nat (inside) 1 192.168.20.0 255.255.255.0 0 0
    nat (inside) 1 192.168.21.0 255.255.255.0 0 0
    nat (inside) 1 192.168.22.0 255.255.255.0 0 0
    nat (inside) 1 192.168.23.0 255.255.255.0 0 0
    static (inside,outside) tcp 216.74.163.205 www 192.168.10.99 8022 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.205 https 192.168.10.99 8021 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.201 www 192.168.10.99 8002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.201 https 192.168.10.99 8001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.203 www 192.168.10.99 9002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.203 https 192.168.10.99 9001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.204 www 192.168.10.99 8032 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.204 https 192.168.10.99 8031 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 216.74.163.202 24 192.168.10.156 24 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 0 0
    static (inside,dmz) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 0 0
    static (inside,dmz) 192.168.13.0 192.168.13.0 netmask 255.255.255.0 0 0
    static (dmz,outside) 216.74.146.240 216.74.146.240 netmask 255.255.255.240 0 0
    access-group outside in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    router ospf 100
    network 192.168.12.0 255.255.255.0 area 0
    log-adj-changes
    redistribute static subnets
    route outside 0.0.0.0 0.0.0.0 216.74.163.193 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 192.168.10.156 ******** timeout 10
    aaa-server TACACS+ (inside) host 192.168.10.157 ******** timeout 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.201 ******** timeout 10
    aaa-server LOCAL protocol local
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
    TACACS+
    no snmp-server location
    no snmp-server contact
    snmp-server community
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
    crypto ipsec transform-set riptech esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set kiodex
    crypto map outside 1 ipsec-isakmp
    crypto map outside 1 match address 628broadway
    crypto map outside 1 set peer 24.213.162.102
    crypto map outside 1 set transform-set kiodex
    crypto map outside 10 ipsec-isakmp
    crypto map outside 10 match address soc2800
    crypto map outside 10 set peer 65.201.134.9
    crypto map outside 10 set transform-set riptech
    crypto map outside 20 ipsec-isakmp dynamic dynmap
    crypto map outside client authentication RADIUS
    crypto map outside interface outside
    isakmp enable outside
    isakmp key ******** address x.x.x.x netmask 255.255.255.255
    isakmp key ******** address x.x.x.x netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup exovpn address-pool vpn
    vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
    vpngroup exovpn wins-server 192.168.10.200
    vpngroup exovpn default-domain kdx.int
    vpngroup exovpn split-tunnel exovpn
    vpngroup exovpn idle-time 900
    vpngroup exovpn password ********
    telnet timeout 10
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 10
    console timeout 0
    vpdn group exo-pptp accept dialin pptp
    vpdn group exo-pptp ppp authentication mschap
    vpdn group exo-pptp ppp encryption mppe auto
    vpdn group exo-pptp client configuration address local vpn
    vpdn group exo-pptp client configuration dns 192.168.10.156 192.168.10.157
    vpdn group exo-pptp client configuration wins 192.168.10.200 10.0.0.10
    vpdn group exo-pptp client authentication aaa RADIUS
    vpdn group exo-pptp pptp echo 60
    vpdn enable outside
    terminal width 80
    spix(config)#

    , Jun 5, 2006
    #7