Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
0
Helpful
1
Replies

A strange problem - pix 501

dagesh4
Community Member

‎05-06-2005 01:58 AM - edited ‎02-21-2020 12:07 AM

I connect with vpn client v 4.0.3f to the pix 501 v6.2, however I can access resources on the remote lan only after I initiate some kind of connection from the remote lan to the vpn client (a ping for example).Could the fact that I don't get any dhcp,dns or wins servers cause this problem?

(I've noticed that when I run ipconfig/all on the client pc I get only ip-sub-gateway, no dhcp,dns or wins servers are shown).The pix is not configured as dhcp server - I have an internal dhcp server

0 Helpful
1 Reply 1

Patrick Iseli
Level 11
Level 11

‎05-06-2005 04:03 AM

Seems like you have some routing problems.

The VPN Clients should use a separate Network Range that is diffrent from the inside network. As the netmask is choosen by the Class of network it is best to use a Class C network.

For example: 192.168.1.0 / 24 for the inside network

and 192.168.2.0 /24 for the VPN Pool.

Probably a few of this commands as "isakmp nat-traversal" will not work as this was added in the PIX OS 6.3.x code.

Config example:

access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0

nat (inside) 0 access-list NONAT

access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0

aaa-server LOCAL protocol local

aaa authentication secure-http-client

sysopt connection permit-ipsec

crypto ipsec transform-set TRANS esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS

crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map REMOTE client authentication LOCAL

crypto map REMOTE interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

ip local pool VPNPool x.y.z.1-x.y.z.254

vpngroup VPNGroup address-pool VPNPool

vpngroup VPNGroup dns-server dns2 dns1

vpngroup VPNGroup default-domain localdomain

vpngroup VPNGroup idle-time 1800

vpngroup VPNGroup password grouppassword

username vpnclient password vpnclient-password

sincerely

Patrick

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card