I'm using the latest Cisco VPN Client (behind a PIX 501), trying to connect to a remote office using a PIX 515. I'm unable to get an outside connection even though
access-list pix_out permit udp host 10.10.1.1 any eq isakmp
Because we're unrelated companies and I'm only a client, neither PIX is configured for Site-to-Site VPN.
Is there any other command on my side I need to use in order to connect to the PIX VPN site?
Thanks in advance.
ADSL SOHO - One External Static IP
Inside address 192.168.0.1
SOHO PIX 501
Outside address 172.16.0.2
Inside address 172.16.0.1
Outside address 184.108.40.206
Outside address 220.127.116.11
Inside address 18.104.22.168
Outside address 22.214.171.124
Inside address 192.168.10.1
IP addresses used are for example only.
Your issue may be due to nat/pat failure of the ipsec vpn session originating on the client. Ask the partner network if their pix 515 can accept ipsec via NAT-T, which will use udp port 4500 as well as port 500. If not, then you will need to do a static nat xlate for your client - which may not be possible due to how many public/routable addresses were assigned to you. Using nat-t is the better option - the pix command is isakmp nat-traversal.
On your side, all you need to do is to reconfig the client to use nat traversal (aka nat-t using udp). Then on your pix allow the client to connect to the remote end dest. port 4500 (as well as dest port 500). You can continue to use nat/pat for your client as the ike negotiation will determine that there is a nat/pat device between the two ipsec vpn peers.
Let me know how it proceeds from here.
Thanks for your reply. There's good news and bad news.
I can connect using vpn client from myside to PIX 515. Good news!
However, when I connect to my end PIX 501 via VPN client it says Secure VPN Connection terminated locally by the client. Reason 412.
I'm using a Laptop with modem dial-up and no Firewall.
Is there anything I should look out for?
Hi, the PIX 501 is my home use and this is my config:
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Dmouth address-pool bromley
vpngroup Dmouth dns-server Briscoe 126.96.36.199
vpngroup Dmouth default-domain Test.COM
vpngroup Dmouth idle-time 1800
vpngroup Tenfore-VPN split-tunnel inside_outbound_nat0_acl
vpngroup Dmouth password ***********
Is this config ok?
Your config looks good, been busy with the PDM eh! :)
Just one thing, I presume you've not included the ras pool command in your post?
> ip local pool raspool 10.1.1.1-10.1.1.10
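The two points raised in this thread (the outbound ACL and NAT-T for a client behind PAT, and a complete vpngroup that references a defined address pool) can be checked mechanically before a client ever dials in. The script below is an added example written for this page; it is not from the thread and not Cisco code. It reads PIX 6.x configuration text and reports whether isakmp nat-traversal is enabled, whether a given ACL lets the client host reach a peer on udp/500 and udp/4500, whether a crypto map is bound to an interface, and whether every vpngroup has a password and an address-pool backed by an ip local pool line. The two sample configs are constructed from the commands shown in the thread; the ACL name pix_out, the client host 10.10.1.1, the pool name bromley and the password value are placeholders, not a real deployment.

```python
"""Static lint for a PIX 6.x VPN-client configuration (added example)."""
import re

# PIX accepts a few well-known names in place of port numbers; only the one
# relevant to IKE is mapped here (assumption: others are not needed).
PORT_NAMES = {"isakmp": 500}
IKE_PORTS = {500, 4500}  # IKE plus NAT-T encapsulation


def parse(config_text):
    """Return non-empty, non-comment config lines with whitespace normalised."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def nat_traversal_enabled(lines):
    """True when 'isakmp nat-traversal [keepalive]' is present."""
    return any(l.startswith("isakmp nat-traversal") for l in lines)


def acl_udp_ports(lines, acl_name, src_host):
    """Destination UDP ports that ACL `acl_name` permits from `src_host` to any."""
    pat = re.compile(
        rf"^access-list {re.escape(acl_name)} permit udp host "
        rf"{re.escape(src_host)} any eq (\S+)$"
    )
    ports = set()
    for l in lines:
        m = pat.match(l)
        if not m:
            continue
        tok = m.group(1)
        port = PORT_NAMES.get(tok)
        if port is None and tok.isdigit():
            port = int(tok)
        if port is not None:
            ports.add(port)
    return ports


def client_can_reach_ike(lines, acl_name, src_host):
    """True when the ACL permits both udp/500 and udp/4500 for the client."""
    return IKE_PORTS <= acl_udp_ports(lines, acl_name, src_host)


def crypto_map_bound(lines):
    """True when some crypto map is applied to an interface."""
    return any(re.match(r"^crypto map \S+ interface \S+$", l) for l in lines)


def vpngroup_problems(lines):
    """Findings about vpngroup stanzas: missing password/pool, undefined pool."""
    pools = set()
    groups = {}
    for l in lines:
        m = re.match(r"^ip local pool (\S+) ", l)
        if m:
            pools.add(m.group(1))
        m = re.match(r"^vpngroup (\S+) (\S+)(?: (.*))?$", l)
        if m:
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3) or ""
    findings = []
    for name, attrs in sorted(groups.items()):
        if "password" not in attrs:
            findings.append(f"vpngroup {name}: no password set")
        if "address-pool" not in attrs:
            findings.append(f"vpngroup {name}: no address-pool, clients get no address")
        elif attrs["address-pool"] not in pools:
            findings.append(f"vpngroup {name}: address-pool '{attrs['address-pool']}' "
                            "is not defined by 'ip local pool'")
    return findings


def lint(config_text, client_acl=None, client_host=None):
    """Run every check; an empty list means nothing in scope was found."""
    lines = parse(config_text)
    findings = []
    if not nat_traversal_enabled(lines):
        findings.append("isakmp nat-traversal not enabled; clients behind NAT/PAT will fail")
    if client_acl and client_host and not client_can_reach_ike(lines, client_acl, client_host):
        findings.append(f"{client_acl}: client {client_host} lacks udp/500 and/or udp/4500 to the peer")
    if not crypto_map_bound(lines):
        findings.append("no crypto map is bound to an interface")
    findings.extend(vpngroup_problems(lines))
    return findings


# Constructed sample: the state described early in the thread (ACL permits
# isakmp only, no NAT-T, a vpngroup whose pool is never defined, a second
# vpngroup with only a split-tunnel line). Names and values are placeholders.
SOHO_CONFIG_BEFORE = """
access-list pix_out permit udp host 10.10.1.1 any eq isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
vpngroup Dmouth address-pool bromley
vpngroup Dmouth password placeholder-secret
vpngroup Tenfore-VPN split-tunnel inside_outbound_nat0_acl
"""

# Constructed sample: same config after adding udp/4500, NAT-T and the pool.
SOHO_CONFIG_AFTER = """
access-list pix_out permit udp host 10.10.1.1 any eq isakmp
access-list pix_out permit udp host 10.10.1.1 any eq 4500
ip local pool bromley 10.1.1.1-10.1.1.10
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
vpngroup Dmouth address-pool bromley
vpngroup Dmouth password placeholder-secret
vpngroup Dmouth split-tunnel inside_outbound_nat0_acl
"""

if __name__ == "__main__":
    for label, cfg in (("before", SOHO_CONFIG_BEFORE), ("after", SOHO_CONFIG_AFTER)):
        print(label, lint(cfg, "pix_out", "10.10.1.1") or "clean")
```

The checks are deliberately syntactic: they confirm the commands are present and consistent with each other, which is what a reader can verify from a posted config, and they say nothing about whether the remote PIX accepts NAT-T or whether the pre-shared key is right, which only a live negotiation (or the peer's administrator) can tell you.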