07-11-2002 08:18 AM - edited 02-21-2020 11:55 AM
All,
Sorry for the most basic question here, but the situation is this:
PIX 501 sitting between the Internet and LAN. This internet connection DOES NOT handle traffic initiated from within the LAN. I simply need to enable the PIX to accept incoming client connections. I've read through and tried various permutations from about 20 different Cisco documents. Each one simply is more complicated than I need. What do I need to do (probably an incredibly basic step I've missed) to tell the PIX to accept connections from incoming clients?
I've added the lines:
ip local pool inpool x.x.x.x-x.x.x.x
vpngroup vpn dns-server x.x.x.x
vpngroup vpn wins-server x.x.x.x
vpngroup vpn default-domain testdomain.com
vpngroup vpn password ********
sysopt connection permit-ipsec
no sysopt route dnat (I have no idea what this line means)
plus the basics, interface names, ip addresses, etc...
Any help is greatly appreciated.
Patrick
07-11-2002 03:45 PM
Have a look at this config, don't use the "aaa-server..." configs or the line "crypto map vpnclient authentication authme", and look at the highlighted commands:
http://www.cisco.com/warp/customer/471/vpn3002pix-6421.shtml
You need :
access-list nonat permit ip "inside ip subnet" "pool inpool ip subnet"
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong ............
crypto dynamic-map .........
crypto map vpn interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
Regards,
07-11-2002 03:50 PM
You have configured vpngroup commands, which is very good.
You still need
1 crypto map
2 isakmp
3 nat (inside) 0 access-list
to make the remote access client work fine.
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set myset
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
I assume that your inside network is 192.168.200.x and the pool is 192.168.1.x
ip local pool vpnpool 192.168.1.200-192.168.1.254
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
Best Regards,
07-11-2002 07:20 PM
Hi Patrick,
This config on Cisco's site has helped me out a lot: http://www.cisco.com/warp/public/110/pptpcrypto3.html
But to be completely honest, the easiest way to do this is to upgrade the PIX to 6.2 and install a program called PDM 2.0 (PIX Device Manager). This new program has a wizard built in that allows you to create Site-to-Site or Software Client to PIX VPNs. It will configure the PIX to do what you want in a couple of minutes. It's a very nice tool.
07-16-2002 10:06 AM
Ran the tool. It created the VPN client to PIX config. I connect through the client and pull down an address from the pool, but I am unable to access any resources on my LAN.
07-16-2002 09:53 PM
Likely routing issue.
Do you have a nat 0 statement?
Does your inside host default-route to the PIX? This is so that it sends replies for the IPs in the VPN pool back to the PIX inside interface....
Regards,
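The replies above list the pieces a PIX 6.x software-client VPN needs (sysopt, pool plus vpngroup, nat 0 with its ACL, isakmp on the outside interface, and a crypto map chained to a dynamic map and transform set), and the last reply narrows the "connected but can't reach the LAN" symptom down to the nat 0 statement. The following Python script is an added example, not code from the thread or from Cisco: it lints a saved PIX configuration for exactly those pieces and reports which are absent or not wired together, and flags the DES/MD5 choices from the 2002-era replies as weak. It assumes the interface names `inside` and `outside` as in the thread, PIX 6.x command syntax as quoted in the replies, and two constructed sample configs (one in the original poster's half-finished state, one completed with the second reply's commands).

```python
import re
from typing import List, Tuple

# Constructed sample: the original poster's state (pool + vpngroup + sysopt, no
# crypto map, no isakmp, no nat 0). Addresses are RFC 5737 / private examples.
SAMPLE_INCOMPLETE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.200.1 255.255.255.0
ip local pool inpool 192.168.1.200-192.168.1.254
vpngroup vpn address-pool inpool
vpngroup vpn dns-server 192.168.200.10
vpngroup vpn default-domain testdomain.com
vpngroup vpn password ********
sysopt connection permit-ipsec
no sysopt route dnat
"""

# Constructed sample: the same config completed with the second reply's commands.
SAMPLE_COMPLETE = SAMPLE_INCOMPLETE + """\
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 20 set transform-set myset
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
"""


def parse_config(config: str) -> List[str]:
    """Normalise a PIX config: drop blank/comment lines, collapse whitespace."""
    lines = []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def check_remote_access_vpn(config: str, outside: str = "outside",
                            inside: str = "inside") -> Tuple[List[str], List[str]]:
    """Return (missing, warnings) for a PIX 6.x vpngroup (software client) VPN.

    'missing' lists required commands that are absent or not chained together;
    'warnings' lists settings that are present but use weak algorithms.
    """
    lines = parse_config(config)
    missing: List[str] = []
    warnings: List[str] = []

    def first(pattern: str):
        for ln in lines:
            m = re.match(pattern, ln)
            if m:
                return m
        return None

    def all_matches(pattern: str):
        return [m for m in (re.match(pattern, ln) for ln in lines) if m]

    # Decrypted IPsec traffic must be allowed to bypass the interface ACLs.
    if not first(r"sysopt connection permit-ipsec$"):
        missing.append("sysopt connection permit-ipsec")

    # Client address pool, and a vpngroup that actually hands it out.
    pools = {m.group(1) for m in all_matches(r"ip local pool (\S+) (\S+)$")}
    if not pools:
        missing.append("ip local pool <name> <first>-<last>")
    group_pool = first(r"vpngroup (\S+) address-pool (\S+)$")
    if not group_pool:
        missing.append("vpngroup <group> address-pool <pool>")
    elif group_pool.group(2) not in pools:
        missing.append(f"ip local pool {group_pool.group(2)} (referenced by vpngroup but not defined)")

    # nat 0 must exempt inside->pool traffic from translation, via an ACL that exists.
    nat0 = first(rf"nat \({inside}\) 0 access-list (\S+)$")
    if not nat0:
        missing.append(f"nat ({inside}) 0 access-list <acl>")
    elif not first(rf"access-list {re.escape(nat0.group(1))} permit ip "):
        missing.append(f"access-list {nat0.group(1)} permit ip <inside-net> <mask> <pool-net> <mask>")

    # IKE enabled on the outside interface with a pre-shared-key policy for vpngroup.
    if not first(rf"isakmp enable {outside}$"):
        missing.append(f"isakmp enable {outside}")
    if not first(r"isakmp policy \d+ authentication pre-share$"):
        missing.append("isakmp policy <n> authentication pre-share")

    # Crypto map chain: map bound to outside -> dynamic map -> transform set.
    bound = first(rf"crypto map (\S+) interface {outside}$")
    if not bound:
        missing.append(f"crypto map <map> interface {outside}")
    else:
        mapname = bound.group(1)
        dyn = first(rf"crypto map {re.escape(mapname)} \d+ ipsec-isakmp dynamic (\S+)$")
        if not dyn:
            missing.append(f"crypto map {mapname} <seq> ipsec-isakmp dynamic <dynmap>")
        else:
            ts = first(rf"crypto dynamic-map {re.escape(dyn.group(1))} \d+ set transform-set (\S+)$")
            if not ts:
                missing.append(f"crypto dynamic-map {dyn.group(1)} <seq> set transform-set <set>")
            elif not first(rf"crypto ipsec transform-set {re.escape(ts.group(1))} "):
                missing.append(f"crypto ipsec transform-set {ts.group(1)} ...")

    # Advisory: the thread's DES/MD5 choices are weak; use 3DES/AES and SHA where supported.
    for m in all_matches(r"isakmp policy \d+ (encryption|hash) (\S+)$"):
        if m.group(2) in ("des", "md5"):
            warnings.append(f"isakmp policy {m.group(1)} {m.group(2)} is weak")
    for m in all_matches(r"crypto ipsec transform-set (\S+) (.+)$"):
        weak = {"esp-des", "esp-md5-hmac"} & set(m.group(2).split())
        if weak:
            warnings.append(f"transform-set {m.group(1)} uses {', '.join(sorted(weak))}")

    return missing, warnings


if __name__ == "__main__":
    for label, cfg in (("incomplete", SAMPLE_INCOMPLETE), ("complete", SAMPLE_COMPLETE)):
        missing, warnings = check_remote_access_vpn(cfg)
        print(f"{label}: missing={missing} warnings={warnings}")
```

Run against a `show running-config` dump saved to a file by passing its contents to `check_remote_access_vpn`. Note what the check cannot see: the last reply's second question, whether the inside hosts default-route to the PIX so replies to pool addresses come back to the inside interface, is a LAN-host setting and has to be verified on those hosts, not in the PIX config.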