Easy VPN with third party client

mrthrt
Level 1

Hi all,

I'm using a netscreen vpn client to TRY to connect to a pix vpn on a 6.3 pix501 (3des license). Here's the problem:

I can connect to the vpn successfully, but I cannot get any traffic to flow. Once connected, I try to ping the inside interface (192.168.1.1). But I get no reply on the client machine (192.168.20.20).

'show ip local pool vpnpool' tells me that I'm allocated an ip of 192.16.2.1 (correct).

'show crypto ipsec sa' tells me that I'm connected OK with the expected public and private gateways. If I ping from the client, I can see the number of encrypted packets increase.

'show access-list' is odd! I get zero hitcnt on all configured access lists, BUT I see an access list called dynacl1 (or dynacl2, dynacl3, etc.) which does increase its hitcnt. Still no reply to the pings, though.

The client also tells me that encrypted traffic is flowing.

It looks to me like interesting traffic is misconfigured; I've tried lots of access-list combos with no success, though.

Someone please help before I go insane!!!

Here's the config with the irrelevant bits deleted.

Thanks,

mrthrt

PIX Version 6.3(3)
access-list outside-in permit tcp any host 192.168.2.2 eq ftp-data
access-list outside-in permit icmp any host 192.168.2.2 echo-reply
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside dhcp
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 172.16.2.1-172.16.2.100
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 192.168.1.2 255.255.255.255 0 0
nat (inside) 1 192.168.1.6 255.255.255.255 0 0
nat (inside) 1 192.168.1.11 255.255.255.255 0 0
nat (inside) 1 192.168.1.26 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside-in in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set ableset esp-3des esp-md5-hmac
crypto dynamic-map macdynmap 120 set transform-set ableset
crypto map macmap 120 ipsec-isakmp dynamic macdynmap
crypto map macmap client configuration address initiate
crypto map macmap client configuration address respond
crypto map macmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
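One way to check the thing the post suspects, that the nat 0 exemption ACL actually covers the addresses handed out from the VPN pool, as an added example that is not from the thread or from Cisco: a Python script that parses the relevant PIX lines and reports any pool address the nat 0 ACL does not exempt for the inside network. The config text is the relevant lines from the post, and the parser only understands network/mask ACL entries (an assumption; 'host' and 'any' forms are not handled).

```python
import ipaddress
import re

# Constructed sample: the NAT-exemption-related lines from the posted PIX 6.3 config.
PIX_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 172.16.2.1-172.16.2.100
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def parse_config(text):
    """Extract the inside network, the pools, the ACL entries and the nat 0 ACL name."""
    inside, pools, acls, nat0_acl = None, {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            # only network/mask source and destination entries are recognised (assumption)
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0_acl = m[1]
    return inside, pools, acls, nat0_acl


def check_nat_exemption(text):
    """Return a list of findings; an empty list means every pool address is exempted."""
    inside, pools, acls, nat0_acl = parse_config(text)
    if inside is None:
        return ["no 'ip address inside' line found"]
    if nat0_acl is None:
        return ["no 'nat (inside) 0 access-list' line: VPN return traffic would be NATed"]
    entries = acls.get(nat0_acl, [])
    findings = []
    for name, (first, last) in pools.items():
        # each pool block must be the destination of an entry whose source covers the inside net
        uncovered = [
            str(net) for net in ipaddress.summarize_address_range(first, last)
            if not any(inside.subnet_of(src) and net.subnet_of(dst) for src, dst in entries)
        ]
        if uncovered:
            findings.append(f"pool {name}: {', '.join(uncovered)} not exempted by {nat0_acl}")
    return findings
```

On the posted config the check returns no findings, so the nonat ACL itself covers the pool; a mistyped destination such as 192.16.2.0 would be reported.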

1 Reply

mrthrt
Level 1

oops!!

'show ip local pool vpnpool' tells me that I'm allocated an ip of 192.16.2.1 (correct).

should read:

'show ip local pool vpnpool' tells me that I'm allocated an ip of 172.16.2.1 (correct).

mrthrt