12-01-2004 03:49 PM
Hi all,
I'm using a NetScreen VPN client to TRY to connect to a PIX VPN on a 6.3 PIX 501 (3DES license). Here's the problem:
I can connect to the VPN successfully, but I cannot get any traffic to flow. Once connected, I try to ping the inside interface (192.168.1.1), but I get no reply on the client machine (192.168.20.20).
'show ip local pool vpnpool' tells me that I'm allocated an ip of 192.16.2.1 (correct).
'show crypto ipsec sa' tells me that I'm connected ok with the expected public and private gateways. If I ping from the client, I can see the number of encrypted packets increase.
'show access-list' is odd! I get zero hitcnt on all configured access lists, BUT I see an access list called dynacl1 (or dynacl2, or dynacl3, etc.) which does increase its hitcnt; still no reply to the pings though.
The client also tells me that encrypted traffic is flowing.
It looks to me like interesting traffic is misconfigured; I've tried lots of access-list combos with no success though.
Someone please help before I go insane!!!
Here's the config with the irrelevant bits deleted.
Thanks,
mrthrt
PIX Version 6.3(3)
access-list outside-in permit tcp any host 192.168.2.2 eq ftp-data
access-list outside-in permit icmp any host 192.168.2.2 echo-reply
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside dhcp
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 172.16.2.1-172.16.2.100
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.10 255.255.255.255 0 0
nat (inside) 1 192.168.1.2 255.255.255.255 0 0
nat (inside) 1 192.168.1.6 255.255.255.255 0 0
nat (inside) 1 192.168.1.11 255.255.255.255 0 0
nat (inside) 1 192.168.1.26 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside-in in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set ableset esp-3des esp-md5-hmac
crypto dynamic-map macdynmap 120 set transform-set ableset
crypto map macmap 120 ipsec-isakmp dynamic macdynmap
crypto map macmap client configuration address initiate
crypto map macmap client configuration address respond
crypto map macmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
12-01-2004 03:52 PM
Oops!!
'show ip local pool vpnpool' tells me that I'm allocated an ip of 192.16.2.1 (correct).
should read:
'show ip local pool vpnpool' tells me that I'm allocated an ip of 172.16.2.1 (correct).
mrthrt
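The checks the poster runs by hand above (does the allocated pool address fall inside the `nat (inside) 0` exemption ACL, and does the inside network match its source?) can be done mechanically against the posted config. The following is an added example, not code from the thread or from Cisco: it parses the four statements that have to agree for client-VPN traffic to reach inside hosts without being translated, using the posted lines as constructed sample input. Note that PIX access-lists take real subnet masks, not IOS-style wildcard masks, which the parser relies on. The function names and the `SAMPLE_CONFIG` string are assumptions of this example. It also flags the 192.16.2.1 typo from the first post, because that address is outside both the pool and the ACL. It checks address coverage only; whether the PIX answers a ping to its own inside interface across the tunnel is a separate question from reaching inside hosts.

```python
"""Sanity-check a PIX 6.3 client-VPN pool against the nat 0 (nonat) ACL.

Statements parsed (PIX ACLs use subnet masks, not wildcard masks):
  ip local pool <name> <first>-<last>
  access-list <name> permit ip <src> <srcmask> <dst> <dstmask>
  nat (inside) 0 access-list <name>
  ip address inside <addr> <mask>
"""
import ipaddress
import re

# Constructed sample: the relevant lines from the config posted in the thread.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 172.16.2.1-172.16.2.100
nat (inside) 0 access-list nonat
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")


def parse_config(text):
    """Collect pools, ip ACL entries, nat 0 bindings and the inside network."""
    pools, acls, nat0, inside = {}, {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # "addr/netmask" is accepted directly by ipaddress; strict=False
            # tolerates host bits in the address part.
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := INSIDE_RE.match(line):
            inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return {"pools": pools, "acls": acls, "nat0": nat0, "inside": inside}


def pool_is_exempt(cfg, pool_name, client_ip=None):
    """Return (ok, reason).

    ok is True when inside-network -> whole pool (or, if client_ip is given,
    inside-network -> that one address) is covered by a single entry of the
    ACL bound with 'nat (inside) 0'.  An ACL entry's destination is one
    contiguous network, so covering both ends of the pool covers all of it.
    """
    if cfg["inside"] is None:
        return False, "no 'ip address inside' statement found"
    if pool_name not in cfg["pools"]:
        return False, f"pool {pool_name} is not defined"
    acl_name = cfg["nat0"].get("inside")
    if acl_name is None:
        return False, "no 'nat (inside) 0 access-list' statement found"
    first, last = cfg["pools"][pool_name]
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        if not first <= addr <= last:
            return False, f"{addr} is outside pool {pool_name} ({first}-{last})"
        first = last = addr
    for src, dst in cfg["acls"].get(acl_name, []):
        if cfg["inside"].subnet_of(src) and first in dst and last in dst:
            return True, f"covered by {acl_name}: {src} -> {dst}"
    return False, f"{acl_name} has no entry for {cfg['inside']} -> {first}-{last}"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for client in (None, "172.16.2.1", "192.16.2.1"):
        print(client or "whole pool", pool_is_exempt(cfg, "vpnpool", client))
```

Run it as-is to see the whole pool and the real client address reported as covered, and the mistyped 192.16.2.1 reported as outside the pool.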