cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2919
Views
0
Helpful
28
Replies

EasyVPN and Pix501-Pix501-Problem

Hi,

I have a problem with my two Pix501.

I want that one of them is the EasyVPN Server and the other one is the EasyVPN Remote Client.

I configured everything like it is shown at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

In my testenvironment I have my "normal" network 192.168.0.0/24 that is at the outside interface of the two pixes. The EasyVPN Servers-network is 192.168.1.0/24 the otherone is 192.168.2.0/24.

My problem is, that the two pixes don't connect.

Here are the configs:

EasyVPN Server:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr02
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.3.1-192.168.3.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.1.200
vpngroup mygroup wins-server 192.168.1.200
vpngroup mygroup default-domain cisco.com
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4967199c613b5553f9bc5aaa09aa02b3
: end

Client:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 192.168.0.220
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80
Cryptochecksum:3caebce68a73c906150eb011e7b18f8a
: end

Does anyone has an idea why it doesn't work?

Thanks,

Kriss

28 Replies 28

Either the internal network is not included in the split-tunneling or NAT0 ACL or most likely, internally there's no route back to the

VPN pool pointing to the PIX.

Federico.

hmm,

my route at the pix is just the "default" one:

route outside 0.0.0.0 0.0.0.0 192.168.0.250 1

My Split-tunnel-configs are

vpngroup mygroup split-tunnel 101

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

additional I have this nat-settings:

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Kristian,

You're saying that from the VPN client you can PING the inside of the PIX but not the internal network correct?

What I meant is to check that the default gateway for the internal network is the PIX.

The actual route that you posted is the default gateway on the PIX (that is fine), but I'm talking about the route that uses the internal network to reach the PIX (is it a default gateway on the machines)?

Federico.

OK, now I understand.

There was no gateway on the machine I connect from. Why does the VPN Client Software does not that automaticaly?

I entered a gateway but no change. I am still able to ping the pix but not the machine

I tried some more pings:

Ping from connected Softwareclient to Pix: successful

Ping from connected Softwareclient to a machine in the network: fail (with and without a gateway)

Ping from Pix to Softwareclient: successful

Ping from Pix to machine: successful

Ping from machine to softwareclient: fail (with and without a gateway)

Ping from machine to Pix: successful

I tried out several things but I don't get the traffic to work

Has anybody any Ideas how to fix this problem?

Can you pls repost the latest configuration on the server?

I am interested to see what is the vpn client ip pool subnet. Hopefully it is not the same subnet as your internal network. If it is, please change it to a unique subnet.

yes, the IP-Pool is the same subnet as the inside interface.

I will try to change this and will report the result.

Thanks for the hint!

OK,

I tried it out but it didn't changed anything.

Here my current config


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
domain-name *********
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.220 255.255.255.0
ip address inside 192.168.1.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.1.60
vpngroup mygroup wins-server 192.168.1.60
vpngroup mygroup default-domain ***********
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Yes, you would need to add the following ACL:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.120.0 255.255.255.0

and also add this if vpn client is behind PAT device: isakmp nat-traversal 25

You would need to reconnect with your vpn client after the above changes.

your something like a cisco-god!

It works!!!

Thank you very very much!

Great to hear it's working now. Thanks for the rating.

I start crying ;(

everything worked in my homenet, then I installed the Pix at the final destination after changing the outside interface to PPPOE.

So now I have the two Pixes connected over the internet.

The Server is directly connected to the modem, the Client get the internetconnection over an existing network and it is using the gateway in that network for connecting to the internet.

Now I can ping the server-Pix from the remoteclient - and ONLY the server-Pix, no other clients.

If I connect from a softclient it is the same.

Here my final configs:

Server:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LLkMi3KcZgYfuWCi encrypted
passwd LLkMi3KcZgYfuWCi encrypted
hostname kr01icr02
domain-name ........
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
access-list 102 permit tcp host 192.168.128.78 any eq https
access-list 102 permit tcp host 192.168.128.78 any eq ftp
access-list 102 permit tcp host 192.168.128.78 any eq 27
access-list 102 permit tcp host 192.168.128.78 any eq www
access-list 102 permit tcp host 192.168.128.78 any eq 5938
access-list 102 permit tcp host 192.168.128.78 any eq 5959
access-list 102 permit ip any any (Just for having access from my current PC)
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.10 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
access-group 102 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain .......
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname -user-
vpdn group pppoe_group ppp authentication pap
vpdn username -user- password ********* store-local
terminal width 80
Cryptochecksum:1a8f27c3a10328f56b798f7634d2c691
: end
kr01icr02#

Client:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
domain-name ........
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.129.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.128.0 255.255.255.0 inside
telnet 192.168.129.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.129.0 255.255.255.0 inside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpnclient server wan-serverip
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80

Has anybody an idea?

I have to fix it today..

Here some more information that my help:

Ping from ServerPix to ClientPix - OK
Ping from ClientPix to ServerPix - OK
Ping from PC aus Server-Net to ServerPix - OK
Ping from PC aus Client-Net to ClientPix - OK
Ping from PC aus Client-Net to ServerPix - OK
Ping from PC aus Server-Net to ClientPix - OK
Ping from PC aus Server-Net to PC from Client-Netz - FAIL
Ping from PC aus Client-Net to PC from Server-Netz - FAIL

Ping from PC, via CiscoVPN-Client connected, to ServerPix - OK
Ping from PC, via CiscoVPN-Client connected, to ClientPix - FAIL - but you told me that it is normal, sh** happens...

Here the current configs:

Server
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LLkMi3KcZgYfuWCi encrypted
passwd LLkMi3KcZgYfuWCi encrypted
hostname kr01icr02
domain-name e***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
access-list 102 permit tcp host 192.168.128.78 any eq https
access-list 102 permit tcp host 192.168.128.78 any eq ftp
access-list 102 permit tcp host 192.168.128.78 any eq 27
access-list 102 permit tcp host 192.168.128.78 any eq www
access-list 102 permit tcp host 192.168.128.78 any eq 5938
access-list 102 permit tcp host 192.168.128.78 any eq 5959
access-list 102 permit tcp host 192.168.128.78 any eq domain
access-list 102 permit ip host 192.168.128.104 any
access-list 102 permit udp host 192.168.128.78 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.104 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
access-group 102 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain e****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname ***
vpdn group pppoe_group ppp authentication pap
vpdn username *** password ********* store-local
terminal width 80


Client:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
domain-name hamburg.praxis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.129.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.128.0 255.255.255.0 inside
telnet 192.168.129.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.129.0 255.255.255.0 inside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpnclient server 85.1**.**.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80

show route-Command shows:

Server:
kr01icr02# sh route
outside 0.0.0.0 0.0.0.0 213.191.84.232 1 PPPOE static
outside 85.1**.**.** 255.255.255.255 85.1**.**.** 1 CONNECT static
inside 192.168.128.0 255.255.255.0 192.168.128.220 1 CONNECT static

Client:
kr01icr03(config)# sh route
outside 0.0.0.0 0.0.0.0 192.168.0.250 1 OTHER static
outside 192.168.0.0 255.255.255.0 192.168.0.221 1 CONNECT static
inside 192.168.129.0 255.255.255.0 192.168.129.220 1 CONNECT static


show access-list shows:

Server:
kr01icr02# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=12)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0 (hitcnt=0)
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=0)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=0)
access-list 102; 10 elements
access-list 102 line 1 permit tcp host 192.168.128.78 any eq https (hitcnt=3329)
access-list 102 line 2 permit tcp host 192.168.128.78 any eq ftp (hitcnt=0)
access-list 102 line 3 permit tcp host 192.168.128.78 any eq 27 (hitcnt=0)
access-list 102 line 4 permit tcp host 192.168.128.78 any eq www (hitcnt=27)
access-list 102 line 5 permit tcp host 192.168.128.78 any eq 5938 (hitcnt=6)
access-list 102 line 6 permit tcp host 192.168.128.78 any eq 5959 (hitcnt=0)
access-list 102 line 7 permit tcp host 192.168.128.78 any eq domain (hitcnt=0)
access-list 102 line 8 permit ip host 192.168.128.104 any (hitcnt=974)
access-list 102 line 9 permit udp host 192.168.128.78 any eq domain (hitcnt=0)
access-list dynacl58; 1 elements
access-list dynacl58 line 1 permit ip 192.168.128.0 255.255.255.0 host 192.168.0.221 (hitcnt=0)
access-list dynacl59; 1 elements
access-list dynacl59 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=8)

Client:
kr01icr03(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list _vpnc_acl; 2 elements
access-list _vpnc_acl line 1 permit ip 192.168.129.0 255.255.255.0 192.168.128.0 255.255.255.0 (hitcnt=19)
access-list _vpnc_acl line 2 permit ip host 192.168.0.221 192.168.128.0 255.255.255.0 (hitcnt=3)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: