PIX 506 remote access VPN problem

rahul.raina
Level 1

hi,

I am using a PIX 506 with a DSL connection. We are able to access the Internet through the PIX. But when I create the remote access VPN on the PIX, the tunnel is getting created, but I am not able to ping into the inside LAN on the PIX side.

When I check the VPN client status, the packets received are zero and only the packets sent are changing when I try to ping the inside network on the PIX side. We are using the Zyxel Prestige ADSL router 645 for Internet connectivity. I am also able to gain access to the PIX PDM from outside, as I have allowed that for testing purposes. Can anyone help me with that?

Thanks.

3 Replies

jmia
Level 7

Rahul,

Firstly, add (in config mode) to your pix config:

> isakmp nat-traversal

Test again and see if this resolves your problem. If it does not then can you post your pix config (taking out any sensitive info) please.

If this post helps with your problem then please rate the post, as others might be looking for the same solution.

Thanks,

Jay

Thanks Jay,

I have already tried >isakmp nat-traversal.

The bytes out are there on the VPN client when the tunnel is created, but bytes in is zero. I am posting some of the pix config, like the access-lists and VPN config.

The access lists and VPN config:

access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 192.168.x.x 255.255.255.240
access-list splitTunnelAcl permit ip 192.168.x.x 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.x 255.255.255.240
ip local pool cisco 192.168.x.x-192.168.x.y
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 a.b.c.d 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup cisco address-pool cisco
vpngroup cisco split-tunnel splitTunnelAcl
vpngroup cisco idle-time 1800
vpngroup cisco password *******
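As an added check that is not part of the original thread: a Python script that reads a PIX 6.x configuration in the shape posted above and flags the usual configuration causes of the "bytes out, but no bytes in" symptom, that is a client pool that the nat 0 ACL does not exempt from translation, a pool that overlaps the inside LAN, missing NAT traversal, and vpngroup lines pointing at an undefined pool or split-tunnel ACL. The two sample configs inside it are constructed, with made-up addresses standing in for the 192.168.x.x the post masks, and the parser only understands the line forms shown in the post.

```python
"""Offline sanity checks for a PIX 6.x remote-access VPN config.

'Bytes out but no bytes in' on the VPN client means its packets reach the PIX
but replies never come back through the tunnel. The checks below look for the
usual config causes rather than replacing 'show crypto ipsec sa' on the box.
"""
import ipaddress
import re

# Constructed sample in the shape of the config posted in the thread; the
# addresses are made up (the post masks them as 192.168.x.x).
GOOD_CONFIG = """\
access-list inside_access_in permit icmp any any echo
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
access-list splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.240
ip local pool cisco 192.168.2.1-192.168.2.14
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup cisco address-pool cisco
vpngroup cisco split-tunnel splitTunnelAcl
"""

# Same config with the pool moved into the inside LAN, a common mistake that
# the nat 0 ACL above no longer covers.
BAD_CONFIG = GOOD_CONFIG.replace("192.168.2.1-192.168.2.14", "192.168.1.200-192.168.1.210")

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens, i):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Map ACL name -> list of (src_network, dst_network) for its permit entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        src, i = _take_addr(tok, 4)   # tok[3] is the protocol (ip, icmp, ...)
        dst, _ = _take_addr(tok, i)   # trailing icmp types are ignored
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


def parse_pools(config):
    """Map pool name -> list of every address in its 'ip local pool' range."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)$", config, re.M):
        first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        pools[m.group(1)] = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
    return pools


def check_config(config):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    acls = parse_acls(config)
    pools = parse_pools(config)

    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    nat0_entries = acls.get(nat0.group(1), []) if nat0 else []
    if not nat0_entries:
        findings.append("no usable 'nat (inside) 0 access-list' entry: replies to VPN clients "
                        "will be translated by the outbound nat/global pair instead of going "
                        "back down the tunnel")

    if not re.search(r"^isakmp nat-traversal", config, re.M):
        findings.append("isakmp nat-traversal is missing: ESP will not pass the ADSL router's NAT")

    for m in re.finditer(r"^vpngroup (\S+) address-pool (\S+)$", config, re.M):
        group, pool_name = m.groups()
        if pool_name not in pools:
            findings.append(f"vpngroup {group} references undefined pool {pool_name}")
            continue
        addrs = pools[pool_name]
        not_exempt = [ip for ip in addrs if not any(ip in dst for _, dst in nat0_entries)]
        if not_exempt:
            findings.append(f"pool {pool_name}: {not_exempt[0]} (and {len(not_exempt) - 1} more) "
                            "not covered by the destination side of the nat 0 ACL")
        overlap = [ip for ip in addrs if any(ip in src for src, _ in nat0_entries if src != ANY)]
        if overlap:
            findings.append(f"pool {pool_name}: {overlap[0]} falls within the inside LAN subnet "
                            "(inside hosts will ARP for it locally instead of routing via the PIX)")

    for m in re.finditer(r"^vpngroup (\S+) split-tunnel (\S+)$", config, re.M):
        if m.group(2) not in acls:
            findings.append(f"vpngroup {m.group(1)} split-tunnel ACL {m.group(2)} is not defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(cfg) or ["no findings"])
```

Paste a real `show run` in place of the constructed sample to run it against your own box; the constructed GOOD_CONFIG produces no findings, while BAD_CONFIG (pool inside the LAN) is flagged twice, once for not being NAT-exempt and once for overlapping the inside subnet.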

Rahul,

The config looks okay. As a test, can you take out the PDM setup and follow the instructions from the following document; also take out those ACLs for ICMP. If you are still having problems then let me know; if you like you can contact me directly at jmia@ohgroup.co.uk

http://www.cisco.com/warp/public/110/pix3000.html

Let me know - Good luck.

Jay