12-22-2004 07:44 AM
Hello,
I got a pix 501 (6.3-4) over a lan and trying to use Cisco VPN Client (4.0.2-D) on a remote pc.
I can open a vpn session.
I can't ping from the remote pc to the lan
I can ping from any station on the lan to the remote pc
After I've made a ping from a station on the lan to the remote pc, I can ping from the remote pc to the lan.
I'm so newb, trying for 2 days modifying acls, no way.
I have to say that I'm in dynamic wan ip on the lan and on the remote pc.
Any idea about this problem ?
Any help is welcome.
Here is my pix configuration :
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************** encrypted
passwd ************* encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup .../...
fixup protocol tftp 69
names
name 192.168.42.0 Dmi
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
access-list outside_cryptomap_dyn_20 permit icmp any any
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x.255.255.224
ip address inside 192.168.42.40 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
pdm location 192.168.229.1 255.255.255.255 outside
pdm location 209.165.x.x.x.255.255 inside
pdm location 209.x.x.x.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Dmi 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.42.100 /
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt pass
auth-prompt accept good
auth-prompt reject bad
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dmivpn address-pool dmivpndhcp
vpngroup dmivpn dns-server 192.168.42.20
vpngroup dmivpn wins-server 192.168.42.20
vpngroup dmivpn default-domain defi.local
vpngroup dmivpn idle-time 1800
vpngroup dmivpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username vpnuser password ********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.42.41-192.168.42.72 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:****************************
Solved! Go to Solution.
12-22-2004 09:01 AM
Noelle,
Add command: (in config mode) : isakmp nat-traversal
Let me know if this helps.
Jay
12-22-2004 09:01 AM
Noelle,
Add command: (in config mode) : isakmp nat-traversal
Let me know if this helps.
Jay
12-23-2004 01:19 AM
yes ! it works !!
many thanks.
01-12-2005 10:57 AM
Jay, I am having the same problem, but my PIX won't accept the isakmp nat-traversal command, I just get the information for other isakmp commands. Any ideas.
01-12-2005 11:47 PM
hello dianad,
you need to upgrade you PIX to the latest IOS.. try uploading it to 6.3 (3) or 6.3 (4). it isnt supported on the older IOS. try it and let us know..
All the best..
Raj
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide