11-18-2005 01:14 AM - edited 02-21-2020 02:06 PM
Hi Sir,
I'm configuring a PIX 525 Firewall running Security Appliance Software version 7.0(4), to support remote access VPNs using IPSec-over-TCP (port 80).
ISAKMP is enabled and crypto map set is applied on the inside interface which terminates the VPN tunnel from VPN clients. An ACL is applied inbound on inside interface which permits "ip any any" (for troubleshooting purpose).
I also have configured these commands:
sysopt connection permit-ipsec
isakmp nat-traversal 3600
isakmp ipsec-over-tcp port 80
I used Cisco VPN Client Version 4.0.2 (A) to connect to the PIX but failed. The following are the error messages on the PIX:
Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)
Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I
Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside
Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80
Note:
10.1.1.1 - IP address of PIX
10.230.5.133 - IP address of my workstation from which I launched VPN
Attached is a screenshot of my VPN client configuration settings.
Could anyone please tell me what's missing to make the setup work (i.e. IPSec over TCP with port 80)?
Thank you.
B.Rgds,
Lim TS
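Added example, not part of the original post and not Cisco tooling: a short Python script that correlates the four PIX syslog lines quoted above by connection id and address/port pair. The function names are hypothetical, and the reading of "Reset-I" as a reset from the inside host and "NP Identity Ifc" as the firewall's own address is an assumption based on Cisco's syslog conventions.

```python
import re

# Log lines copied from the post above.
LOG = """\
Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)
Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I
Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside
Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80
"""

BUILT = re.compile(r"%PIX-6-302013: Built (\w+) TCP connection (\d+) for "
                   r"(\S+?):([\d.]+)/(\d+) \(.*?\) to (.+?):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\S+) bytes (\d+) (.+)$")
DENY = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from "
                  r"([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags (.+?) on interface")

def triage(log):
    """Group build, teardown and post-teardown deny events per connection."""
    conns = {}
    for line in log.splitlines():
        line = line.strip()
        if m := BUILT.search(line):
            conns[m[2]] = {"id": int(m[2]), "src": (m[4], m[5]), "dst_ifc": m[6],
                           "dst": (m[7], m[8]), "late_packets": []}
        elif m := TEARDOWN.search(line):
            if m[1] in conns:
                conns[m[1]].update(duration=m[2], bytes=int(m[3]), reason=m[4])
        elif m := DENY.search(line):
            for c in conns.values():
                # Only count packets seen after the matching connection closed.
                if "reason" in c and c["src"] == (m[1], m[2]) and c["dst"] == (m[3], m[4]):
                    c["late_packets"].append(m[5])
    return list(conns.values())

def summarize(c):
    notes = [f"conn {c['id']}: {':'.join(c['src'])} -> {c['dst_ifc']} {':'.join(c['dst'])}"]
    if c.get("bytes") == 0:
        notes.append("closed with zero payload bytes")
    if c.get("reason", "").endswith("Reset-I"):  # assumption: -I = inside host
        notes.append("reset came from the inside host")
    if c["late_packets"]:
        notes.append("dropped after teardown: " + ",".join(c["late_packets"]))
    return "; ".join(notes)

if __name__ == "__main__":
    for conn in triage(LOG):
        print(summarize(conn))
```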
11-18-2005 05:04 AM
Did you configure:
crypto ipsec transform-set
crypto dynamic-map
crypto map xxx 10 ipsec-isakmp dynamic
crypto map xxx interface inside
isakmp enable inside
isakmp policy
vpngroup ???
11-19-2005 07:23 PM
Hi,
My VPN config was working fine before I posted this problem. FYI, the command "vpngroup" is deprecated in version 7.0 and replaced by "tunnel-group".
My problem is, there's a requirement to enable IPSec over TCP on port 80 for remote VPN clients. To the best of my knowledge, the only command needed is "isakmp ipsec-over-tcp port 80", which I configured, but it failed to work.
I included the PIX system error messages in my earlier post. Also attached was a screenshot of VPN client 4.0.2 (A).
Please help.
Thank you.
B.Rgds,
Lim TS