06-06-2006 11:17 AM
Greetings all,
I need some help going through this configuration. As in my previous post, I would like the headquarters PIX 515 configured so that it can accept Cisco VPN clients and at the same time do L2L with a remote office. I tested out the VPN client and it does not accept usernames from Windows Active Directory, but it will accept local usernames defined on the PIX. My L2L does not work. Please review the config in the attachment and see if you find something wrong.
Thank you very much!
06-06-2006 09:41 PM
Hello,
PIX code 6.3.5 will not talk to Active Directory. You must install an MS IAS server (RADIUS) so that the VPN clients talk to IAS, and IAS then talks to AD.
On the Cisco site look for 'ipsec configuration examples' and you will find a page full of IPsec configuration examples for every Cisco device (well, nearly); you will also find the configuration of IAS to talk to the PIX.
Support for AD is in 7.x code.
Vikas
06-06-2006 09:54 PM
Hello,
Could you post the debugs also?
Vikas
06-07-2006 09:34 PM
Hi Vikas,
Thank you for your response. My PIX 515E has version 7.1.2. It is the PIX that is acting as the concentrator, or endpoint, for the Cisco VPN clients. I configured it to use RADIUS and it is pointed at a Windows 2000 RADIUS server (IAS). Previously, when I set up the VPN client using ASDM, it worked fine but the configuration seemed not very clean. By the way, my L2L is up and working. The reason it was not working is that the remote office turned off the computer. Right now, I am still having a problem with the client VPN. I configured a local VPN user and I can VPN in, but I cannot access any resources. Not sure if it has anything to do with my IP pool or the access list. Also, I have attached the debug. Level 1-255 debug? I turned on level 7.
Thanks
06-07-2006 10:12 PM
Update.
After I added these commands, I can authenticate against the IAS RADIUS server.
tunnel-group IDSDYNAMICMAP general-attributes
address-pool VPNclient
authentication-server-group IDSDC02
But the problem is still this: I can't access anything inside while the VPN tunnel is established. The error ASDM reported is:
no translation group found for tcp src outside:192.168.0.1/1817 des inside 192.168.100.10
06-08-2006 04:08 PM
Updating on this problem.
Since this PIX is version 7, it has Cisco router IOS-style commands. So, the problem is the access-list IP address subnet mask. For example:
My IP local pool for remote VPN clients:
ip local pool VPNclient 172.16.0.10-172.16.0.15 mask 255.255.0.0
In PIX version 6, I can type:
access-list noNAT_inside extended permit ip any 172.16.0.0 255.255.0.0
In PIX version 7, I typed the above and my VPN client would not connect to my internal network.
So, I modified it to:
access-list noNAT_inside extended permit ip any 172.16.0.8 255.255.255.248
For subnetting review, 254-248 gives me 6 IP addresses, since in my IP pool I defined 172.16.0.10 to .15.
Hope this helps.
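To make the subnetting step above repeatable, here is an added helper (not from the thread or from Cisco) that reads the `ip local pool` line, derives the smallest subnet that contains the whole pool, emits the PIX 7 style `noNAT_inside` entry with a subnet mask, and checks that a given ACL entry actually covers every pool address. The pool line and ACL name are the constructed sample from this thread; the parsing only handles the `permit ip any <net> <mask>` form shown here.

```python
import ipaddress
import re

# Constructed sample: the pool and no-NAT ACL name from this thread, as typed on the PIX.
POOL_LINE = "ip local pool VPNclient 172.16.0.10-172.16.0.15 mask 255.255.0.0"
ACL_NAME = "noNAT_inside"


def parse_local_pool(line):
    """Return (first, last) addresses of an 'ip local pool NAME A-B ...' command."""
    m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", line.strip())
    if not m:
        raise ValueError("not an 'ip local pool' line: %r" % line)
    return ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))


def smallest_covering_network(first, last):
    """Smallest single subnet that contains every address from first to last."""
    if last < first:
        raise ValueError("pool end precedes pool start")
    prefix = 32
    net = ipaddress.IPv4Network((str(first), prefix), strict=False)
    while last not in net:           # widen the prefix until the last address fits
        prefix -= 1
        net = ipaddress.IPv4Network((str(first), prefix), strict=False)
    return net


def nonat_acl_line(acl_name, net):
    """PIX 7 syntax: a subnet mask (255.255.255.248), not an IOS wildcard mask."""
    return "access-list %s extended permit ip any %s %s" % (
        acl_name, net.network_address, net.netmask)


def acl_covers_pool(acl_line, first, last):
    """True if a 'permit ip any <net> <mask>' entry contains the whole pool range."""
    m = re.search(r"permit ip any (\S+) (\S+)$", acl_line.strip())
    if not m:
        raise ValueError("unexpected ACL syntax: %r" % acl_line)
    net = ipaddress.IPv4Network("%s/%s" % (m.group(1), m.group(2)), strict=False)
    return first in net and last in net


def derive_nonat_for_pool(pool_line, acl_name=ACL_NAME):
    """Build the tightest no-NAT ACL entry for the pool defined in pool_line."""
    first, last = parse_local_pool(pool_line)
    return nonat_acl_line(acl_name, smallest_covering_network(first, last))


if __name__ == "__main__":
    line = derive_nonat_for_pool(POOL_LINE)
    print(line)  # access-list noNAT_inside extended permit ip any 172.16.0.8 255.255.255.248
    print("covers pool:", acl_covers_pool(line, *parse_local_pool(POOL_LINE)))
```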