VPN client 3.1 connecting to PIX 515

mjhagen
Level 1

I have set up the PIX to allow IPSec clients and I am able to connect to the PIX, but I cannot access anything on the inside network. My config is:

access-list 101 permit ip 171.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside x.x.x.x 255.255.255.128
ip address inside 172.16.1.254 255.255.255.0
ip local pool vpnclients 172.16.2.100-172.16.2.150
global (outside) 1 x.x.x.x
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp client configuration address-pool local vpnclients outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool vpnclients
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
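One check worth running on a config like this before chasing routing: does the nat 0 exemption ACL actually cover traffic from the inside subnet to the VPN client pool? The script below is an added example, not something posted in this thread; it parses only the statement forms used above (an assumption) and, on the config as posted, flags that access-list 101 names 171.16.1.0/24 as the source while the inside interface sits in 172.16.1.0/24, so inside-to-pool traffic would not match the exemption.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config from the question above, copied verbatim
# (note the 171.16.1.0 source address in access-list 101).
PIX_CONFIG = """
access-list 101 permit ip 171.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address inside 172.16.1.254 255.255.255.0
ip local pool vpnclients 172.16.2.100-172.16.2.150
nat (inside) 0 access-list 101
"""

def parse_pix(config):
    """Extract the inside interface, local pools, the nat 0 ACL id and its entries.
    Only the statement forms used in the thread are understood (an assumption)."""
    inside = acl_id = None
    pools, acl_entries = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            acl_id = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}")
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            acl_entries.setdefault(m[1], []).append((src, dst))
    return inside, pools, acl_id, acl_entries

def check_nat_exemption(config, pool_name):
    """Return findings as strings; an empty list means inside -> pool is NAT-exempt."""
    inside, pools, acl_id, acls = parse_pix(config)
    if inside is None or acl_id is None or pool_name not in pools:
        return ["missing inside address, nat 0 statement or pool definition"]
    lo, hi = pools[pool_name]
    findings = []
    for src, dst in acls.get(acl_id, []):
        if lo not in dst or hi not in dst:
            continue                      # entry does not cover the client pool
        if inside.ip in src:
            return []                     # inside subnet -> whole pool is exempt
        findings.append(f"ACL {acl_id}: source {src} does not contain "
                        f"inside subnet {inside.network}")
    return findings or [f"ACL {acl_id} has no entry covering pool {lo}-{hi}"]
```

Calling check_nat_exemption(PIX_CONFIG, "vpnclients") returns the single finding about the source of access-list 101; with the source corrected to 172.16.1.0 it returns an empty list.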

3 Replies

cjacinto
Cisco Employee

Check if the inside clients have their default g/w set to the inside of the PIX, or, if it is not set to this and is set to a router, check if the router has a default route pointing to the internal IP of the PIX, or at least has a static route to the IP pool you assign to the client, via the PIX inside interface.

Possible issue 1 is that you have a network card on the PC that has the same address range as the IP address of the VPN client pool. Do an ipconfig /release all, then reconnect if you have this issue.

Another one is that your client is behind a device doing PAT/NAT; in its current code, the PIX doesn't support IPSec thru NAT, so you have to bypass the NAT device when you connect to the PIX via VPN.

My PCs are set to use a router on the inside as their default gateway. I have static routes on the router to send inside interface traffic (172.16.1.x) to the PIX inside interface (172.16.1.254) and inside interface traffic (172.16.2.x) to the PIX inside interface (172.16.1.254). My VPN client is not behind a NAT/PAT device, as I have connected my PC to the outside network of the PIX for testing.

mkalat
Level 1

I think you are missing a static rule.

Something like

static (inside,outside) CallcenterRwell CallcenterRwell netmask 255.255.255.255 0 0