03-10-2004 12:22 PM
I am trying to get the Cisco VPN client (WinXP) to connect to a PIX, but the client is also behind a PIX and it's not passing traffic (connects OK). The diagram goes like this...
vpnclient-->pix_1-->internet--pix_2-->target_network
Everything looks good in the stats and I authenticate, but no traffic is passed. The virtual interface on the client PC shows up and the route tables look good. I recall there is something I need to do in PIX_1 to allow this to happen but I don't remember what it would be. PIX_2 is configured OK and accepts VPN connections for others just fine.
Additional info: PIX_1 is a 506E, PIX_2 is a 515. PIX_1 is in a SOHO DSL environment and has only one outside IP address. PIX_2 is in a corporate environment. For various reasons it is not desirable to set up a PIX-PIX VPN.
Has anyone dealt with this before?
03-10-2004 12:31 PM
Hi,
Can you post your PIX configs? Did you allow ESP traffic from the outside coming in on PIX_1?
03-10-2004 02:31 PM
I haven't done anything to allow ESP inbound on PIX_1. I'll check CCO and see how to allow it. Here is the PIX_1 config (shortened). The IPsec config is to allow me to connect from outside and hopefully isn't going to affect what I am trying to do.
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq ssh
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq www
access-list inside_outbound_nat0_acl permit ip 192.168.99.0 255.255.255.0 192.168.99.192 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.192 255.255.255.224
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.99.1 255.255.255.0
ip local pool anse 192.168.99.201-192.168.99.211
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh 192.168.99.11 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp mailhost smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.99.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.99.11 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server radius (inside) host 192.168.99.3 (password) timeout 10
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication radius
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup homeboy address-pool anse
vpngroup homeboy dns-server 192.168.99.3
vpngroup homeboy wins-server 192.168.99.3
vpngroup homeboy default-domain kendall.local
vpngroup homeboy idle-time 1800
vpngroup homeboy password ********
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname (name)
vpdn group pppoe_group ppp authentication pap
vpdn username jandlfogg password *********
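Added example (mine, not from the thread and not Cisco code): a small checker that reads PIX 6.x configuration lines like the ones posted above and reports which IPsec encapsulations a remote-access client sitting *behind* that PIX can use. It encodes the reason for "connects OK but passes no traffic": IKE is plain UDP/500, so `global (outside) 1 interface` PAT builds an xlate for it and the client authenticates, but bare ESP (IP protocol 50) has no ports, so a PIX translating everything to its single interface address has nothing to key an xlate on, and the return ESP from PIX_2 is dropped regardless of the inbound ACL. UDP-wrapped ESP (NAT-T on UDP/4500, or Cisco IPsec-over-UDP) is PAT'd like IKE. The function names, the embedded config excerpt and the `203.0.113.5` static used in testing are constructed for the example; the PIX commands it mentions (`isakmp nat-traversal`, `vpngroup <name> ipsec-udp`, `fixup protocol esp-ike` and its ISAKMP restriction) are as I recall them from the PIX 6.3 command reference, so verify them against your release.

```python
"""Checker for 'IPsec client behind a PIX doing PAT' (added example, not
Cisco's code and not from the original post).

IKE is plain UDP/500, so PIX_1 builds a PAT xlate for it and the client
reaches 'connected'.  Bare ESP (IP protocol 50) carries no ports, so a PIX
translating everything to its one interface address has nothing to key an
xlate on and the tunnel passes no data.  UDP-encapsulated ESP (NAT-T on
UDP/4500, or Cisco IPsec-over-UDP) is PAT'd like IKE; otherwise the client
needs a whole-address static, or PIX 6.3's 'fixup protocol esp-ike'.
"""
import re

# Constructed sample: the translation-relevant lines of the PIX_1 config above.
PIX1_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq ssh
ip address outside pppoe setroute
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh 192.168.99.11 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp mailhost smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
isakmp enable outside
"""


def parse_pix(config):
    """Pull out the facts that decide whether ESP can be translated."""
    facts = {
        "pat_on_interface": False,  # global (outside) N interface
        "one_to_one_statics": [],   # static (inside,outside) <global> <local> netmask ...
        "esp_fixup": False,         # fixup protocol esp-ike (PIX 6.3)
        "isakmp_outside": False,    # isakmp enable outside
        "acl_permits_esp": False,   # permit esp / permit ip on the ACL applied outside-in
    }
    inbound_acl = None
    permits = []  # (acl name, protocol keyword)
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"global \(outside\) \d+ interface", line):
            facts["pat_on_interface"] = True
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line):
            # No tcp/udp keyword: whole-address static, translates any IP protocol.
            facts["one_to_one_statics"].append((m.group(1), m.group(2)))
        elif line == "fixup protocol esp-ike":
            facts["esp_fixup"] = True
        elif line == "isakmp enable outside":
            facts["isakmp_outside"] = True
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            inbound_acl = m.group(1)
        elif m := re.match(r"access-list (\S+) permit (\S+)", line):
            permits.append((m.group(1), m.group(2)))
    facts["acl_permits_esp"] = any(
        name == inbound_acl and proto in ("esp", "ip") for name, proto in permits
    )
    return facts


def assess(facts):
    """Map each client encapsulation to (works_through_pix1, reason)."""
    outbound_nat = facts["pat_on_interface"] or bool(facts["one_to_one_statics"])
    udp_ok = (outbound_nat, "UDP gets a PAT xlate like any other outbound flow")
    if facts["one_to_one_statics"]:
        esp = (True, "a whole-address static translates every IP protocol, ESP included")
    elif facts["esp_fixup"]:
        esp = (True, "fixup protocol esp-ike PATs a single ESP tunnel (PIX 6.3)")
    else:
        esp = (False, "PAT to the interface address cannot translate a port-less protocol; "
                      "an inbound 'permit esp' alone does not create the missing xlate")
    result = {
        "ike_udp_500": udp_ok,
        "nat_t_udp_4500": udp_ok,   # PIX_2 side needs: isakmp nat-traversal (PIX 6.3)
        "ipsec_over_udp": udp_ok,   # PIX_2 side needs: vpngroup <name> ipsec-udp
        "bare_esp": esp,
    }
    if facts["esp_fixup"] and facts["isakmp_outside"]:
        # PIX 6.3 documents the esp-ike fixup as incompatible with ISAKMP enabled on
        # any interface; PIX_1 terminates its own clients, so this is a real trade-off.
        result["warning"] = (False, "fixup protocol esp-ike conflicts with 'isakmp enable outside'")
    return result


if __name__ == "__main__":
    for mode, (ok, why) in assess(parse_pix(PIX1_CONFIG)).items():
        print(f"{mode:16} {'OK' if ok else 'NO'}  {why}")
```

Run against the posted config it reports the three UDP-based modes as passable and bare ESP as not, which matches the symptom in the thread: phase 1 and the XAUTH exchange complete over UDP/500, then nothing flows. The practical fix is therefore on the client and PIX_2 side (enable NAT-T or IPsec-over-UDP, and select transparent tunneling in the client), not an ACL entry on PIX_1.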
03-10-2004 06:50 PM
Hi,
Try this...
access-list outside_access_in permit esp host