04-25-2006 02:48 PM
I am using PIX 7.0 and VPN Client 4.8.
I can connect to the PIX outside (208.87.60.177), but from the VPN client I can't see the subnet of the PIX inside (168.x.x.0). The VPN client can't access the internal subnet. Please help me, thanks!
1. Network Diagram
vpn client-----(Internet)------pix---168.x.x.x
2. Configuration
pixfirewall(config)# show run
: Saved
:
PIX Version 7.0(4)12
!
interface Ethernet0
nameif outside
security-level 0
ip address isp_addr 255.255.255.192 standby isp_addr
!
interface Ethernet1
nameif inside
security-level 100
ip address 168.x.x.x.255.255.0 standby 168.50.6.151
!
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.16.0 255.255.255.0
ip local pool hpcisco 172.16.16.1-172.16.16.254 mask 255.255.255.0
failover
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 168.x.x.x.255.255.0
route outside 0.0.0.0 0.0.0.0 isp 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group hpcisco type ipsec-ra
tunnel-group hpcisco general-attributes
address-pool hpcisco
tunnel-group hpcisco ipsec-attributes
pre-shared-key *
04-25-2006 10:48 PM
Have you enabled NAT traversal? If you are behind a device doing NAT then you need to enable this feature:
isakmp nat-traversal 30
04-26-2006 12:56 AM
Many thanks, I have added this command, but the situation is the same.
isakmp nat-traversal 30
04-26-2006 04:45 AM
Can you post the output of
show running-config sysopt
04-26-2006 05:47 AM
Thanks. Result of the command "show running-config sysopt":
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
04-26-2006 04:08 PM
Can you please add the following access list and apply it to the internal interface:
access-list Inside_out extended permit ip any 172.16.16.0 255.255.255.0
access-group Inside_out in interface Inside
04-26-2006 07:15 PM
I have added the access-list, but show access-list indicates hitcnt=0, as follows. Thanks!
access-list Inside_out; 1 elements
access-list Inside_out line 1 extended permit ip any 172.16.16.0 255.255.255.0 (hitcnt=0)
04-27-2006 07:32 AM
Does your inside router know what to do with 172.16.16.0? You may have to add a static route to it:
ip route 172.16.16.0 255.255.255.0 168.x.x.x (where 168.x.x.x is the inside address of the pix).
04-27-2006 07:44 AM
I have tried that, but it doesn't work.
05-24-2006 03:11 AM
Hi,
can you change your access-list configuration to something like:
access-list outside_cryptomap_dyn_20 extended permit ip 168.50.x.x 255.255.255.0 172.16.16.0 255.255.255.0
gopikrish
05-28-2006 01:36 AM
Hello,
I hope that the problem is solved by now. In case it is not, could you paste the complete configuration please, probably as an attachment.
There could be many possibilities for the VPN client not to communicate. With 7.0 I have limited experience; however, conceptually it is not very different from 6.x.
Please paste the complete configuration.
Connect with the VPN client.
Ping something on the inside.
Check the encryption, decryption status on the Client.
Check sh cry ipsec sa and note the decryption counter. If you see something here, that means you received what the Client sent.
Then check if you (the PIX) are encrypting something.
Vikas
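The replies above keep circling the same three things: the nat 0 exemption, the dynamic crypto map's match ACL, and sysopt connection permit-ipsec. As an added example (not from this thread or from Cisco), here is a small Python checker that parses a PIX 7.0 running-config for the ipsec-ra pieces and reports whether the client address pool is covered by each; the sample configuration is constructed from the lines posted above, with the redacted 168.x.x.x lines left out.

```python
import ipaddress
import re

# Constructed sample taken from the lines posted in this thread (redacted 168.x.x.x omitted).
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 172.16.16.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 172.16.16.0 255.255.255.0
ip local pool hpcisco 172.16.16.1-172.16.16.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
sysopt connection permit-ipsec
"""

def _addr(tokens, i):
    # One ACL address operand, 'any' or 'A MASK'; returns (network, index of the next token)
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def acl_entries(config, name):
    """(src, dst) network pairs for the 'extended permit ip' lines of one ACL."""
    entries = []
    for m in re.finditer(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M):
        tokens = m.group(1).split()
        src, i = _addr(tokens, 0)
        dst, _ = _addr(tokens, i)
        entries.append((src, dst))
    return entries

def pool_network(config):
    """Network of the 'ip local pool' handed to VPN clients, or None."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None

def check_ra_vpn(config):
    """Return a list of findings; an empty list means every check passed."""
    pool = pool_network(config)
    if pool is None:
        return ["no 'ip local pool' found"]
    findings = []
    # nat 0 ACL must contain the whole pool, or inside->pool traffic is PATed by 'nat (inside) 1'.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m or not any(pool.subnet_of(dst) for _, dst in acl_entries(config, m.group(1))):
        findings.append(f"nat (inside) 0 exemption does not cover pool {pool}")
    for m in re.finditer(r"^crypto dynamic-map \S+ \d+ match address (\S+)", config, re.M):
        if not any(pool.subnet_of(dst) for _, dst in acl_entries(config, m.group(1))):
            findings.append(f"crypto ACL {m.group(1)} does not cover pool {pool}")
    if not re.search(r"^sysopt connection permit-ipsec", config, re.M):
        findings.append("sysopt connection permit-ipsec is missing")
    return findings
```

Feed it the text of show running-config; on the posted configuration all three checks pass, which points the troubleshooting at the inside network's return route rather than at the PIX.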