
Cisco VPN client 1

Status: Not open for further replies.

dloz (Technical User, US)
Apr 12, 2005
This is kind of a strange one if anyone can help it would be appreciated.

I have a Cisco PIX 501 that already has a working site-to-site VPN. Now I am trying to connect with the VPN client. From XP machines (I've tried three) with the Windows firewall turned off, the client connects but no traffic is being passed through the VPN. Statistics show packets being sent and encrypted but not received and decrypted. This makes me think it's an access list problem, but this does work on a Windows 98 machine from the same LAN as the XP machines. The Windows XP machine works when connecting to a different Cisco VPN with the same client. Unfortunately this connection is managed by a third party and I cannot look at the config on the VPN side. The VPN client says version 4.7.00.0533. I have also tried version 4.8.??.???. Here is the config, which I tend to think is okay since the Windows 98 machine works.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
name 192.168.100.1 server
object-group service ssh tcp
port-object eq ssh
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 host peoplesoft
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 host chdescup
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list inside_nat0_outbound permit ip any 192.168.105.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 host peoplesoft
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 host chdescup
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any unreachable
access-list SSH_INBOUND permit tcp any interface outside eq ssh
access-list SSH_INBOUND permit tcp any interface outside eq https
access-list SSH_INBOUND permit udp any interface outside eq ntp
access-list pedseast_splitTunnelAcl permit ip 192.168.100.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.105.0 255.255.255.0
pager lines 24
logging on
logging standby
logging trap notifications
logging facility 22
logging host inside server
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.100.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.105.1-192.168.105.254 mask 255.255.255.0
pdm location 146.145.56.190 255.255.255.255 outside
pdm location chdescup 255.255.255.255 outside
pdm location peoplesoft 255.255.255.255 outside
pdm location server 255.255.255.255 inside
pdm location 192.168.101.0 255.255.255.0 inside
pdm location 192.168.100.0 255.255.252.0 inside
pdm location 192.168.105.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ssh server ssh netmask 255.255.255.255 0 0
access-group SSH_INBOUND in interface outside
access-group inside_access_in in interface inside
rip inside default version 2
route inside 192.168.101.0 255.255.255.0 192.168.100.250 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set myse esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myse
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ***.***.***.***
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
crypto map mymap 30 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
isakmp enable outside
isakmp key ******** address ***.***.***.**** netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup pedseast address-pool remote
vpngroup pedseast dns-server server
vpngroup pedseast wins-server server
vpngroup pedseast split-tunnel pedseast_splitTunnelAcl
vpngroup pedseast idle-time 1800
vpngroup pedseast password ********
telnet 192.168.100.0 255.255.255.0 inside
telnet server 255.255.255.255 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname *********
vpdn group pppoe_group ppp authentication pap
vpdn username *********** password ********* store-local
vpdn username ******* password *********
username ***** password ********** encrypted privilege 15
terminal width 80
 
hi,

do this:

isakmp nat 10

You need to tell the PIX 501 that the client may be behind
a firewall. That way, the PIX will use NAT-T and it will work.
Try it and let us know.

wirelesspeap
CCIE security
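As an added illustration of the check wirelesspeap describes (this is not code from the thread or from Cisco): a small Python audit that reads a PIX 6.3 configuration excerpt and flags a dynamic crypto map in service with no `isakmp nat-traversal` line, a dynamic crypto map that is never bound to an interface, and a client address pool that the nat 0 access-list does not exempt. The excerpt is constructed from the lines posted above; the function names and finding strings are my own, and the full PIX 6.3 keyword is assumed to be `isakmp nat-traversal [keepalive-seconds]`, of which `isakmp nat 10` in the reply is the abbreviated form.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]  # None stands for the ACL keyword 'any'

# Constructed excerpt modelled on the posted config (added example, not the poster's file):
# pool, nat 0 exemption and dynamic crypto map present, 'isakmp nat-traversal' deliberately absent.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound permit ip 192.168.100.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list inside_nat0_outbound permit ip any 192.168.105.0 255.255.255.0
ip local pool remote 192.168.105.1-192.168.105.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map mymap 30 ipsec-isakmp dynamic dynmap
isakmp enable outside
vpngroup pedseast address-pool remote
"""


def config_lines(text: str) -> List[str]:
    """Drop blank lines and ':'-prefixed comment lines as found in a saved PIX config."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith(":")]


def parse_spec(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address spec at tokens[i]: 'any', 'host A' or 'A MASK'.
    Symbolic hosts from 'name' statements raise ValueError; callers skip those entries."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def local_pool_networks(lines: List[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Map each 'ip local pool NAME START-END mask MASK' to the network its range sits in."""
    pools: Dict[str, ipaddress.IPv4Network] = {}
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", ln)
        if m:
            name, start, _end, mask = m.groups()
            pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def nat0_exempt_destinations(lines: List[str]) -> List[Net]:
    """Destination networks of the 'permit ip' entries of every ACL bound to 'nat (x) 0'."""
    acls = {m.group(1) for ln in lines
            for m in [re.match(r"nat \(\S+\) 0 access-list (\S+)", ln)] if m}
    dests: List[Net] = []
    for ln in lines:
        m = re.match(r"access-list (\S+) permit ip (.+)", ln)
        if not m or m.group(1) not in acls:
            continue
        tokens = m.group(2).split()
        try:
            _, i = parse_spec(tokens, 0)   # source spec (ignored here)
            dst, _ = parse_spec(tokens, i)  # destination spec is what must cover the pool
        except (ValueError, IndexError):
            continue  # unresolved 'name' host or malformed entry: cannot evaluate
        dests.append(dst)
    return dests


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    lines = config_lines(text)
    findings: List[str] = []
    applied = {m.group(1) for ln in lines
               for m in [re.match(r"crypto map (\S+) interface \S+", ln)] if m}
    dynamic = {m.group(1) for ln in lines
               for m in [re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic ", ln)] if m}
    for name in sorted(dynamic - applied):
        findings.append(f"crypto map {name} has a dynamic entry but is not applied to any interface")
    if not dynamic & applied:
        return findings  # no remote-access map in service; the remaining checks do not apply
    # Accept the full keyword and the abbreviated 'isakmp nat N' used in the reply above.
    if not any(re.match(r"isakmp nat(-traversal)?\b", ln) for ln in lines):
        findings.append("dynamic crypto map in service but 'isakmp nat-traversal' is not configured: "
                        "clients behind NAT negotiate a tunnel yet pass no traffic")
    dests = nat0_exempt_destinations(lines)
    for name, net in local_pool_networks(lines).items():
        if not any(d is None or net.subnet_of(d) for d in dests):
            findings.append(f"address pool {name} ({net}) is not exempted from NAT by the nat 0 ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG),
                       ("with fix", SAMPLE_CONFIG + "isakmp nat-traversal 20\n")):
        print(f"== {label}")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run as-is, the "as posted" pass reports the missing NAT-T line, and the same pass on either spelling of the fix reports it no longer. The checker also notes, as an aside that can be verified against the posted config, that the `mymap` crypto map (the one carrying the `client configuration address` lines) is never bound to an interface, so only `outside_map` is actually in service on the outside interface.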
 
Thanks that worked. You saved my weekend.

I could have sworn I tried this before, and the fact that one machine worked was really messing me up.

I owe you one.
 