Hi,
I installed 4 PIXes working in hub-and-spoke mode, and plan to configure the hub PIX as the remote VPN client access server. The site-to-site PIXes work well, but when I try the VPN client, it has a problem.
I followed the guide "Cisco - Configuring IPSec Between Hub and Remote PIXes with VPN Client and Extended Authentication". The debug messages are the same as the sample and the ISAKMP SA is built fine. When I try to telnet to the AS400 on the internal network, I can't reach it; there is no traffic over the VPN. In the log the messages are
"%pix-6-302013:Built inbound TCP connection 720 for outside 10.0.2.1/1123(10.0.2.1/1123) to inside 172.28.13.4/23 (172.28.12.4.23)
"%pix-6-302013:Built inbound TCP connection 721 for outside 10.0.2.1/1124(10.0.2.1/1124) to inside 172.28.13.4/23 (172.28.12.4/23)
and so on. If I don't stop the telnet, the 10.0.2.1 port number keeps growing one by one.
What I did is:
(1) ip local pool -- 10.0.2.0 /24
(2) acl 100 permit ip 172.28.13.0/24 172.28.14.0/24
acl 100 permit ip 172.28.13.0/24 10.0.2.0/24
acl 110 permit ip 172.28.13.0/24 172.28.14.0/24
(3) global (outside) 1 218.22.xx.xx-218.22.xx.xx
global (outside) 1 218.22.xx.xx
nat (inside) 0 acl 100
nat (inside) 1 172.28.13.0 255.255.255.0 0 0
Other configurations I think are correct.
What is the problem?
I have 2 questions:
(1) Should we add a route in my other router, which works as the default gateway, like
"ip route 172.28.13.0/24 10.0.2.0/24 172.28.13.30"
The IP 172.28.13.30 is the IP of the hub PIX.
(2) The guide has an entry like
"isakmp key **** address 0.0.0.0 netmask 0.0.0.0"
but in Cisco VPN Client 3.5 I can't find a way to input the pre-shared key, only in Secure Client 1.1,
so I don't use this command. Is this a problem?
thanks
oh
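The following is an added example and is not part of the post, the Cisco guide, or any Cisco tool. It takes the three things the post gives us (the NAT-exemption ACL and client pool, the question about a return route on the inside gateway, and the two 302013 syslog lines) and turns them into checks that can be run offline before touching the boxes. The config shorthand from the post has been expanded into full PIX 6.x syntax; the pool name `vpnpool`, the pool range, the inside gateway's routing table and its default next hop `172.28.13.1` are all constructed assumptions, as are the copies of the log lines.

```python
"""Offline sanity checks for the hub-PIX remote-access setup described in the post.

Added example (not the poster's or Cisco's code). Everything below is built from
constructed copies of the config and log lines quoted in the post.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed from the post; shorthand expanded into PIX 6.x syntax.
# The pool name and start-end range are assumptions.
PIX_CONFIG = """
ip local pool vpnpool 10.0.2.1-10.0.2.254
access-list 100 permit ip 172.28.13.0 255.255.255.0 172.28.14.0 255.255.255.0
access-list 100 permit ip 172.28.13.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 110 permit ip 172.28.13.0 255.255.255.0 172.28.14.0 255.255.255.0
nat (inside) 0 access-list 100
nat (inside) 1 172.28.13.0 255.255.255.0 0 0
"""

# Constructed copies of the two syslog lines quoted in the post.
LOG_LINES = [
    "%pix-6-302013:Built inbound TCP connection 720 for outside 10.0.2.1/1123(10.0.2.1/1123) to inside 172.28.13.4/23 (172.28.13.4/23)",
    "%pix-6-302013:Built inbound TCP connection 721 for outside 10.0.2.1/1124(10.0.2.1/1124) to inside 172.28.13.4/23 (172.28.13.4/23)",
]

# Constructed routing table of the inside gateway router: (destination, next hop).
# 172.28.13.1 is a placeholder for its default next hop; 172.28.13.30 is the hub
# PIX inside address given in the post.
INSIDE_GATEWAY_ROUTES = [("0.0.0.0/0", "172.28.13.1"), ("10.0.2.0/24", "172.28.13.30")]

ACL_RE = re.compile(r"access-list (\S+) permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
POOL_RE = re.compile(r"ip local pool (\S+) ([\d.]+)-([\d.]+)")
# Tolerates both "outside 1.2.3.4/80" (as quoted) and "outside:1.2.3.4/80".
LOG_RE = re.compile(
    r"302013:\s*Built inbound TCP connection (\d+) for \w+[: ]\s*([\d.]+)/(\d+)"
    r".*? to \w+[: ]\s*([\d.]+)/(\d+)"
)


def parse_pix(config):
    """Extract ACL entries (src net, dst net), nat 0 bindings and client pools."""
    acls, nat0, pools = defaultdict(list), {}, {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"),
                               ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)          # interface -> ACL name
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return acls, nat0, pools


def pool_is_nat_exempt(config, inside_net, iface="inside"):
    """True if the nat (iface) 0 ACL exempts traffic from inside_net to every pool address.

    Without this, replies from the inside hosts to the VPN clients would be
    translated by the nat 1 / global pair instead of going back over the tunnel.
    """
    acls, nat0, pools = parse_pix(config)
    inside_net = ipaddress.ip_network(inside_net)
    entries = acls.get(nat0.get(iface, ""), [])
    return bool(pools) and all(
        any(inside_net.subnet_of(src) and addr in dst for src, dst in entries)
        for start, end in pools.values() for addr in (start, end)
    )


def has_return_route(routes, pool_net, hub_inside_ip):
    """True if the inside gateway forwards the client pool prefix to the hub PIX."""
    pool_net = ipaddress.ip_network(pool_net)
    hub = ipaddress.ip_address(hub_inside_ip)
    return any(pool_net.subnet_of(ipaddress.ip_network(dst))
               and ipaddress.ip_address(nh) == hub for dst, nh in routes)


def repeated_builds(lines):
    """Group 302013 build events by (client, server, port); return groups that recur.

    A client that keeps opening new connections with fresh source ports to the
    same server port, as in the post, is consistent with SYNs going in and no
    reply ever coming back.
    """
    ports = defaultdict(list)
    for line in lines:
        if m := LOG_RE.search(line):
            _, src, sport, dst, dport = m.groups()
            ports[(src, dst, int(dport))].append(int(sport))
    return {k: v for k, v in ports.items() if len(v) > 1}


if __name__ == "__main__":
    print("pool NAT-exempt:", pool_is_nat_exempt(PIX_CONFIG, "172.28.13.0/24"))
    print("return route present:",
          has_return_route(INSIDE_GATEWAY_ROUTES, "10.0.2.0/24", "172.28.13.30"))
    for key, sports in repeated_builds(LOG_LINES).items():
        print("repeated builds to", key, "from client ports", sports)
```

Run it as a script to see all three results for the constructed data; swap in the real `show run` output and the actual router's routes to test the hub in question. Both checks only reason about the data given, so a "True" on each does not prove the tunnel works, but a "False" on either points to something that must be fixed before any deeper debugging.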