
No LAN Access through VPN tunnel w/ 515

Status
Not open for further replies.

quell

IS-IT--Management
Nov 8, 2002
Hello,
I was wondering if someone could help me.
I have a pix 515 and using the Cisco dialer 4.0.3 on a PC with XP SP2. I am able to connect with the dialer but when I try to use remote desktop or citrix I cannot access anything on the LAN. I recently upgraded from 6.2.2 to 6.3.3 and not for sure if the vpn was ever working right. (new project)
When the firewall reboots it says "Cannot select private keyType help or '?' for a list of available commands" I'm not for sure if this is the problem or just another problem. Any help would be greatly appreciated. Thanks in advance. Here is my config

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname dExToR
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list frominside permit tcp any any eq www
access-list frominside permit tcp any any eq ftp
access-list frominside permit tcp any any eq pop3
access-list frominside permit udp any any eq domain
access-list frominside permit tcp any any eq https
access-list frominside permit tcp any any eq smtp
access-list frominside permit tcp any any eq 5900
access-list frominside permit tcp any any eq 5800
access-list frominside permit tcp any any eq 8080
access-list frominside permit tcp any any eq 8000
access-list frominside permit tcp any any eq 8181
access-list frominside permit tcp any any eq 5061
access-list frominside permit tcp any any eq 5004
access-list frominside permit tcp any any eq 8081
access-list frominside permit tcp any any eq 2280
mtu outside 1500
mtu inside 1500
ip address outside 66.xxx.xxx.60 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool usipool 192.168.123.1-192.168.123.10
pdm history enable
arp timeout 14400
global (outside) 1 66.xxx.xxx.59 netmask 255.255.255.248
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group frominside in interface inside
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partneruath protocol radius
aaa-server partneruath (inside) host 192.168.0.7 EDGVPN timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto dynamic-map dyna-brett 10 set transform-set vpn
crypto map vpnmap 99 ipsec-isakmp dynamic dyna-brett
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication partneruath
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup usi address-pool usipool
vpngroup usi dns-server 192.168.0.7
vpngroup usi default-domain xxx
vpngroup usi idle-time 1800
vpngroup usi password xxx
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end
[OK]


I would rather have it and not need it, then need it and not have it.
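Added example, not from this thread or from Cisco: a small Python checker that parses a PIX 6.x config excerpt (constructed, modelled on the one posted above) and confirms that the NAT-exemption ACL named by `nat (inside) 0` covers inside-LAN-to-pool traffic and that the client pool does not overlap the LAN, two of the usual things to verify when the dialer connects but nothing on the LAN answers. The config text and the function names are assumptions of this example.

```python
import ipaddress

# Constructed excerpt of a PIX 6.x remote-access config modelled on the one posted above.
PIX_CONFIG = """\
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list frominside permit tcp any any eq www
ip address inside 192.168.0.254 255.255.255.0
ip local pool usipool 192.168.123.1-192.168.123.10
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup usi address-pool usipool
"""

def parse_pix(text):
    """Extract the statements that decide whether dialer clients can reach the inside LAN."""
    cfg = {"acls": {}, "pools": {}, "nat0_acl": None, "inside": None, "group_pool": None}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif len(p) == 5 and p[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif len(p) == 5 and p[:3] == ["ip", "local", "pool"]:
            lo, hi = p[4].split("-")
            cfg["pools"][p[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif len(p) == 5 and p[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = p[4]
        elif len(p) == 4 and p[0] == "vpngroup" and p[2] == "address-pool":
            cfg["group_pool"] = p[3]
    return cfg

def check_vpn_lan_path(cfg):
    """Return findings; an empty list means pool and NAT exemption are consistent."""
    findings = []
    pool = cfg["pools"].get(cfg["group_pool"])
    if pool is None or cfg["inside"] is None:
        return ["vpngroup address-pool or inside address missing/unresolved"]
    lo, hi = pool
    if lo in cfg["inside"] or hi in cfg["inside"]:
        findings.append("VPN pool overlaps the inside LAN; it must be a separate subnet")
    rules = cfg["acls"].get(cfg["nat0_acl"], [])
    if not rules:
        return findings + ["no 'nat (inside) 0 access-list' exempts LAN->pool traffic"]
    # Replies from the LAN toward the pool must bypass the nat 1 / global PAT to get tunnelled.
    if not any(cfg["inside"].subnet_of(s) and lo in d and hi in d for s, d in rules):
        findings.append("nat 0 ACL does not cover inside LAN -> the whole VPN pool")
    return findings

def audit(text):
    return check_vpn_lan_path(parse_pix(text))

if __name__ == "__main__":
    print(audit(PIX_CONFIG) or ["OK: NAT exemption covers LAN -> VPN pool"])
    print(audit(PIX_CONFIG.replace("192.168.123.0 255.255.255.0", "192.168.124.0 255.255.255.0")))
```

Paste the running config from `write terminal` into `PIX_CONFIG` to run the same check against a real box; it only reads the lines it understands and ignores the rest.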
 
Found the problem with the second part of my post and thought I would share.

Problem: > When the firewall reboots it says "Cannot select private keyType help or '?' for a list of available commands"

Solution:
Hi,

Do the following

ca zeroize rsa key
ca gen rsa key 1024
ca save all

Thanks
Nadeem
wr mem if you want to save it.