
Not so EASYVPN


br0ck (MIS), Apr 25, 2002
I have a 506 as a server and a 501 as a client.

Now I want to add a 3.x VPN client into the mix.

Are there any changes that I need to make to the server end for this to work?

I have attempted to connect the client, but I cannot pass pings or access the 506's LAN.

TIA
b-
 
Are you trying to connect through the 501 to the 506 or from another point?
 
No,

I have an Internet user on a cable modem
with the VPN client.
 
OK, just to make sure: you are trying to have them connect to the PIX 506 with the 3.x client, correct?

Under this assumption, you will have to make some changes on the PIX 506 for it to work properly. Could you post the VPN config that you have running now? Protecting, of course, any sensitive data. This will make it easier to see what commands you might be missing.



 

PIX Version 6.3(3)


access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


ip local pool ipsecpool 192.168.2.1-192.168.2.254

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 100 in interface outside

sysopt connection permit-ipsec
sysopt connection permit-pptp

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map vpn 10 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside

isakmp enable outside
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup groupname address-pool ipsecpool
vpngroup groupname dns-server 192.168.1.250
vpngroup groupname default-domain lan.net
vpngroup groupname split-tunnel nonat
vpngroup groupname idle-time 1800
vpngroup groupname password ********
vpngroup idle-time idle-time 1800
 
Hi.

The VPN 3.x (or 4.x, the recommended newer version) client should be able to connect without modification to the PIX acting as VPN server.

Some side notes:
> isakmp policy 5
What do you need it for?
I think that your "isakmp policy 10" is good enough so why use both of them?

You should also consider using XAUTH (AAA for incoming VPN clients) for a more secure VPN configuration.

Yizhar Hurwitz
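Putting the two points from the reply above together (one ISAKMP policy instead of two, and XAUTH for the incoming clients), the following PIX 6.3 fragment is an added example for this thread, not the poster's running config and not a Cisco reference configuration. It keeps the group name, pool, crypto map and nonat ACL names from the posted config. It assumes the 506 carries the 3DES license (if not, keep esp-des and des/md5), that the cable-modem client may be behind a NAT device (hence NAT traversal), and a hypothetical local account `remoteuser`. Lines beginning with `!` are annotations for the reader, not PIX commands; strip them before pasting.

```cisco
! Phase 1: one policy that matches the Cisco VPN Client 3.x/4.x defaults
! (DH group 2). 3DES/SHA assumes the 3DES license; otherwise use des/md5.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Assumption: the cable-modem client may sit behind NAT. With this enabled
! the PIX negotiates UDP-4500 encapsulation when NAT is detected in the path
! (20 = keepalive interval in seconds).
isakmp nat-traversal 20

! Phase 2 transform set and the dynamic map for clients whose address is
! not known in advance.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map vpn 10 ipsec-isakmp dynamic dynmap
! XAUTH: each client is prompted for a username/password after the group
! pre-shared key succeeds. LOCAL is the PIX's built-in user database; a
! RADIUS or TACACS+ server tag could be referenced here instead.
aaa-server LOCAL protocol local
crypto map vpn client authentication LOCAL
crypto map vpn interface outside

! Local account checked by XAUTH (hypothetical name; replace the password).
username remoteuser password s3cret privilege 2

! Group attributes pushed to the client on connect (names as in the thread).
! split-tunnel reuses the nonat ACL: the inside networks it lists are the
! only destinations the client sends through the tunnel.
vpngroup groupname address-pool ipsecpool
vpngroup groupname dns-server 192.168.1.250
vpngroup groupname default-domain lan.net
vpngroup groupname split-tunnel nonat
vpngroup groupname idle-time 1800
vpngroup groupname password ********

! Prerequisites already present in the posted config, kept here so the
! fragment is complete: decrypted traffic bypasses the outside ACL, and
! traffic back to the client pool is exempt from NAT.
sysopt connection permit-ipsec
nat (inside) 0 access-list nonat
```

To check the result after a client connects, `show crypto isakmp sa` should list the client's public address, and `show crypto ipsec sa` should show the `#pkts encaps` and `#pkts decaps` counters both increasing while the client pings an inside host. Decaps rising with encaps stuck at zero means the PIX receives and decrypts the client's packets but nothing comes back, which points at the return path (the nonat exemption or an inside host that does not route 192.168.2.0/24 via the PIX) rather than at the IKE negotiation.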
 
Well, that was configured by a Cisco support tech.

AAA is the next step.
 