
Pix 525 easy vpn server vs Pix 501 easy vpn client


Namik (Technical User), Jul 16, 2007
Hi,
I have a PIX 525 configured as an Easy VPN server and a PIX 501 as the client. When I configure the 501 as an Easy VPN remote client in "client mode" everything works fine: I can ping or browse the network behind the VPN. In network extension mode I can't.
Can anyone help with this configuration?

PIX525 config (Easy VPN Server)

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.253 255.255.255.0
ip address inside 172.16.1.239 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 172.16.1.100-172.16.1.200 mask 255.255.255.0
pdm location 172.16.1.4 255.255.255.255 inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup test address-pool test
vpngroup test dns-server 172.16.1.1
vpngroup test idle-time 1800
vpngroup test password ********
telnet timeout 5
ssh timeout 5
console timeout 0
username test password P4ttSyrm33SV8TYp encrypted privilege 15
terminal width 80
Cryptochecksum:f9082623fee98a143c35ecfd701cba70
: end
[OK]

That's the downloaded config in network extension mode:


LOCAL CONFIGURATION
vpnclient server 192.168.1.253
vpnclient mode network-extension-mode
vpnclient vpngroup mvd password ********
vpnclient username test password ********
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server : 192.168.1.253
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Backup Servers : None

STORED POLICY
Secure Unit Authentication Enabled : No
Split Networks : None
Backup Servers : None

RELATED CONFIGURATION
sysopt connection permit-ipsec
global (outside) 1 interface
nat (inside) 0 access-list _vpnc_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list _vpnc_acl permit ip 192.168.110.0 255.255.255.0 any
access-list _vpnc_acl permit ip host 192.168.1.250 any
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.110.100 255.255.255.255 inside
http 192.168.110.0 255.255.255.0 inside
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac
crypto ipsec transform-set _vpnc_test_6 esp-aes esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac
crypto map _vpnc_cm 10 ipsec-isakmp
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 192.168.1.253
crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_test_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.253 netmask 255.255.255.255
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 65001 authentication xauth-pre-share
isakmp policy 65001 encryption aes-256
isakmp policy 65001 hash sha
isakmp policy 65001 group 2
isakmp policy 65001 lifetime 86400
isakmp policy 65002 authentication xauth-pre-share
isakmp policy 65002 encryption aes-256
isakmp policy 65002 hash md5
isakmp policy 65002 group 2
isakmp policy 65002 lifetime 86400
isakmp policy 65003 authentication xauth-pre-share
isakmp policy 65003 encryption aes-192
isakmp policy 65003 hash sha
isakmp policy 65003 group 2
isakmp policy 65003 lifetime 86400
isakmp policy 65004 authentication xauth-pre-share
isakmp policy 65004 encryption aes-192
isakmp policy 65004 hash md5
isakmp policy 65004 group 2
isakmp policy 65004 lifetime 86400
isakmp policy 65005 authentication xauth-pre-share
isakmp policy 65005 encryption aes
isakmp policy 65005 hash sha
isakmp policy 65005 group 2
isakmp policy 65005 lifetime 86400
isakmp policy 65006 authentication xauth-pre-share
isakmp policy 65006 encryption aes
isakmp policy 65006 hash md5
isakmp policy 65006 group 2
isakmp policy 65006 lifetime 86400
isakmp policy 65007 authentication xauth-pre-share
isakmp policy 65007 encryption 3des
isakmp policy 65007 hash sha
isakmp policy 65007 group 2
isakmp policy 65007 lifetime 86400
isakmp policy 65008 authentication xauth-pre-share
isakmp policy 65008 encryption 3des
isakmp policy 65008 hash md5
isakmp policy 65008 group 2
isakmp policy 65008 lifetime 86400
isakmp policy 65009 authentication xauth-pre-share
isakmp policy 65009 encryption des
isakmp policy 65009 hash md5
isakmp policy 65009 group 2
isakmp policy 65009 lifetime 86400
isakmp policy 65010 authentication pre-share
isakmp policy 65010 encryption aes-256
isakmp policy 65010 hash sha
isakmp policy 65010 group 2
isakmp policy 65010 lifetime 86400
isakmp policy 65011 authentication pre-share
isakmp policy 65011 encryption aes-256
isakmp policy 65011 hash md5
isakmp policy 65011 group 2
isakmp policy 65011 lifetime 86400
isakmp policy 65012 authentication pre-share
isakmp policy 65012 encryption aes-192
isakmp policy 65012 hash sha
isakmp policy 65012 group 2
isakmp policy 65012 lifetime 86400
isakmp policy 65013 authentication pre-share
isakmp policy 65013 encryption aes-192
isakmp policy 65013 hash md5
isakmp policy 65013 group 2
isakmp policy 65013 lifetime 86400
isakmp policy 65014 authentication pre-share
isakmp policy 65014 encryption aes
isakmp policy 65014 hash sha
isakmp policy 65014 group 2
isakmp policy 65014 lifetime 86400
isakmp policy 65015 authentication pre-share
isakmp policy 65015 encryption aes
isakmp policy 65015 hash md5
isakmp policy 65015 group 2
isakmp policy 65015 lifetime 86400
isakmp policy 65016 authentication pre-share
isakmp policy 65016 encryption 3des
isakmp policy 65016 hash sha
isakmp policy 65016 group 2
isakmp policy 65016 lifetime 86400
isakmp policy 65017 authentication pre-share
isakmp policy 65017 encryption 3des
isakmp policy 65017 hash md5
isakmp policy 65017 group 2
isakmp policy 65017 lifetime 86400
isakmp policy 65018 authentication pre-share
isakmp policy 65018 encryption des
isakmp policy 65018 hash md5
isakmp policy 65018 group 2
isakmp policy 65018 lifetime 86400


And that's the downloaded config in client mode:


LOCAL CONFIGURATION
vpnclient server 192.168.1.253
vpnclient mode client-mode
vpnclient vpngroup mvd password ********
vpnclient username test password ********
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server : 192.168.1.253
NAT addr : 172.16.1.100
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Backup Servers : None

STORED POLICY
Secure Unit Authentication Enabled : No
Split Networks : None
Backup Servers : None

RELATED CONFIGURATION
sysopt connection permit-ipsec
global (outside) 1 interface
global (outside) 65001 172.16.1.100
nat (inside) 65001 access-list _vpnc_pat_acl 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list _vpnc_acl permit ip host 172.16.1.100 any
access-list _vpnc_acl permit ip host 192.168.1.250 any
access-list _vpnc_pat_acl permit ip any any
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 outside
http 192.168.110.100 255.255.255.255 inside
http 192.168.110.0 255.255.255.0 inside
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac
crypto ipsec transform-set _vpnc_test_6 esp-aes esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac
crypto map _vpnc_cm 10 ipsec-isakmp
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 192.168.1.253
crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_test_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.253 netmask 255.255.255.255
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 65001 authentication xauth-pre-share
isakmp policy 65001 encryption aes-256
isakmp policy 65001 hash sha
isakmp policy 65001 group 2
isakmp policy 65001 lifetime 86400
isakmp policy 65002 authentication xauth-pre-share
isakmp policy 65002 encryption aes-256
isakmp policy 65002 hash md5
isakmp policy 65002 group 2
isakmp policy 65002 lifetime 86400
isakmp policy 65003 authentication xauth-pre-share
isakmp policy 65003 encryption aes-192
isakmp policy 65003 hash sha
isakmp policy 65003 group 2
isakmp policy 65003 lifetime 86400
isakmp policy 65004 authentication xauth-pre-share
isakmp policy 65004 encryption aes-192
isakmp policy 65004 hash md5
isakmp policy 65004 group 2
isakmp policy 65004 lifetime 86400
isakmp policy 65005 authentication xauth-pre-share
isakmp policy 65005 encryption aes
isakmp policy 65005 hash sha
isakmp policy 65005 group 2
isakmp policy 65005 lifetime 86400
isakmp policy 65006 authentication xauth-pre-share
isakmp policy 65006 encryption aes
isakmp policy 65006 hash md5
isakmp policy 65006 group 2
isakmp policy 65006 lifetime 86400
isakmp policy 65007 authentication xauth-pre-share
isakmp policy 65007 encryption 3des
isakmp policy 65007 hash sha
isakmp policy 65007 group 2
isakmp policy 65007 lifetime 86400
isakmp policy 65008 authentication xauth-pre-share
isakmp policy 65008 encryption 3des
isakmp policy 65008 hash md5
isakmp policy 65008 group 2
isakmp policy 65008 lifetime 86400
isakmp policy 65009 authentication xauth-pre-share
isakmp policy 65009 encryption des
isakmp policy 65009 hash md5
isakmp policy 65009 group 2
isakmp policy 65009 lifetime 86400
isakmp policy 65010 authentication pre-share
isakmp policy 65010 encryption aes-256
isakmp policy 65010 hash sha
isakmp policy 65010 group 2
isakmp policy 65010 lifetime 86400
isakmp policy 65011 authentication pre-share
isakmp policy 65011 encryption aes-256
isakmp policy 65011 hash md5
isakmp policy 65011 group 2
isakmp policy 65011 lifetime 86400
isakmp policy 65012 authentication pre-share
isakmp policy 65012 encryption aes-192
isakmp policy 65012 hash sha
isakmp policy 65012 group 2
isakmp policy 65012 lifetime 86400
isakmp policy 65013 authentication pre-share
isakmp policy 65013 encryption aes-192
isakmp policy 65013 hash md5
isakmp policy 65013 group 2
isakmp policy 65013 lifetime 86400
isakmp policy 65014 authentication pre-share
isakmp policy 65014 encryption aes
isakmp policy 65014 hash sha
isakmp policy 65014 group 2
isakmp policy 65014 lifetime 86400
isakmp policy 65015 authentication pre-share
isakmp policy 65015 encryption aes
isakmp policy 65015 hash md5
isakmp policy 65015 group 2
isakmp policy 65015 lifetime 86400
isakmp policy 65016 authentication pre-share
isakmp policy 65016 encryption 3des
isakmp policy 65016 hash sha
isakmp policy 65016 group 2
isakmp policy 65016 lifetime 86400
isakmp policy 65017 authentication pre-share
isakmp policy 65017 encryption 3des
isakmp policy 65017 hash md5
isakmp policy 65017 group 2
isakmp policy 65017 lifetime 86400
isakmp policy 65018 authentication pre-share
isakmp policy 65018 encryption des
isakmp policy 65018 hash md5
isakmp policy 65018 group 2
isakmp policy 65018 lifetime 86400
 
The link that you gave wants a CCO username and password, which I don't have :(
There is a route on the PIX 501:
ip route 172.16.1.0 255.255.255.0 192.168.1.253
Do you think I have to add a route on the 525, like: ip route 0.0.0.0 0.0.0.0 172.16.1.239 inside ?
 
That guide is all about client mode. In client mode everything works fine in my configuration: I can ping, browse, etc. the LAN behind the VPN. The problem appears when I change the mode to network extension.
On the client PIX 501 I have the route
ip route 172.16.1.0 255.255.255.0 192.168.1.253
Do I need a route on the VPN server like:
ip route 0.0.0.0 0.0.0.0 172.16.1.239 inside ?

I cannot use the site-to-site model because I have to connect 12 offices to 1 point.
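Added example (editor's code, not from the original posts or from Cisco): a small Python check that parses the PIX 525 server config and the PIX 501's downloaded `_vpnc_acl` from the two dumps at the top of the thread, and reports which of the networks the remote proposes fall outside the destination side of the server's NAT-exemption ACL and its dynamic crypto-map ACL. The config lines are copied verbatim from this thread; the function names and the "candidate lines" helper are my own and are assumptions about what a hub-side extension would look like, not a verified fix. On these configs it reports that the client-mode address 172.16.1.100/32 sits inside 172.16.1.0/24 and is therefore covered by both server ACLs, while the network-extension-mode LAN 192.168.110.0/24 is covered by neither.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source, destination) of one "permit ip" line

# Lines copied from the PIX 525 (Easy VPN server) config posted in this thread.
SERVER_CFG = """\
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""

# The PIX 501's crypto ACL as shown in the network-extension-mode dump in this thread.
CLIENT_NEM_ACL = """\
access-list _vpnc_acl permit ip 192.168.110.0 255.255.255.0 any
access-list _vpnc_acl permit ip host 192.168.1.250 any
"""

# The same ACL from the client-mode dump: the LAN is hidden behind pool address 172.16.1.100.
CLIENT_CM_ACL = """\
access-list _vpnc_acl permit ip host 172.16.1.100 any
access-list _vpnc_acl permit ip host 192.168.1.250 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one PIX 6.x address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x ACLs use a real subnet mask, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(cfg: str) -> Dict[str, List[Entry]]:
    """Return {acl_name: [(src, dst), ...]} for every 'access-list NAME permit ip ...' line."""
    acls: Dict[str, List[Entry]] = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def server_acl_names(cfg: str) -> Dict[str, str]:
    """Map the two roles that matter here ('nat0', 'crypto') to the ACL names bound to them."""
    names: Dict[str, str] = {}
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if m:
        names["nat0"] = m.group(1)
    m = re.search(r"^crypto dynamic-map \S+ \d+ match address (\S+)", cfg, re.M)
    if m:
        names["crypto"] = m.group(1)
    return names


def remote_networks(client_acl_cfg: str) -> List[Net]:
    """Networks the remote PIX proposes as its side of the IPsec SA (source field of _vpnc_acl)."""
    return [src for entries in parse_acls(client_acl_cfg).values() for src, _ in entries]


def uncovered_remote_networks(server_cfg: str, client_acl_cfg: str) -> Dict[str, List[str]]:
    """For each server ACL role, list the remote networks that no entry's destination fully
    contains. Server ACLs are written from the hub's point of view (source = hub LAN,
    destination = remote side), so a remote network is covered only when it is a subnet
    of some entry's destination."""
    server_acls = parse_acls(server_cfg)
    report: Dict[str, List[str]] = {}
    for role, name in server_acl_names(server_cfg).items():
        dsts = [dst for _, dst in server_acls.get(name, [])]
        report[role] = [str(n) for n in remote_networks(client_acl_cfg)
                        if not any(n.subnet_of(d) for d in dsts)]
    return report


def candidate_server_lines(server_cfg: str, hub_lan: str, remote_net: str) -> List[str]:
    """Lines that would extend the hub's NAT-exemption and crypto ACLs to one remote LAN.
    Assumption: candidates to review against the rest of the setup, not a verified fix."""
    hub = ipaddress.ip_network(hub_lan)
    rem = ipaddress.ip_network(remote_net)
    names = server_acl_names(server_cfg)
    return [
        f"access-list {names[role]} permit ip {hub.network_address} {hub.netmask} "
        f"{rem.network_address} {rem.netmask}"
        for role in ("nat0", "crypto") if role in names
    ]


if __name__ == "__main__":
    for label, acl in (("network-extension mode", CLIENT_NEM_ACL), ("client mode", CLIENT_CM_ACL)):
        print(label, uncovered_remote_networks(SERVER_CFG, acl))
    print("\n".join(candidate_server_lines(SERVER_CFG, "172.16.1.0/24", "192.168.110.0/24")))
```

The `host 192.168.1.250` entry appears in both dumps and is reported as uncovered in both, so it is not what differs between the working and the failing mode; the difference is 172.16.1.100/32 (inside the pool subnet the server already lists) versus 192.168.110.0/24 (listed nowhere on the server). Whether extending the two server ACLs is enough also depends on the hub side having a return path: hosts on 172.16.1.0/24 must reach 192.168.110.0/24 through the PIX 525's inside address 172.16.1.239 (automatic if it is their default gateway), which is the hub-side counterpart of the route question raised in the last two posts.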
 