PIX VPN Connection Problem

strai81 (IS-IT--Management, US), May 2, 2002
Hello,

I have recently replaced my PIX 515 with a 515e. I saved the config off of the old PIX and copied it to the new one. Everything is working well except for the VPN connection from the remote host using the Cisco VPN client software. I have found where the problem begins in the log, and the error is below. Any suggestions would be appreciated.

Thanks,

Steven

1503 15:57:55.281 11/10/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

 
Did you copy the startup-config or merely cut and paste the config? If you did the latter, then the issue is probably the VPNgroup password.
 
I copied the startup config, and I also replaced the vpngroup password. One thing that I left out is that I am testing this PIX to make sure everything works before downing the old PIX, and I have changed the IP address on both the inside and outside interfaces. The addresses on the new PIX are in the same subnets as the old one.
 
Here you go...

: Saved
: Written by enable_15 at 19:41:08.310 CST Sun Nov 11 2007
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password JXbhNJ.UGPsshuTS encrypted
passwd JXbhNJ.UGPsshuTS encrypted
hostname Exxxxxx
domain-name xxxx.xxx
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1726
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service outbound_tcp tcp
description To replace Outbound Command
port-object eq www
port-object eq 123
port-object range 1500 5000
port-object eq 37
port-object eq 10000
port-object eq 449
port-object eq 520
port-object eq nntp
port-object eq daytime
port-object eq whois
port-object eq 42
port-object eq h323
port-object eq pop3
port-object eq echo
port-object eq talk
port-object eq 10022
port-object eq smtp
port-object eq cmd
port-object eq 10021
port-object eq telnet
port-object eq exec
port-object range 1 5000
port-object eq domain
port-object eq 3389
port-object eq 1731
port-object eq ldap
port-object eq 522
port-object eq 1503
port-object eq 50
port-object eq https
port-object eq 47
port-object eq citrix-ica
port-object eq 69
object-group service outbound_udp udp
description To replace Outbound Command
port-object eq isakmp
port-object eq 10000
port-object eq 257
port-object eq domain
port-object eq 32
port-object eq 4500
port-object eq 1701
port-object eq 50
port-object eq 443
port-object eq 1494
port-object eq tftp
port-object eq 4999
access-list 102 permit ip 10.1.3.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 10.1.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 10.1.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 10.1.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 10.1.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list 102 permit ip 10.1.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list inside_out permit tcp any any object-group outbound_tcp
access-list inside_out permit udp any any object-group outbound_udp
access-list inside_out permit icmp any any
access-list inside_out permit ip any any
access-list outside_in permit icmp any any
access-list tunnel permit ip 10.1.3.0 255.255.255.0 10.100.0.0 255.255.0.0
access-list splittunnel_teametex permit ip 10.1.1.0 255.255.255.0 any
access-list splittunnel_teametex permit ip 10.1.2.0 255.255.255.0 any
access-list splittunnel_teametex permit ip 10.1.3.0 255.255.255.0 any
access-list splittunnel_teametex permit ip 10.1.4.0 255.255.255.0 any
access-list splittunnel_teametex permit ip 10.7.0.0 255.255.0.0 any
access-list hollylake_ipsec permit ip 10.1.0.0 255.255.0.0 10.10.1.0 255.255.255.0
access-list hollylake_ipsec permit ip 10.1.0.0 255.255.0.0 192.168.101.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap debugging
logging history errors
logging host inside 10.1.1.15
no logging message 106011
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 207.x.x.x 255.255.255.224
ip address inside 10.1.1.7 255.255.0.0
ip audit name Attack attack action alarm
ip audit interface outside Attack
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 192.168.100.1-192.168.100.254
pdm logging debugging 500
pdm history enable
arp timeout 14400
global (outside) 1 207.x.x.x-207.x.x.x
global (outside) 1 207.x.x.x
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
access-group inside_out in interface inside
rip outside passive version 2
rip inside default version 2
route outside 0.0.0.0 0.0.0.0 207.xxx.xxx.xxx 1
route inside 10.3.0.0 255.255.0.0 10.1.1.1 1
route inside 10.7.0.0 255.255.0.0 10.1.1.1 1
timeout xlate 1:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:10:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.17 255.255.255.255 inside
http 10.1.1.15 255.255.255.255 inside
http 10.1.1.10 255.255.255.255 inside
http 10.1.1.122 255.255.255.255 inside
http 10.1.1.130 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1200
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
service resetoutside
crypto ipsec transform-set etexset esp-3des esp-md5-hmac
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set afcset esp-3des esp-md5-hmac
crypto ipsec transform-set hlakeset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map etexmap 1 set transform-set etexset
crypto dynamic-map etexmap 1 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map corpmap 5 ipsec-isakmp
crypto map corpmap 5 match address tunnel
crypto map corpmap 5 set peer 12.x.x.x
crypto map corpmap 5 set transform-set afcset
crypto map corpmap 5 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map corpmap 10 ipsec-isakmp
crypto map corpmap 10 match address hollylake_ipsec
crypto map corpmap 10 set peer 209.x.x.x
crypto map corpmap 10 set transform-set hlak
crypto map corpmap 20 ipsec-isakmp dynamic etexmap
crypto map corpmap interface outside
isakmp enable outside
isakmp key ******** address 12.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 209.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 28800
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup teametex address-pool dealer
vpngroup teametex dns-server 10.1.1.4
vpngroup teametex default-domain etex.net
vpngroup teametex split-tunnel splittunnel_teametex
vpngroup teametex split-dns xxxxxx.xxx
vpngroup teametex idle-time 28800
vpngroup teametex password ********
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:5a4e25430c1c38731ee4fce513835a50
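As an added example that is not code from the thread, here is a small Python check (tooling written for this illustration, not a Cisco utility) that reads a PIX 6.3-style config and reports crypto map, dynamic map and vpngroup references that point at objects the config never defines. Run over a constructed excerpt of the config above, it flags the transform-set name 'hlak', which the posted config references while only 'hlakeset' is defined.

```python
# Added example, not code from the thread: lint a PIX 6.3 config for crypto-map,
# dynamic-map and vpngroup references that point at objects the config never
# defines. SAMPLE_CONFIG is a constructed excerpt of the config posted above.
SAMPLE_CONFIG = """\
access-list splittunnel_teametex permit ip 10.1.1.0 255.255.255.0 any
access-list hollylake_ipsec permit ip 10.1.0.0 255.255.0.0 10.10.1.0 255.255.255.0
ip local pool dealer 192.168.100.1-192.168.100.254
crypto ipsec transform-set etexset esp-3des esp-md5-hmac
crypto ipsec transform-set hlakeset esp-3des esp-md5-hmac
crypto dynamic-map etexmap 1 set transform-set etexset
crypto map corpmap 10 match address hollylake_ipsec
crypto map corpmap 10 set transform-set hlak
crypto map corpmap 20 ipsec-isakmp dynamic etexmap
crypto map corpmap interface outside
vpngroup teametex address-pool dealer
vpngroup teametex split-tunnel splittunnel_teametex
"""

# command prefix -> (object kind it defines, index of the name token in the split line)
DEFINERS = {"crypto ipsec transform-set": ("transform-set", 3),
            "access-list": ("access-list", 1), "ip local pool": ("pool", 3)}

def lint_pix_crypto(config):
    """Return one finding string per dangling reference (empty list = consistent)."""
    defined = {k: set() for k in ("transform-set", "dynamic-map", "access-list", "pool", "crypto-map")}
    refs = []  # (kind, referenced name, offending line)
    for raw in config.splitlines():
        t = raw.split()
        line = " ".join(t)
        for prefix, (kind, idx) in DEFINERS.items():
            if line.startswith(prefix + " "):
                defined[kind].add(t[idx])
        if line.startswith("crypto dynamic-map "):
            defined["dynamic-map"].add(t[2])
            if "transform-set" in t:
                refs.append(("transform-set", t[-1], line))
        elif line.startswith("crypto map "):
            if t[3] == "interface":      # binding to an interface needs a map that has entries
                refs.append(("crypto-map", t[2], line))
                continue
            defined["crypto-map"].add(t[2])
            for kw, kind in (("address", "access-list"), ("transform-set", "transform-set"), ("dynamic", "dynamic-map")):
                if kw in t:              # match address X / set transform-set X / ipsec-isakmp dynamic X
                    refs.append((kind, t[-1], line))
        elif line.startswith("vpngroup ") and t[2] in ("address-pool", "split-tunnel"):
            refs.append(("pool" if t[2] == "address-pool" else "access-list", t[3], line))
    return [f"{kind} '{name}' is referenced but never defined: {line}"
            for kind, name, line in refs if name not in defined[kind]]
```

This is a static consistency check only; the fix reported later in the thread (removing and reapplying the crypto map on the interface) is a runtime state issue that no config lint would surface.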
 
Problem solved. Removed the crypto map from the outside interface and reapplied it.
 