
VPN Issue


HTY (IS-IT--Management, FR), Sep 26, 2002
Hi all,
I am using a PIX on my own network, so both inside and outside interfaces are on the local network (none of the interfaces is connected to the Internet); all addresses are statically assigned, no DHCP, no DNS, no WINS!!
A few servers lie on the outside interface. All I want to do is make a secure connection between a Cisco VPN Client installed on my station, which is on the inside, and the PIX. It's a basic thing!
The problem is that all the configuration examples I found deal with IP pools; I don't need to assign addresses dynamically!
Any ideas?
Thanks for your help.

HTY
 
I do not think you can do this. But if you could I would think you maybe could fool it somehow, like make a pool of one address, then make sure that address is available on the existing subnet. It might even work if you give it your IP, but I think that would cause an ARP problem.

Why would you want to do this? VPN to a network you are already on? That boggles my mind. Please explain, maybe there is a way to get where you are going without VPNing to a network where you already are a local user.

Eddie Venus
 
You cannot configure the PIX in such a way. The inside and outside interfaces need to be on different networks, otherwise it will not work. Regarding the VPN question: if you want to configure the PIX for remote VPN access using a VPN client, you need to configure a pool of IP addresses to assign to the clients when they connect; there is no other option. The pool needs to be on a completely different subnet than the inside or outside subnets.
 
I am trying to use one IP in the pool addresses; it worked:
The client is connected, but I receive nothing from the PIX!
received: 0 bytes
decrypted: 0
Any ideas?


HTY
 
Can you post your configuration related to VPN? What version of code are you running? This issue may be related to IPsec through a PAT device. You may want to enable NAT-T on the PIX, but it is available on 6.3 code only.
 
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 900 kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface inside
isakmp enable inside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool pool1
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
ip local pool pool1 10.7.1.7
nat (inside) 0 access-list 101
access-list 101 permit ip host 10.7.1.9 10.6.32.0 255.255.255.0 (hitcnt=3)

HTY
 
The pool needs to be on a different and unused subnet than either interface on the PIX.
 
It's what I am doing; the pool is a subnet that differs from the inside and the outside network. It's a subnet lying behind a router.
Do you know how I can check the sent/received statistics of the IPsec tunnel on a PIX?
(like the statistics that I can see on the Cisco VPN Client)

HTY
 
Well... if that is the case, then your ACL should be:

access-list 101 permit ip <internal subnet> <subnet mask> 10.7.1.0 255.255.255.0

Regarding your second question... show debug crypto ipsec sa
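To put the advice in the replies above together (pool on a subnet that overlaps neither PIX interface, the nat 0 exemption ACL written subnet-to-pool rather than host-to-host, one dynamic map name used consistently, and NAT-T on 6.3), here is a PIX 6.3 remote-access fragment written as an added example. It is not from any post in this thread. The addresses are assumptions for illustration: the protected servers are taken to be 10.6.32.0/24 and the client pool 10.7.1.0/24; the interface name "inside" and the group name "vpn3000" follow the thread's own configuration, and the pre-shared key is a placeholder.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing: protected servers on 10.6.32.0/24, client pool on 10.7.1.0/24.
! The pool must not overlap either PIX interface subnet (as the replies state).
ip local pool vpnpool 10.7.1.1-10.7.1.50

! nat 0 exemption: protected subnet as source, VPN pool as destination,
! so traffic to connected clients is never translated. This is the
! subnet-to-pool form of the host-to-host ACL posted above.
access-list nonat permit ip 10.6.32.0 255.255.255.0 10.7.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface access lists.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP). DES/MD5 is kept to match the thread; use 3DES/SHA where
! the client and PIX image support it.
isakmp enable inside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT traversal (PIX 6.3 and later), needed when the client sits behind PAT.
! 20 is the keepalive interval in seconds.
isakmp nat-traversal 20

! Phase 2 (IPsec): a single dynamic map name, referenced by the crypto map.
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 900 kilobytes 4608000
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface inside

! Client group: pool and pre-shared key (placeholder).
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password <group-key>

! Verification once a client has connected:
!   show isakmp sa          -> phase 1 state (QM_IDLE when established)
!   show crypto ipsec sa    -> per-SA "#pkts encaps" / "#pkts decaps" counters,
!                              the PIX-side equivalent of the client's statistics
```

If "#pkts decaps" on the PIX rises while "#pkts encaps" stays at zero, the client's traffic is arriving and being decrypted but nothing is being sent back into the tunnel, which points at the nat 0 exemption or the pool subnet rather than at ISAKMP.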
 