
VPN via PIX 515e

Status
Not open for further replies.

iiiiss

Technical User
Oct 28, 2002
63
AT
Hi!

I have a problem setting up a VPN connection via my PIX 515e. I'm using the Cisco VPN client version 5.2.3,
and this is my configuration of the PIX. I think I must have overlooked something basic. Any help would be appreciated.

THX

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password bJ720n9.K/1QbBt5 encrypted
passwd 4OYLvXDaekNQjFEp encrypted
hostname Firewall
domain-name *************
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit ip any any
access-list inside permit icmp any any
access-list inside deny tcp any host ***.***.***.203 neq ftp
access-list inside deny tcp any host ***.***.***.203 neq www
access-list outside permit icmp any any
access-list outside permit ip any any
access-list outside permit tcp any any
access-list dmz permit tcp any any
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 22
logging on
logging buffered informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ***.***.***.204 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz ***.***.***.8 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 ***.***.***.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community ********
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn5000 address-pool ippool
vpngroup vpn5000 dns-server 10.1.1.2
vpngroup vpn5000 wins-server 10.1.1.2
vpngroup vpn5000 default-domain *********
vpngroup vpn5000 split-tunnel 101
vpngroup vpn5000 idle-time 1800
vpngroup vpn5000 password ********
vpngroup vpn3000 idle-time 1800
telnet timeout 5
ssh timeout 5
 
BTW

I've forgotten to mention that I'm trying this on a simple LAN for practising, just two workstations. For some seconds the connection seems to work, but after a few seconds the client says no connection.

THX a lot for every help
 
Oh, another thing I've forgotten. During the connection attempt the PIX displays a lot of these messages. What exactly do they mean, or where is my problem?

THX a lot


ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
crypto_isakmp_process_block: src ***.***.***.203, dest ***.***.***.204
VPN Peer: ISAKMP: Peer ip:***.***.***.203 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:***.***.***.203 Ref cnt decremented to:1 Total VPN Peers:1
 
Here are two ideas:
1. Try using the 3.x version of the client.
2. It seems the remote connections are attempting to use DH group 1. This PIX is configured to use group 2.

hope this helps,
-gbiello
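To make the mismatch gbiello points out visible mechanically, here is an added example (not from the thread or from Cisco): a Python script that parses the ISAKMP debug lines the poster quoted and compares each offered transform against the PIX's `isakmp policy 10`. The policy dictionary is transcribed from the config above, with `des` written as `DES-CBC` because that is the spelling the debug output uses.

```python
import re

# Constructed sample of the debug output quoted in the thread: each transform
# block lists encryption, hash, auth and DH group, then the PIX verdict.
DEBUG_LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
"""

# The "isakmp policy 10" lines from the PIX config, normalised to the names
# the debug output uses ("des" in the config is printed as DES-CBC).
PIX_POLICY = {"encryption": "DES-CBC", "hash": "MD5", "auth": "pre-share", "group": "2"}

def parse_transforms(log):
    """Return one dict per offered transform: number plus its four attributes."""
    transforms = []
    for line in log.splitlines():
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line)
        if m:
            transforms.append({"transform": int(m.group(1))})
            continue
        m = re.match(r"ISAKMP: (encryption|hash|auth) (\S+)", line)
        if m and transforms:
            transforms[-1][m.group(1)] = m.group(2)
            continue
        m = re.match(r"ISAKMP: default group (\d+)", line)
        if m and transforms:
            transforms[-1]["group"] = m.group(1)
    return transforms

def mismatches(transform, policy):
    """Attributes on which the offered transform differs: name -> (offered, required)."""
    return {k: (transform.get(k), v) for k, v in policy.items() if transform.get(k) != v}

def diagnose(log, policy):
    """Map each transform number to the attributes the PIX policy would reject it on."""
    return {t["transform"]: mismatches(t, policy) for t in parse_transforms(log)}
```

Calling `diagnose(DEBUG_LOG, PIX_POLICY)` reports transform 1 as failing only on the DH group and transform 3 on both hash and group, which is why the PIX ends with "no offers accepted!".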
 