pix 501 vpn problem

Similar Questions

• Pix 501 connection problems

  I am very new to cisco equipment and I was wondering if someone could help me with this (probably very simple question).

  When connecting to my pix via the browser (https://192.168.1.1/startup.html), the browser never took the start screen with the message that says "loading, please wait." This leads me to believe that the firewall is rejecting connections from my machine (which uses dhcp to get an ip address of the pix).

  To work around this problem, I tried to connect to the CLI using hyperterminal. I can connect and run a few basic commands as 'show version', but cannot log on as a user with permissions.

  If the web interface has a default connection of void & empty, surely the cli should be the same?

  Is anyone able to tell me what is the default login, so that I can start confguring the pix via the cli?

  Thanks in advance.

  Justin Spencer.

  Please see below for info pix:

  Cisco PIX Firewall Version 6.3 (3)

  Cisco PIX Device Manager Version 3.0 (1)

  Updated Thursday, August 13 03 13:55 by Manu

  pixfirewall until 12 minutes 18 seconds

  Material: PIX - 501, 16 MB RAM, 133 MHz Am5x86 CPU

  Flash E28F640J3 @ 0 x 3000000, 8 MB

  BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

  0: ethernet0: the address is 0011.937e.0486, irq 9

  1: ethernet1: the address is 0011.937e.0487, irq 10

  Features licensed:

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  The maximum physical Interfaces: 2

  Maximum Interfaces: 2

  Cut - through Proxy: enabled

  Guardians: enabled

  URL filtering: enabled

  Internal guests: 10

  Throughput: unlimited

  Peer IKE: 10

  This PIX has a restricted license (R).

  Serial number: 808301473 (0x302db3a1)

  Activation key running: 0xb53be54d 0x26da18f9 0xb2b78cef 0x8fe1abb6

  Configuration changed from enable_1 to 15:36:42.554 UTC, Monday, November 8, 2004

  pixfirewall >

  long live java.

  Please this mark as resolved, others won't waste time.

  Thank you

• Adding a pix 501 VPN 2

  Hello.. I am beginner in this kind of things cisco...

  I'm trying to set up multiple VPN on a Cisco PIX 501 firewall with routers Linksys BEFVP41...

  Since not very familiar with the CLI, I use the PDM utility and it was very easy for the first... Unfortunately, I get this error when I try to add the second VPN using the VPN Wizard:

  Outside_map map (ERR) crypto set peer 200.20.10.3

  WARNING: This encryption card is incomplete

  To remedy the situation even and a list of valid to add this encryption card

  Hi garcia

  for each vpn/peer, you need to a separate instance of crypto card, the card will have the same name, but different sequence... numbers one map encryption can be attributed to an interface, but you can have several instance of cards inside a main...

  for configuration, you can go through the URL below... It has all the details on IPSEC config:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/ipsecint.htm

  I hope this helps... all the best... the rate of responses if deemed useful...

  REDA

• PIX 501 - VPN - based

  Hello

  I am considering the implementation of a vpn pptp on win2k server behind a pix 501 firewall (+ nat) with only 1 static IP address. I will also have to have at least 2-3 Terminal Server client connected simultaneously.

  The Terminal Server service will pass through vpn tunnel.

  Can this be achieved? A local Tech told me that I need at least 2 IP addresses.

  Thank you

  Mike

  For Terminal Server services, you can do it with just an IP address that is assigned to the external interface of the PIX, just create a static mapped port to port 3389 thru peripheral inward.

  For PPTP, you must however an IP address separate, different from that assigned to the PIX outside the int. This is because PPTP uses two TCP/1723 and GRE protocols. You can create a static mapped ports for TCP/1723 through the PPTP server, but you can't do it for the GRE. This is because GRE is not a TCP/UDP protocol, it is located just above IP and has therefore no port number to map through. You need an IP address unique address and card. You config should look like this:

  list of allowed inbound tcp access any host 200.1.1.1 eq 1723

  list of allowed incoming access will any host 200.1.1.1

  Access-group interface incoming outside

  public static 200.1.1.1 (indoor, outdoor) 10.1.1.1 netmask 255.255.255.255

  where 200.1.1.1 is your second (different from the PIX off int) routable IP address 10.1.1.1 is your PPTP server inside

  If you only want to use an IP address, why don't the PIX not set itself up as a PPTP server and put an end to your connections on this. The PPTP client end simply on the PIX outside IP address, and you will not need all the others.

  See http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml for more details.

• Customer Cisco PIX 501 VPN connects but no connection to the local network

  Hi all:

  I am able to make a VPN connection to a PIX 501. The remote client is assigned an IP (192.168.2.1) also, but not able to access all the machines in the local network connected to the PIX.

  I have attached the PIX configuration.

  Advice will be greatly appreciated.

  ********************

  6.3 (5) PIX version

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxxxx

  pixfirewall hostname

  domain ciscopix.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside dhcp setroute

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool ippool 192.168.2.1 - 192.168.2.5

  location of PDM 192.168.2.0 255.255.255.0 outside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  mymap outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup vpn3000 ippool address pool

  vpngroup vpn3000 Server dns 68.87.72.130

  vpngroup vpn3000-wins 192.168.1.100 Server

  vpngroup vpn3000 split tunnel 101

  vpngroup vpn3000 downtime 1800

  password vpngroup vpn3000 *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.1.2 - 192.168.1.33 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:xxxx

  ****************

  The DNS server is the one assigned to me by my ISP.

  My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

  "isakmp nat-traversal 20" can do the trick.

• Cisco Pix 515 VPN problems

  Hi all

  Here's my problem, I have 2 PIX 515 firewall...

  I'm trying to implement a VPN site-to site between 2 of our websites...

  Two of these firewalls currently run another site to site VPN so I know who works...

  I can't do the second site to the site to launch the VPN... when looking on the syslogs I get refused packages...

  Protected networks are:

  172.16.48.0/24 and 172.16.4.0/22

  If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

  2 sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 incoming TCP connection doesn't deny from 172.16.48.4/1231 to 172.16.4.5/135 SYN flags on the interface inside

  It seems that the tunnel is trying to initiate, but something is blocking the internal traffic to penetrate through the VPN.

  Don't know what that might be, the other VPN are working properly.

  Any help would be great...

  I enclose a copy of one of the configs...

  Let me know if you need another...

  no road inside 172.16.4.0 255.255.252.0 172.16.48.1 1

  Remove this path should you get. Please rate if it does. Similarly, if you have a road similar to the other end, it should be deleted as well.

• PIX 501 & VPN Client unable to ping or encrypt traffic?

  I'm new and I work on my CCNA. I have a Setup pix behind a dsl with NAT router that I can not turn off. I create a pin hole for IPSec traffic to port 500 to my pix off if. I can connect correctly the Client VPN software. I think I establish an IKE and IPSec tunnel very well. I used the wizard to configure the VPN. I have a pool dhcp which issues an IP address correctly, and user group with set password. There is no site-to-site VPN, the network is a network of peers without any DNS or WINS server on the local network. I'm lost, frustrated and tired of 45 minutes of driving on this site whenever I want to try to set up a new configuration. It is essentially a off the pix of the box. There not here all configurations at all really. Here is my config.

  6.3 (1) version PIX

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  hostname pix

  domain ciscopix.com

  clock timezone CST - 6

  clock to summer time recurring CDT

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  names of

  inside_outbound_nat0_acl ip access list allow any 10.10.10.0 255.255.255.240

  outside_cryptomap_dyn_20 ip access list allow any 10.10.10.0 255.255.255.240

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside dhcp setroute

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  reset the IP audit attack alarm drop action

  IP local pool pool1 10.10.10.1 - 10.10.10.10

  location of PDM 192.168.12.0 255.255.255.240 outside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Dynamic crypto map outside_dyn_map 20 match address outside_cryptomap_dyn_20

  Crypto-map dynamic outside_dyn_map 20 the transform-set ESP-3DES-MD5 value

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  ISAKMP allows outside

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 md5 hash

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  vpngroup address pool1 pool test

  vpngroup test 1800 idle time

  test vpngroup password *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 15

  VPDN allow outside

  dhcpd address 192.168.1.2 - 192.168.1.33 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  exec banner prohibited unauthorized access

  connection of the banner prohibited unauthorized access

  Banner motd prohibits unauthorized access

  Cryptochecksum:xxx

  : end

  Thank you...

  Hi gkotlin

  mark the request as a problem solved, so that its not seen by others. The rate of the position, if deemed useful... Thank you

• PIX 501 VPN

  Hi, I just got my PIX configured based on the clear capability statement, I got one of you this morning. Now, I'm trying to set up the VPN, I looked at the Cisco site (http://cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor14) but could not understand that we need to follow. Could you please send me the instruction or the link to configure vpn? Also, I don't have the vpn client to test my vpn, how what to do? As you can understand my question, I am new to cisco gear... Thank you.

  Hello

  I'm guessing that you need one of these two virtual private networks.

  -Remote access VPN: where remote allows the Cisco VPN client users to access the resources of the company

  -Site to site VPN: where two systems with IPSEC support establish a VPN tunnel, allowing the internal LAN from different termination points (offices) communicate.

  You can find these two examples on the url you gave.

  If the remote access, I'd watch

  http://Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080702992.shtml

  And then also look at how to set up the split tunneling, then the home user can access the resources of the business AND Internet.

  For the site to site VPN, it depends if your device is a PIX / ASA or a router.

  It will be useful,

  Paulo

• Another "Tough" Pix 501 firewall problem

  Hello

  the other day, I posted a message of support to allow access to the servers from outside. I had recreated the real client installation in a laboratory test - including a simulated bridge - and everything worked perfectly well.

  Now that I tried to install the firewall on the site, I have a BIG problem - no client inside can connect to what anyone on the Internet.

  Here's the relevant part of the config:

  interface ethernet0 car

  interface ethernet1 100full

  access list outside permit tcp any host xxx.115.216.50 eq 3389

  access list outside permit tcp any host xxx.115.216.50 eq 25

  IP address outside xxx.115.216.50 255.255.255.0

  IP address inside 192.168.1.1 255.255.255.0

  Global 1 xxx.115.216.49 (outside)

  NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

  static (inside, outside) tcp 3389 192.168.1.155 interface 3389 netmask 255.255.255.0 0 0

  public static tcp (indoor, outdoor) interface 25 192.168.1.199 25 netmask 255.255.255.0 0 0

  Access-group outside-outside interface

  Route outside 0.0.0.0 0.0.0.0 xxx.115.216.125 1

  dhcpd address 192.168.1.100 - 192.168.1.150 inside

  xxx.185.225.10 dns 192.168.1.199 dhcpd

  dhcpd wins 192.168.1.199

  dhcpd lease 921600

  dhcpd ping_timeout 750

  dhcpd field xxx.local

  dhcpd allow inside

  I ping the PIX inside interface from inside clients... and I can ping anything on the Internet from in the PIX firewall.

  In addition, the servers inside are accessed from the outside (tested to make sure).

  The problem is obviously - no inside clients can access the Internet.

  When I show xlate, I see that translations are actually happening, but there is no connectivity.

  According to the TAC knowledge base article, this configuration should work... by default for connections between the inside and outside are not blocked in any way, unless there is an access list configured. I also tried to disable the access list associated with the external interface. In the last step, I tried to use an IP address in another range for the address part (xxx.185.225.151 and I have addedd a route to the gateway proper with a metric of 2). I guess that nothing has worked...

  Suggestions very apprechiated!

  Cisco routers default arp cache time is 4 hours. I'm not sure of other possible suppliers. Try to install the avec.51 premise to check the operation, if it works, try the adresse.50 again. If you do not have a problem with mail not being is not accessible for about 4 hours maybe let it run long enough to test the theory of the arp...

• Pix 501 VPN no internet Assistant

  Via the VPN right front

  The VPN remote access

  Cisco-Client 3.x or later version

  Group & pre-shared key (no cert)

  EECA, Local

  Pool configured VPN

  .. all the standard stuff.

  I can connect but I can't access the internet.

  Issues related to the:

  Why can I not see my network server? I can sort of map a drive by typing in the folder \\myserve\shared

  Why I can't go on the internet when connected to the VPN?

  5.0.07.0410 VPN client

  PDM 3.0.4

  PIX 6.3.5

  Thank you

  Yes, you can change it.

  By the way, here is a good link to MS:

  Troubleshooting the Network Neighborhood from Microsoft after establishing a VPN Tunnel with the Cisco VPN Client

  HTH.

  Portu.

• Help with vpn pix 501

  I'm setting up a cisco pix 501 vpn tunnel but will have questions. The Firewall works although I am able to get out of the internet, but the VPN does not work. On the primary side, I see that the tunnel is up and the traffic is sent but not received.

  Currently I'm sitting at the secondary location but don't know what the problem maybe. Anyone know what I have wrong which could prevent the data to send from this device?

  Here is my config

  Here's my config if it would help

  See the race
  : Saved
  :
  6.3 (5) PIX version
  interface ethernet0 car
  interface ethernet1 100full
  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  activate 2KFQnbNIdI.2KYOU encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  hostname ciscofirewall
  domain hillsanddales.com
  fixup protocol dns-length maximum 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 5
  fixup protocol rtsp 55
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol 2000 skinny
  fixup protocol smtp 25

  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names of
  access-list 101 permit ip 192.168.80.0 255.255.255.0 192.168.50.0 255.255.255.0
  192.168.80.0 IP Access-list sheep 255.255.255.0 allow 192.168.50.0 255.255.255.0
  in_outside list access permit tcp any host 192.168.50.240
  in_outside list access permit tcp any host 64.90.xxx.xx
  pager lines 24
  Outside 1500 MTU
  Within 1500 MTU
  IP address outside 66.84.xxx.xx 255.255.255.252
  IP address inside 192.168.80.1 255.255.255.0
  alarm action IP verification of information
  alarm action attack IP audit
  location of PDM 192.168.50.0 255.255.255.0 outside
  location of PDM 192.168.80.2 255.255.255.255 inside
  location of PDM 192.168.50.0 255.255.255.0 inside
  location of PDM 182.168.80.0 255.255.255.255 inside
  location of PDM 0.0.0.0 255.255.255.0 inside
  location of PDM 0.0.0.0 255.255.255.255 inside
  location of PDM 192.168.80.5 255.255.255.255 inside
  location of PDM 192.168.80.7 255.255.255.255 inside
  PDM logging 100 information
  history of PDM activate

  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
  Route outside 0.0.0.0 0.0.0.0 66.84.xxx.x
  Route inside 192.168.50.0 255.255.255.0 192.168.50.240 1
  Timeout xlate 0:05:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
  Timeout, uauth 0:05:00 absolute
  GANYMEDE + Protocol Ganymede + AAA-server
  AAA-server GANYMEDE + 3 max-failed-attempts
  AAA-server GANYMEDE + deadtime 10
  RADIUS Protocol RADIUS AAA server
  AAA-server RADIUS 3 max-failed-attempts
  AAA-RADIUS deadtime 10 Server
  AAA-server local LOCAL Protocol
  Enable http server
  http 192.168.80.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  SNMP-Server Community public
  No trap to activate snmp Server
  enable floodguard
  <--- more="" ---="">

  Permitted connection ipsec sysopt
  Crypto ipsec transform-set esp-3des esp-md5-hmac aptset
  aptmap 10 ipsec-isakmp crypto map
  correspondence address card crypto aptmap 10 101
  card crypto aptmap 10 peers set 64.90.xxx.xx
  card crypto aptmap 10 transform-set aptset
  aptmap interface card crypto outside
  ISAKMP allows outside
  ISAKMP key * address 64.90.xxx.xx netmask 255.255.255.255
  ISAKMP identity address
  ISAKMP nat-traversal 20
  part of pre authentication ISAKMP policy 10
  ISAKMP policy 10 3des encryption
  ISAKMP policy 10 md5 hash
  10 2 ISAKMP policy group
  ISAKMP life duration strategy 10 86400
  Telnet 192.168.80.2 255.255.255.255 inside
  Telnet 182.168.80.0 255.255.255.255 inside
  Telnet 192.168.80.5 255.255.255.255 inside
  Telnet 192.168.80.0 255.255.255.0 inside
  Telnet 192.168.80.7 255.255.255.255 inside
  Telnet timeout 5
  SSH timeout 5
  management-access inside

  Console timeout 0
  dhcpd address 192.168.80.2 - 192.168.80.33 inside
  dhcpd dns 64.90.xxx.xx 64.90.xxx.xx
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd outside auto_config
  dhcpd allow inside
  Terminal width 80
  Cryptochecksum:01532689fac9491fae8f86e91e2bd4c0
  : end

  Hello

  At least the NAT0 ACL is not in use

  You should have this added to the configuration

  NAT (inside) 0 access-list sheep

  -Jouni

• PAT on IPSEC VPN (Pix 501)

  Hello

  I work to connect a PIX 501 VPN for a 3rd party hub 3015. The hub requires all traffic to come from a single source IP address. This IP address is assigned to me as z.z.z.z. I have successfully built the VPN and tested by mapping staticly internal IP with the IP address assigned, but cannot get the orders right to do with PAT in order to have more than one computer on the subnet 10.x.x.0. This Pix is also a backup for internet routing and NAT work currently as well for this.

  I can redirect traffic to my subnet to the remote subnet via the VPN, but I can't seem to get the right stuff PAT to the VPN using the assigned IP address. If anyone can give me some advice that would be great.

  lines of current config interesting configuration with static mapping:

  --------------------------------------------------------------------------

  access-list 101 permit ip 10.0.0.0 255.255.255.0 y.y.y.0 255.255.255.0

  access-list 102 permit ip y.y.y.0 255.255.255.0 z.z.z.z host

  access-list 103 allow host ip y.y.y.0 255.255.255.0 z.z.z.z

  IP address outside w.w.w.1 255.255.255.248

  IP address inside 10.0.0.1 255.255.255.0

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static z.z.z.z (Interior, exterior) 10.x.x.50 netmask 255.255.255.255 0 0

  Route outside 0.0.0.0 0.0.0.0 w.w.w.2 1

  correspondence address card crypto mymap 10 103

  mymap outside crypto map interface

  ISAKMP allows outside

  Thank you!

  Dave

  Dave,

  (1) get rid of static electricity. Use more Global/NAT. The static method will create a permanent

  translation for your guests inside and they will always be this way natted. Use

  NAT of politics, on the contrary, as shown here:

  not static (inside, outside) z.z.z.z 10.x.x.50 netmask 255.255.255.255 0 0

  Global (outside) 2 z.z.z.z netmask 255.255.255.255

  (Inside) NAT 2-list of access 101

  (2) the statement, "nat (inside) access 0 2' list will prevent nat of your valuable traffic."

  Delete this because you need to nat 2 nat/global card. (as a general rule, simply you

  If you terminate VPN clients on your device and do not want inside the traffic which

  is intended for the vpn clients to be natted on the external interface).

  (3) with the instructions of Global/nat 2, all traffic destined for the remote network will be first

  translated into z.z.z.z. Then your card crypto using the ACL 103 will encrypt all traffic which

  sources of z.z.z.z for y.y.y.0 24. This translation wil happen only when traffic is destined for the vpn.

  I hope this helps. I have this work on many tunnels as you describe.

  Jamison

• ping for the pix vpn problem

  Hello

  I got a pix 501 (6.3 - 4) on a local network and try to use Cisco VPN Client (4.0.2-D) on a remote pc.

  I can open a vpn session.

  I can't ping from the remote pc to the LAN

  I can ping from any station on the LAN to the remote pc

  After that I did a ping of a station on the LAN to the remote pc, I ping the remote computer to the local network.

  I am so newb, trying for 2 days changing ACLs, no way.

  I must say that I am in dynamic ip wan on the local network and the remote pc.

  Any idea about this problem?

  Any help is welcome.

  Here is the configuration of my pix:

  6.3 (4) version PIX

  interface ethernet0 10baset

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  pixfirewall hostname

  domain ciscopix.com

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  correction... /...

  fixup protocol tftp 69

  names of

  name 192.168.42.0 Dmi

  inside_access_in ip access list allow a whole

  inside_outbound_nat0_acl ip access list allow any 192.168.229.0 255.255.255.0

  outside_cryptomap_dyn_20 ip access list Dmi 255.255.255.0 allow 192.168.229.32 255.255.255.224

  access-list outside_cryptomap_dyn_20 allow icmp a whole

  pager lines 24

  opening of session

  logging trap information

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside the 209.x.x.x.255.255.224

  IP address inside 192.168.42.40 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool dmivpndhcp 192.168.229.1 - 192.168.229.254

  location of PDM 192.168.229.1 255.255.255.255 outside

  209.165.x.x.x.255.255 PDM location inside

  209.x.x.x.255.255.255 PDM location outdoors

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Route outside 0.0.0.0 0.0.0.0 209.165.200.225 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  Dmi 255.255.255.0 inside http

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  TFTP server inside the 192.168.42.100.

  enable floodguard

  Permitted connection ipsec sysopt

  AUTH-prompt quick pass

  AUTH-guest accept good

  AUTH-prompt bad rejection

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  Dynamic crypto map dynmap 20 match address outside_cryptomap_dyn_20

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 chopping sha

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  vpngroup address dmivpndhcp pool dmivpn

  vpngroup dns 192.168.42.20 Server dmivpn

  vpngroup dmivpn wins server - 192.168.42.20

  vpngroup dmivpn by default-field defi.local

  vpngroup idle 1800 dmivpn-time

  vpngroup password dmivpn *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN username vpnuser password *.

  VPDN allow outside

  VPDN allow inside

  dhcpd address 192.168.42.41 - 192.168.42.72 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  Terminal width 80

  Cryptochecksum: *.

  Noelle,

  Add the command: (in config mode): isakmp nat-traversal

  Let me know if it helps.

  Jay

• VPN between cisco unified customer 3.6.3 and Pix 501 6.2 (1) with the MS CA server

  Hello

  I have Microsoft CA server with the latest support CEP and pix 501 that gets the digital certificate. I also have the client certificate of Cisco, but VPN doesn't work

  In the IPSec Log Viewer, I constantly "CM_IKE_ESTABLISH_FAIL."

  It worked well prior to Win2k server has been completely updated with the latest patches.

  The pix configuration is identical to that of article http://www.cisco.com/warp/public/471/configipsecsmart.html

  I reinstall the stand-alone CA and support CEP server but not had any luck.

  What could be wrong?

  It looks like IKE implementation problem. Make DH group 2 policy ISAKMP.

  Visit this link:

  http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_v53/IPSec/exvpncl.htm

• Problems with PIX 501 and Server MS Cert

  Hi all

  I have two problems with my PIX 501:

  1. registration works well. The pix has a certificate and use it with SSL and VPN connections. But after a refill, the pix certificate is lost and it has regenerated again self-signed certificate!

  Yes, I wrote mem and ca records all!

  2. at the request of ca CRL , I get the following debugging:

  Crypto CA thread wakes!

  CRYPTO_PKI: Cannot be named County ava

  CRYPTO_PKI: transaction GetCRL completed

  Crypto CA thread sleeps!

  CI thread wakes!

  And the CRL is empty.

  Does anyone have any idea?

  Bert Koelewijn

  Not sure about 1, but 2 is usually caused by the COP (Point of Distribution of CRL, basically the situation where the PIX can download the Revocation list from) listed in cert CA is in a format the PIX does not, generally an LDAP URL.

  Check the following prayer:

  Open the administration tool of CA (Certification Authority) then

  (1) right click on the name of CA and choose 'properties '.

  2) click on the tab "Policy Module".

  3) click on the button "configure."

  4) click on the tab "X.509 extensions".

  > From there, it can display the list of the "CRL Distribution Points".

  Turn off everything that isn't HTTP.

  You need to reinstall the CERT in the PIX, I think, but then it should be able to download the CRL through HTTP instead of LDAP.