PIX VPN problem!
Hello
I am currently having a problem with VPN. The PIX 506E worked fine yesterday, but this morning the problem appeared: the PIX does not do more than 2 VPN client connections. If user A is connected, user B gets cut off, and if user B connects, user A is logged off. I did a write erase and rebuilt the config from the base again, but the problem still occurs. What could the problem be, software or hardware? I am attaching the start of my basic config and the VPN client connection log.
Our network is down now... Help, please.
118 17:07:12.460 12/16/04 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 218.xxx.xxx.161, seq# = 1257657895
119 17:07:12.460 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 218.xxx.xxx.161
120 17:07:17.468 12/16/04 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 218.xxx.xxx.161, seq# = 1257657896
121 17:07:17.468 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 218.xxx.xxx.161
122 17:07:22.475 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 218.xxx.xxx.161
123 17:07:22.475 12/16/04 Sev=Info/5 IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = 695320B5 INBOUND SPI = F0A2471)
124 17:07:22.475 12/16/04 Sev=Info/4 IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=7A8F1E11
125 17:07:22.475 12/16/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=BAF3D743B1D25DD6 R_Cookie=ED5BAEF920BA3244) reason = DEL_REASON_PEER_NOT_RESPONDING
126 17:07:22.475 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 218.xxx.xxx.161
127 17:07:22.475 12/16/04 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x71240a0f
128 17:07:22.475 12/16/04 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0x71240a0f
129 17:07:22.475 12/16/04 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0xb5205369
130 17:07:22.475 12/16/04 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0xb5205369
131 17:07:22.986 12/16/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=BAF3D743B1D25DD6 R_Cookie=ED5BAEF920BA3244) reason = DEL_REASON_PEER_NOT_RESPONDING
132 17:07:22.986 12/16/04 Sev=Info/4 CM/0x63100013
Phase 1 SA deleted because of DEL_REASON_PEER_NOT_RESPONDING. 0 phase 1 SAs currently in the system
133 17:07:22.996 12/16/04 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
134 17:07:23.106 12/16/04 Sev=Info/6 CM/0x63100031
Tunnel to headend device 218.xxx.xxx.161 disconnected: duration: 0 days 0:16:44
135 17:07:23.286 12/16/04 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
138 17:07:23.316 12/16/04 Sev=Info/6 CM/0x63100037
The routing table was returned to original state prior to Virtual Adapter
139 17:07:25.649 12/16/04 Sev=Info/4 CM/0x63100035
The Virtual Adapter was disabled
140 17:07:25.699 12/16/04 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
141 17:07:25.699 12/16/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
142 17:07:25.699 12/16/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
143 17:07:25.699 12/16/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
144 17:07:25.699 12/16/04 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Thank you
Tonny
In your PIX, enter the following command:
isakmp nat-traversal
Similar Questions
-
Hello
I have a PIX 501 (6.3(4)) on a local network and am trying to use the Cisco VPN Client (4.0.2-D) from a remote PC.
I can open a VPN session.
I can't ping from the remote PC to the LAN.
I can ping from any station on the LAN to the remote PC.
After I ping from a station on the LAN to the remote PC, I can ping from the remote computer to the local network.
I am such a newb; I have been trying for 2 days changing ACLs, no luck.
I must say that I have a dynamic WAN IP on both the local network and the remote PC.
Any idea about this problem?
Any help is welcome.
Here is the configuration of my PIX:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
...
fixup protocol tftp 69
names
name 192.168.42.0 Dmi
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
access-list outside_cryptomap_dyn_20 permit icmp any any
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x 255.255.255.224
ip address inside 192.168.42.40 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
pdm location 192.168.229.1 255.255.255.255 outside
pdm location 209.165.x.x 255.255.255.255 inside
pdm location 209.x.x.x 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Dmi 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.42.100
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt quick pass
auth-prompt accept good
auth-prompt reject bad
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dmivpn address-pool dmivpndhcp
vpngroup dmivpn dns-server 192.168.42.20
vpngroup dmivpn wins-server 192.168.42.20
vpngroup dmivpn default-domain defi.local
vpngroup dmivpn idle-time 1800
vpngroup dmivpn password *
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username vpnuser password *
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.42.41-192.168.42.72 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:*
Noelle,
Add the command (in config mode): isakmp nat-traversal
Let me know if it helps.
Jay
-
Hi, I currently have a site-to-site VPN up and running and it works fine. I am trying to bring the other two online and just cannot make them work. I used the same configuration as the working one, but I cannot get the next tunnel up. I saw several errors when debugging isakmp and ipsec; they are at the end of my configs. Anyone have any ideas? Thank you
Main site - has VPN clients connecting to it and pt-to-pt VPN to 3 endpoints
Cisco PIX Firewall Version 6.3(3)
* Main Site Config *
access-list client_vpn permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list client_vpn
sysopt connection permit-ipsec
crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address VPN_to_Site2
crypto map outside_map 60 set peer 64.X.X.19
crypto map outside_map 60 set transform-set fws_encry_set
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 64.X.X.19 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Site 2 config
* Only because the pt-to-pt does not work, I have it set up to allow VPN clients to connect across to the main site.
Cisco PIX Firewall Version 6.3(5) *
access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list VPN_to_Main
sysopt connection permit-ipsec
crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address VPN_to_Main
crypto map outside_map 10 set peer 207.X.X.13
crypto map outside_map 10 set transform-set fws_encry_set
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address 207.X.X.13 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Errors
PIX(config)# IPSEC(sa_initiate): ACL = deny; no sa created
authenticator is HMAC-MD5
IPSEC(validate_proposal): invalid local address
I have a link that works very well. I copied the config from there, changed the IP info, and it does not work. The only differences in the configs are "no sysopt route dnat" and that it's on Version 6.2(2).
IPSEC(sa_initiate): ACL = deny; no sa created
I think that you have configured a VPN tunnel without removing the crypto map from the outside interface. The message above is the error we get in such a situation.
I suggest the following solution:
- remove the crypto map from the outside interface (both PIXes)
- do "clear isakmp sa" and "clear ipsec sa" (both PIXes)
- reapply the crypto map on the outside interfaces.
If this doesn't solve the problem, reboot the equipment.
Kind regards
Ajit
-
I'm trying to implement a simple PIX-to-PIX VPN using the simple PIX-to-PIX VPN sample config documentation page. I have a lot of VPN tunnels with other PIX devices working very happily, so it's quite annoying. Anyway, the source PIX config is as follows:
access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0
nat (phoenix_private) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map ntlink 1 ipsec-isakmp
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.18.126.233
crypto map transam 1 set transform-set chevelle
crypto map transam interface inside
isakmp enable inside
isakmp key * address 172.18.126.233 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
and if I generate traffic, the logs show this:
Aug 9 18:40:15 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:17 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
Aug 9 18:40:18 10.60.6.247 %PIX-3-305005: No translation group found for icmp src phoenix_private:172.18.138.111 dst inside:172.18.133.51 (type 8, code 0)
Aug 9 18:40:19 10.60.6.247 %PIX-3-305005: No translation group found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53
No isakmp or ipsec debug messages appear, but you would expect that, since the PIX does not even match the traffic against the access list or a NAT.
I am doing something obviously stupid; can someone tell me what it is? Thank you.
Jon.
Hello
1. Create a second access list:
access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
and
2. instead of
crypto map transam 1 match address 101
you must configure
crypto map transam 1 match address outside_cryptomap
The problem is that you configured one ACL for both nat and crypto; that does not work.
Regards
Alex
-
VPN client with PAT on Cisco PIX
Dear all,
I have a PIX 515 at the main site with IPSec enabled. Home users using the 3.x VPN client connect to the PIX for VPN access. When the home user uses a real IP, I can ping the main site LAN. However, when the home user uses a router with PAT, the VPN cannot be established.
Is there a setting I should put on the PIX, VPN client or router?
Thank you.
Doug
And if you still have problems, upgrade your PIX to 6.3 and use:
isakmp nat-traversal
But the first thing would be to check the IPSec passthrough as Ade suggested. If the device is a Linksys, check the firmware version as well.
Kind regards
-
Cisco VPN problems after installing the 506E
My apologies if this makes no sense, because it is my first install of a PIX.
I remotely support external sites and had a Cisco VPN 4.6.00.49 connection through our Linksys router for access, which worked a treat. We were asked to provide VPN access into our company, so I replaced the Linksys with a PIX 506E. I ran the wizards (yes, I heard the gasps from 90% of you there); GUI access and Internet out worked, incoming e-mail to the Exchange server worked, and external users could VPN into our internal network. Great, I thought!
BUT NOW
I have a problem with VPN going out through the PIX 506E.
My client connects to the external site, authenticates the login and assigns a valid IP address. Unfortunately I can't ping, RDP or do anything with the remote network.
Thanks in advance
Paul
Paul
Sorry, I wasn't clear in my post: the command was necessary on the remote device. In any case, I'm glad to hear it works.
-
PIX-to-PIX VPN tunnel with the same subnet
I have a customer who wants to set up a PIX VPN tunnel between two sites. For some reason, each side has the same subnet, e.g. 10.10.10.x/32. I'm sure we must run NAT, but is it possible?
This may help
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml
-
VPN clients cannot access remote sites - PIX routing problem?
I have a problem with routing to our company's remote sites when users connect remotely via their VPN client (i.e. home workers).
Our headquarters has a PIX 515E firewall. A number of remote sites connect (via ADSL) to head office using IPSec tunnels terminating on the PIX.
Behind the PIX is a 7206 router with connections to the head office LANs and to a number of ISDN-connected remote sites. The default route on the 7206 points to the PIX firewall, so traffic for the ADSL-connected remote sites goes through the PIX. Internal traffic for the LAN and the ISDN-connected sites is routed via the 7206.
All well and good, and it works very well.
When a user connects remotely using their VPN client (the connection is terminated on the PIX), they get an IP address from the pool configured on the PIX and can access resources located on the head office LANs with no problems.
However, the problem arises when a remote user wants to access a server located in one of the ADSL-connected remote sites: it is impossible to access any of these sites.
On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX, but it made no difference. I think the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this.
Does anyone have suggestions on what needs to be done to allow access to the remote sites for users connected remotely via VPN?
(Note: I have suggested a workaround: users can use a server on the headquarters LAN as a "jump point" to connect to the remote servers from there.)
With PIX v6, no traffic is allowed to be redirected back out the same interface.
For example, a remote user initiates an RDP session to one of the ADSL sites. The PIX decrypts the packet coming in on the outside interface and looks at the destination. Because the destination is one of the ADSL sites, the PIX would have to send the traffic back out the outside interface. Unfortunately, PIX v6.x has a limitation that forces the PIX to drop the packet.
With v7, this restriction was removed with the "same-security-traffic permit intra-interface" command.
-
I can connect, but I don't see all network resources.
The VPN Client, ver. 5.0.01, is running on an XP machine.
It connects to the network behind a PIX 501, ver. 6.3(5).
When the connection is established, the remote client gets an address assigned from the VPN pool 192.168.2.10-192.168.2.25:
The VPN client log shows:
45 18:07:27.898 12/08/09 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.10/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=
It is followed by these lines:
46 18:07:27.968 12/08/09 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.2.1
Interface 192.168.2.10
47 18:07:27.968 12/08/09 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8020a, Gateway: c0a80201.
48 18:07:28.178 12/08/09 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
49 18:07:28.198 12/08/09 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
50 18:07:29.760 12/08/09 Sev=Info/4 CM/0x6310001A
One secure connection established
* ...
I can ping the remote client on an inside IP behind the same PIX when I get the "route add failure" above, but I cannot ping by computer name.
I enabled NAT traversal using the PDM, but when I connect with this option, I get the error that the "remote endpoint is NOT behind a NAT device; this end is behind a NAT device" and ping fails.
Behind the PIX are a few computers with no central server, so I have no WINS server for remote clients.
I created the VPN with the wizard.
The configuration file is attached.
Any suggestion would be appreciated.
Kind regards
Hugh
Hugh, sure, you can rate based on the whole conversation, but you don't have to; just be sure to provide ratings.
To sum up the narrowing-down of the overall problems, the main objective was to ensure the RA VPN configuration on the PIX 501 was corrected.
1. We enabled NAT-T on the firewall, even if it wasn't the issue; you need it if you will do RA from other places, as NAT traversal makes the firewall aware of NAT devices at the other ends. Here is some good information on NAT-T for future reference:
http://www.Microsoft.com/technet/community/columns/cableguy/cg0802.mspx
2. We fixed the VPN-POOL /28 network as well as the access list and ACL to be consistent with the crypto map.
Here is a link for future reference with many PIX configuration scenarios
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html
Finally, your only remaining question, we can say, is purely isolated to the VPN client software and the Mac machine.
You could maybe try a different version of the client on the Mac, and also look at the release notes for open caveats regarding the Cisco client versions and Mac versions, in case there are problems.
http://www.Cisco.com/en/us/products/sw/secursw/ps2308/prod_release_notes_list.html
Regards
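The two Cisco VPN Client logs in this thread (the DPD sequence ending in DEL_REASON_PEER_NOT_RESPONDING at the top of the page, and Hugh's AddRoute failure above) are exactly the events worth pulling out of a long client log automatically. The parser below is an added example, not code from the thread or from Cisco. Its log excerpt is constructed to mirror the shape of the posted lines (peer address taken from a documentation range), the header layout "N HH:MM:SS.mmm MM/DD/YY Sev=Level/n MODULE/0xCODE" is assumed from those posts, and the DPD_ACK message shape it looks for is an assumption as well.

```python
import re

# Header layout assumed from the client log lines posted in this thread
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)$")

# Constructed excerpt in the shape of the two posted logs (not the originals)
SAMPLE_LOG = """\
118 17:07:12.460 12/16/04 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 198.51.100.161, seq# = 1257657895
119 17:07:12.460 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 198.51.100.161
120 17:07:17.468 12/16/04 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 198.51.100.161, seq# = 1257657896
121 17:07:17.468 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 198.51.100.161
122 17:07:22.475 12/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL)  to 198.51.100.161
125 17:07:22.475 12/16/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=BAF3D743B1D25DD6 R_Cookie=ED5BAEF920BA3244) reason = DEL_REASON_PEER_NOT_RESPONDING
134 17:07:23.106 12/16/04 Sev=Info/6 CM/0x63100031
Tunnel to headend device 198.51.100.161 disconnected: duration: 0 days 0:16:44
45 18:07:27.898 12/08/09 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.10/255.255.255.0
46 18:07:27.968 12/08/09 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.2.1
Interface 192.168.2.10
"""


def parse_events(text):
    """Group each header line with the message line(s) that follow it."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            events.append({"line": int(m[1]), "time": m[2], "date": m[3], "sev": m[4],
                           "module": m[6], "code": m[7].upper(), "msg": ""})
        elif events:
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events


def dpd_timeouts(events):
    """Peers dropped because DPD requests went unanswered: how many requests were
    outstanding and how long the tunnel had been up when the client tore it down."""
    pending, dropped = {}, {}
    for e in events:
        msg = e["msg"]
        if m := re.search(r"Sending DPD request to (\S+),", msg):
            pending[m[1]] = pending.get(m[1], 0) + 1
        elif m := re.search(r"NOTIFY:DPD_ACK\) from (\S+)", msg):   # assumed ack shape
            pending[m[1]] = 0
        elif "Marking IKE SA for deletion" in msg and "DEL_REASON_PEER_NOT_RESPONDING" in msg:
            for peer, n in pending.items():
                if n:
                    dropped[peer] = {"unanswered_dpd": n, "at": e["time"], "duration": None}
            pending = {}
        elif m := re.search(r"Tunnel to headend device (\S+) disconnected: duration: (.+)$", msg):
            if m[1] in dropped:
                dropped[m[1]]["duration"] = m[2]
    return dropped


def route_add_failures(events):
    """Routes the client failed to install, with the OS error code it reported."""
    found = []
    for e in events:
        if m := re.search(r"AddRoute failed to add a route: code (\d+) Destination (\S+) "
                          r"Netmask (\S+) Gateway (\S+)", e["msg"]):
            found.append({"code": int(m[1]), "destination": f"{m[2]}/{m[3]}",
                          "gateway": m[4], "at": e["time"]})
    return found


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("DPD timeouts:", dpd_timeouts(ev))
    print("Route failures:", route_add_failures(ev))
```

Run it against a saved client log instead of SAMPLE_LOG and a peer listed by dpd_timeouts with several unanswered requests is the "peer stopped responding" signature from the first post; a NAT device between client and PIX that drops the UDP 500 flow mid-session produces exactly that, which is why the answer is NAT-T.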
-
Hi all
Here's my problem: I have 2 PIX 515 firewalls...
I'm trying to implement a site-to-site VPN between 2 of our sites...
Both of these firewalls currently run another site-to-site VPN, so I know they work...
I can't get the second site-to-site VPN to come up... when looking at the syslogs I get denied packets...
Protected networks are:
172.16.48.0/24 and 172.16.4.0/22
If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:
2 Sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 Inbound TCP connection denied from 172.16.48.4/1231 to 172.16.4.5/135 flags SYN on interface inside
It seems that the tunnel is trying to initiate, but something is blocking the internal traffic from going through the VPN.
Don't know what that might be; the other VPNs are working properly.
Any help would be great...
I enclose a copy of one of the configs...
Let me know if you need the other...
no route inside 172.16.4.0 255.255.252.0 172.16.48.1 1
Removing this route should get you going. Please rate if it does. Similarly, if you have a similar route on the other end, it should be deleted as well.
-
VPN access to PIX problem.
I set up PPTP VPN access on a PIX 515 with an unrestricted license for Windows-based computers. I can connect, but I'm unable to access any resources on the network. I suspect this has something to do with the access lists, but I don't know where to start. Here's the relevant part of the PIX config:
access-list all-traffic permit ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
.
ip address outside x.x.x.130 255.255.255.252
ip address inside 192.168.254.1 255.255.255.0
ip address DMZ1 x.x.x.97 255.255.255.224
ip address DMZ2 192.168.251.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.254.201-192.168.254.254
.
global (outside) 1 x.x.x.65-x.x.x.93 netmask 255.255.255.224
global (outside) 1 x.x.x.94 netmask 255.255.255.224
nat (inside) 1 access-list all-traffic 0 0
nat (DMZ1) 1 access-list all-traffic 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
.
sysopt connection permit-pptp
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local vpnpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username * password *
vpdn enable outside
dhcpd address 192.168.254.100-192.168.254.200 inside
dhcpd dns x.x.x.131 x.x.x.200
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
Looks like you forgot to add a "nat 0" statement so that there is no PAT between your local inside network and the PPTP DHCP pool.
The PPTP pool must be different from the inside subnet, otherwise it is not routed correctly.
no ip local pool vpnpool 192.168.254.201-192.168.254.254
# Choose a new network for the PPTP pool that is not in use
# In my example it is 192.168.1.0/24
ip local pool vpnpool 192.168.1.1-192.168.1.254
access-list 101 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
See this site for more information:
http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX & s = Software_Configuration
see PPTP
Sincerely
Patrick
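Four of the answers in this thread come down to one-line checks against the PIX config: Jay's "isakmp nat-traversal", Alex's separate ACLs for nat 0 and the crypto map, the "no route inside ..." reply, and Patrick's pool that must not sit inside the inside subnet. The script below applies all four to a PIX 6.x config. It is an added example, not code from the thread or from Cisco: the two configs it contains are constructed (one with every pitfall, one corrected as the answers suggest), the check names are my own, and it assumes the PIX 6.x CLI spelling used in the posts.

```python
import ipaddress
import re

# Constructed config carrying all four pitfalls raised in the answers above
SAMPLE_BROKEN = """\
ip address outside 209.165.200.226 255.255.255.224
ip address inside 192.168.254.1 255.255.255.0
ip local pool vpnpool 192.168.254.201-192.168.254.254
access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map transam 1 match address 101
crypto map transam interface outside
route inside 172.18.133.0 255.255.255.0 192.168.254.2 1
"""

# The same box with the corrections the answers suggest
SAMPLE_FIXED = """\
ip address inside 192.168.254.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
access-list outside_cryptomap permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map transam 1 match address outside_cryptomap
crypto map transam interface outside
isakmp nat-traversal 20
"""

MATCH_ADDR = r"crypto (?:dynamic-)?map \S+ \d+ match address (\S+)"

def _lines(config):
    return [l.strip() for l in config.splitlines() if l.strip()]

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _acl_dst(line):
    """(name, destination network) of a 'permit ip' ACE; None for any/host/names."""
    m = re.match(r"access-list (\S+) permit ip (.*)", line)
    tok = m[2].split() if m else []
    i = 1 if tok[:1] == ["any"] else 2              # skip the source clause
    if len(tok) - i == 2 and tok[i][0].isdigit():
        return m[1], _net(tok[i], tok[i + 1])
    return (m[1] if m else None), None

def check_nat_traversal(config):
    """Jay's fix: clients or peers behind PAT need NAT-T (UDP 4500) enabled."""
    if any(re.match(r"isakmp nat-traversal\b", l) for l in _lines(config)):
        return []
    return ["isakmp nat-traversal is not enabled; VPN clients behind PAT will fail"]

def check_shared_acl(config):
    """Alex's fix: one ACL must not serve both 'nat 0' and a crypto map."""
    nat0, crypto = set(), set()
    for l in _lines(config):
        if m := re.match(r"nat \(\S+\) 0 access-list (\S+)", l):
            nat0.add(m[1])
        elif m := re.match(MATCH_ADDR, l):
            crypto.add(m[1])
    return [f"access-list {a} is used for both nat 0 and a crypto map; use separate ACLs"
            for a in sorted(nat0 & crypto)]

def check_pool_overlap(config):
    """Patrick's fix: the VPN address pool must not sit inside an interface subnet."""
    ifaces = {m[1]: _net(m[2], m[3]) for l in _lines(config)
              if (m := re.match(r"ip address (\S+) (\S+) (\S+)", l))}
    issues = []
    for l in _lines(config):
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", l):
            ends = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for name, net in ifaces.items():
                if any(ip in net for ip in ends):
                    issues.append(f"pool {m[1]} overlaps the {name} subnet {net}; pick an unused network")
    return issues

def check_route_to_remote(config):
    """The 'no route inside ...' reply: a static route to a crypto-protected network
    out of a non-crypto interface steers that traffic away from the tunnel."""
    acl_dsts, protected, crypto_ifs = {}, set(), set()
    for l in _lines(config):
        name, dst = _acl_dst(l)
        if dst is not None:
            acl_dsts.setdefault(name, set()).add(dst)
        elif m := re.match(MATCH_ADDR, l):
            protected |= acl_dsts.get(m[1], set())   # ACLs precede the map in a PIX config
        elif m := re.match(r"crypto map \S+ interface (\S+)", l):
            crypto_ifs.add(m[1])
    issues = []
    for l in _lines(config):
        m = re.match(r"route (\S+) (\S+) (\S+) \S+", l)
        if m and m[1] not in crypto_ifs:
            net = _net(m[2], m[3])
            if net.prefixlen and any(net.overlaps(p) for p in protected):
                issues.append(f"route {m[1]} {net} sends crypto-protected traffic away from {sorted(crypto_ifs)}; remove it")
    return issues

def lint(config):
    """Run every check and return the combined findings."""
    return (check_nat_traversal(config) + check_shared_acl(config)
            + check_pool_overlap(config) + check_route_to_remote(config))
```

Feed it the text of "show run" (the Noelle config earlier on the page parses as-is once the masked addresses are filled in) and compare the findings for a working box against a failing one; an empty list for the working box is the sanity check that the regexes match your config's spelling.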
-
VPN connection problems between two PIX firewalls
Hi, I'm trying to create a VPN between two PIX firewalls, a 501 and a 506E.
Currently on the 506E the PDM shows 1 IKE tunnel in the stats, but it then drops back to zero. Both PIX hosts can access the web and ping each other's gateways.
I posted the 506E config, but the 501 config is the same.
outside IP for PIX 506E = a.a.a.a
outside IP for PIX 501 = b.b.b.b
ISP gateway IP for the 506E = x.x.x.x
Thank you
Alex
Hi Alex
Without seeing the configuration on the other side (PIX 501) it will be difficult to solve; you'll need to be sure whether it is a phase 1 or a phase 2 failure.
Please note that between the two PIXes, IPSec negotiation fails if either of the IKE phase SAs does not match on the peers.
Cordially, MJ
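MJ's point, that both the phase 1 policy and the phase 2 proposal have to agree on the two peers, can be checked from the two configs before touching either box. The script below does that for PIX 6.3-style configs. It is an added example, not code from the thread or from Cisco; the two peer configs are constructed in the shape of the main-site and site-2 configs posted earlier on this page (the second one deliberately disagrees on the IKE hash and the ESP authenticator), and it assumes the isakmp policy defaults from the PIX 6.3 command reference for attributes a policy leaves unset.

```python
import re

# PIX 6.3 isakmp policy defaults for attributes a policy does not set explicitly
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                   "hash": "sha", "group": "1", "lifetime": "86400"}

# Constructed peer configs in the shape of the ones posted in this thread
MAIN_SITE = """\
access-list VPN_to_Site2 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set fws_encry_set esp-3des esp-md5-hmac
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address VPN_to_Site2
crypto map outside_map 60 set peer 203.0.113.19
crypto map outside_map 60 set transform-set fws_encry_set
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Site 2 as someone might have "copied" it: hash and ESP authenticator disagree
SITE2_BROKEN = """\
access-list VPN_to_Main permit ip 192.168.0.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto ipsec transform-set fws_encry_set esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address VPN_to_Main
crypto map outside_map 10 set peer 198.51.100.13
crypto map outside_map 10 set transform-set fws_encry_set
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

SITE2_FIXED = SITE2_BROKEN.replace("esp-sha-hmac", "esp-md5-hmac").replace("hash sha", "hash md5")


def parse(config):
    """Extract isakmp policies, transform sets, crypto-map entries and crypto ACLs."""
    policies, tsets, maps, acls = {}, {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp policy (\d+) (\w+) (\S+)", line):
            policies.setdefault(m[1], dict(POLICY_DEFAULTS))[m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            maps.setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := re.match(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)", line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))
    return {"policies": policies, "tsets": tsets, "maps": maps, "acls": acls}


def phase1_match(a, b):
    """True if some policy pair agrees on authentication, encryption, hash and group.
    Lifetime is left out: the peers settle on the shorter of the two."""
    keys = ("authentication", "encryption", "hash", "group")
    return any(all(pa[k] == pb[k] for k in keys)
               for pa in a["policies"].values() for pb in b["policies"].values())


def phase2_issues(a, b):
    """Crypto-map entries on A whose transform set or crypto ACL has no mirror on B."""
    issues = []
    for (name, seq), entry in a["maps"].items():
        ts = a["tsets"].get(entry.get("set transform-set"))
        if ts not in b["tsets"].values():
            issues.append(f"{name} {seq}: transform set {sorted(ts or [])} has no equal on the peer")
        mirror = {(dst, src) for src, dst in a["acls"].get(entry.get("match address"), set())}
        if not any(mirror == b["acls"].get(e.get("match address"), set()) for e in b["maps"].values()):
            issues.append(f"{name} {seq}: crypto ACL is not mirrored on the peer")
    return issues


def compare(config_a, config_b):
    """Every reason the two peers would fail to bring the tunnel up."""
    a, b = parse(config_a), parse(config_b)
    issues = [] if phase1_match(a, b) else [
        "phase 1: no isakmp policy agrees on authentication/encryption/hash/group"]
    return issues + phase2_issues(a, b)


if __name__ == "__main__":
    print(compare(MAIN_SITE, SITE2_BROKEN))
    print(compare(MAIN_SITE, SITE2_FIXED))
```

Run it in both directions (A against B and B against A) so that an extra crypto-map entry on either side is reported; a phase 1 finding corresponds to the MM (main mode) failing in "debug crypto isakmp", a phase 2 finding to the QM proposal being rejected after phase 1 completes.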
-
Hi, I implemented a project some time back which went something like this: a headquarters site where a PIX 515E is installed with a public static IP on its outside interface, and three remote sites, each connecting to the Internet through 837 ADSL routers with a dynamic public IP address. I configured the firewall and routers for EzVPN (the router is configured in client mode), and the VPN tunnel comes up and works fine. Of course, when there is no interesting traffic through the tunnel and the idle timer on the PIX expires, the tunnel goes down. That is also fine. The problem is that once the tunnel goes down, it does not come back up automatically when interesting traffic passes through the router (which is what is supposed to happen). I used the console and ran debugging on one of the routers and noticed that once the tunnel goes down and the router tries to bring it up again, it gives the message:
"Key pair for this "XXX.XX.XX.XX" Mask "XX/XX" already exists." Then, when I issue the command "clear crypto isakmp sa", the tunnel comes up immediately. I already posted this question before (link: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6e4b2). Maybe it has something to do with Dead Peer Detection on the PIX and the router. In any case, I have configured the following command on the router and the PIX:
crypto isakmp keepalive 2 10
but it still does not solve the problem. The router's IOS version is 12.3(2)XC2 and the PIX OS version is 6.3(3). I am also attaching the PIX and router configs to this post. What else can be done to solve the problem?
I replied to your last message.
As I said, you need at least 12.3(7) for it to work correctly.
You need at least 12.3(7)T for Dead Peer Detection to work and to send the keepalive interval you want:
crypto isakmp keepalive [interval] [secs until counted dead] periodic
for example:
crypto isakmp keepalive 15 5 periodic
The keyword "periodic" is not available until 12.3(7) or later.
crypto isakmp keepalive 2 10
without "periodic" does nothing; you need periodic keepalives.
crypto isakmp keepalive 2 10 periodic
will maintain the tunnel, and the headend device will know if/when it falls. It should be applied to the router and the PIX in your situation.
I worked through this issue before with IOS EzVPN (12.3(11)T) to PIX (6.3(3)), and IOS EzVPN to a VPN3000 (4.1) hub for the basic VPN.
Also... http://www.Cisco.com/en/us/products/SW/iosswrel/ps5207/products_feature_guide09186a00801ee19a.html
-
Hi all,
I have a problem with an IPSec VPN established between a PIX 515E and a Nortel Contivity 1010. I did the tunnel configuration on both sides and it comes up correctly, but I can't get communication between the two LANs.
In the PIX log I see this:
2010-03-18 08:57:52 Local7.Info 172.17.1.250 Mar 18 08:57:52 WEST: %PIX-6-602302: deleting SA, (sa) sa_dest= 62.48.238.3, sa_prot= 50, sa_spi= 0x3fcc692a(1070360874), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 4
2010-03-18 08:57:52 Local7.Info 172.17.1.250 Mar 18 08:57:52 WEST: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.223.214.52, sa_prot= 50, sa_spi= 0x1f7f65(2064229), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 3
This line appears every 2 minutes... Is it possible that it is causing my problem? And what does that message mean?
Here is my PIX configuration:
For me, this configuration is fine, but it's not working very well!
Can you help me please?
Kind regards
In fact, it corresponds to the following:
local ident (addr/mask/prot/port): (AENOR_ALL/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
current_peer: 213.223.214.52:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 60, #pkts decrypt: 60, #pkts verify 60
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
So packets are received and decapsulated; however, no response is being encapsulated.
Please configure "fixup protocol icmp error" for ICMP inspection.
Please check on the host 172.17.1.7 itself whether the default gateway is configured to be 172.17.1.250 and that the host has no other specific routes configured. If it is a Windows host, you can check with "route print" at the DOS prompt.
Please also check whether it allows incoming RDP sessions. Are you able to RDP to it from in-house?
Are you able to telnet to port 3389 from the DOS command prompt (telnet 172.17.1.7 3389)? What did you find?
-
Hi all, I built a site-to-site IPsec tunnel between an ASA 5510 and a PIX. The tunnel is up, and most of the time traffic flows between the source and destination LANs as planned. The problem is that we need the ASA to send syslog messages through the VPN tunnel to a syslog server at the PIX site. From a router at the ASA site, I can ping the syslog server at the PIX site. The following statement is in the ASA:
route outside pix.net.addr sub.net.mask next.hop
But in the ASA log I see "Routing failed" messages for the traffic from the ASA to the syslog server.
Apr 08 2010 08:32:01 ASA5510: %ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.xx.x.xx/0 to inside:172.xx.x.xx/0
Any thoughts?
Thank you
Robert
Hello
The public IP address of the ASA must be in the interesting traffic for this tunnel (since it's the IP the logs are going to be sent from).
Also, the IP address of the syslog server must be in the interesting traffic.
In other words, you should be able to ping from the ASA to the syslog server (through the tunnel).
Federico.