[c-nsp] Pix - Configuring as a VPN conc.

Fri Feb 25 20:07:39 EST 2005

Hi,

I am trying this config from the same LAN (the outside and test VPN
client) . When I sat sh crypto isakmp sa it shows the association with
the client and tells the state as QM_IDLE .No tunnels created .

I tried clear the isakmp put again , modify access-list still the same
.Please help.

Thanks ,

Rijas
EPBX : 6226
VoIP : 248-994-4858

This E-Mail is intended only for the use of the individual or entity to
which it is addressed and may contain information that is privileged,
confidential, and exempt from disclosure. If the reader of this document
is not the intended recipient or an employee or agent responsible for
delivering this document to the intended recipient, you are hereby
notified that any dissemination, distribution, or copying of this
document is strictly prohibited. If you have received this document in
error, please delete it. Thank you. 

-----Original Message-----
From: Brian Feeny [mailto:signal at shreve.net] 
Sent: Saturday, February 26, 2005 3:05 AM
To: ALI Rijas Mannanthara
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Pix - Configuring as a VPN conc.

Was there a question in here somewhere that we missed?

Lets start with "What is the problem you're having?"

Brian

On Feb 25, 2005, at 9:26 AM, ALI Rijas Mannanthara wrote:

> Pease help me ... does version have some problem...
>
>
>
> I attach the config also . I am able to ping the pix outside from my
> test pc.
>
>
>
> PIX Version 6.2(2)
>
> nameif ethernet0 outside security0
>
> nameif ethernet1 inside security100
>
> enable password 8Ry2YjIyt7RRXU24 encrypted
>
> passwd 2KFQnbNIdI.2KYOU encrypted
>
> hostname vpnserver
>
> domain-name covansys.com
>
> fixup protocol ftp 21
>
> fixup protocol http 80
>
> fixup protocol h323 h225 1720
>
> fixup protocol h323 ras 1718-1719
>
> fixup protocol ils 389
>
> fixup protocol rsh 514
>
> fixup protocol rtsp 554
>
> fixup protocol smtp 25
>
> fixup protocol sqlnet 1521
>
> fixup protocol sip 5060
>
> fixup protocol skinny 2000
>
> names
>
> pager lines 24
>
> logging buffered debugging
>
> logging facility 7
>
> interface ethernet0 auto
>
> interface ethernet1 auto
>
> mtu outside 1500
>
> mtu inside 1500
>
> ip address outside 10.6.85.34 255.255.255.0
>
> ip address inside 172.16.17.1 255.255.255.0
>
> ip audit info action alarm
>
> ip audit attack action alarm
>
> ip local pool vpnpool 100.100.100.1-100.100.100.50
>
> pdm history enable
>
> arp timeout 14400
>
> conduit permit icmp any any
>
> route outside 0.0.0.0 0.0.0.0 10.6.85.1 1
>
> timeout xlate 3:00:00
>
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:0
>
> 2:00
>
> timeout uauth 0:05:00 absolute
>
> aaa-server TACACS+ protocol tacacs+
>
> aaa-server RADIUS protocol radius
>
> aaa-server LOCAL protocol local
>
> no snmp-server location
>
> no snmp-server contact
>
> snmp-server community public
>
> no snmp-server enable traps
>
> floodguard enable
>
> sysopt connection permit-ipsec
>
> no sysopt route dnat
>
> crypto ipsec transform-set vpnset esp-des esp-sha-hmac
>
> crypto dynamic-map dynmap 10 set transform-set vpnset
>
> crypto map dialinmap 10 ipsec-isakmp dynamic dynmap
>
> crypto map dialinmap client configuration address initiate
>
> crypto map dialinmap interface outside
>
> isakmp enable outside
>
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
>
> isakmp client configuration address-pool local vpnpool outside
>
> isakmp policy 10 authentication pre-share
>
> isakmp policy 10 encryption 3des
>
> isakmp policy 10 hash md5
>
> isakmp policy 10 group 2
>
> isakmp policy 10 lifetime 86400
>
> vpngroup mygroup address-pool vpnpool
>
> vpngroup mygroup idle-time 1800
>
> vpngroup mygroup password ********
>
> telnet timeout 5
>
> ssh 10.6.85.0 255.255.255.0 outside
>
> ssh timeout 60
>
> terminal width 80
>
> Cryptochecksum:d6cd560dfbf65bd2c901641d762dc318
>
> : end
>
>
>
>
>
> Thanks ,
>
>
>
> Rijas
>
> EPBX : 6226
>
> VoIP : 248-994-4858
>
>
>
> This E-Mail is intended only for the use of the individual or entity
to
> which it is addressed and may contain information that is privileged,
> confidential, and exempt from disclosure. If the reader of this  
> document
> is not the intended recipient or an employee or agent responsible for
> delivering this document to the intended recipient, you are hereby
> notified that any dissemination, distribution, or copying of this
> document is strictly prohibited. If you have received this document in
> error, please delete it. Thank you.
>
>
>
> Confidentiality Statement:
>
> This message is intended only for the individual or entity to which it

> is addressed. It may contain privileged, confidential information  
> which is exempt from disclosure under applicable laws. If you are not

> the intended recipient, please note that you are strictly prohibited  
> from disseminating or distributing this information (other than to the

> intended recipient) or copying this information. If you have received

> this communication in error, please notify us immediately by return  
> email.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------------------------------------------------

------
Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
Network Engineer           			p: 318.213.4709
ShreveNet Inc.             			f: 318.221.6612

Confidentiality Statement:

This message is intended only for the individual or entity to which it is addressed. It may contain privileged, confidential information which is exempt from disclosure under applicable laws. If you are not the intended recipient, please note that you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information. If you have received this communication in error, please notify us immediately by return email.