[c-nsp] PIX 515e VPN
Alvaro R
askxfs at gmail.com
Thu Jul 21 17:26:10 EDT 2005
Hello, I would like some advice regarding a Cisco PIX 515e.
I am trying to allow road warriors to get access to the inside LAN,
using the Cisco client (tried versions 4.0.5 and 4.6).
I am able to get the IP for client/DNS/WINS, but I cannot ping or do
anything else; it just won't work.
This PIX is used as a gateway and does NAT for the internal LAN; it also
connects to a remote PIX via pre-shared keys, and that works just fine.
Pertinent config follows:
access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
access-list ipsec-road permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.159.2.0 255.255.255.0
ip local pool ippool1 10.159.2.2-10.159.2.253
global (outside) 10 interface
nat (inside) 0 access-list nonat-inside
nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 ext.gw.ip.here 1
sysopt connection permit-ipsec
crypto ipsec transform-set remote esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 5000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set remote
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address ipsec-remote
crypto map remote 10 set peer *.*.91.112
crypto map remote 10 set transform-set remote
crypto map remote 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address *.*.91.112 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 5000
vpngroup road address-pool ippool1
vpngroup road dns-server 10.159.1.1 10.159.1.4
vpngroup road wins-server 10.159.1.2
vpngroup road default-domain bla.com
vpngroup road idle-time 1800
vpngroup road password ********
Any hints?
Thanks,
Alvaro
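Editor's note on the posted config: the static crypto map entry (seq 10, match ACL ipsec-remote) permits 10.159.1.0/24 to 10.0.0.0/8, and that /8 contains the road-warrior pool 10.159.2.0/24. On PIX 6.x, crypto map entries are evaluated in sequence order and the first match wins, so return traffic from the inside LAN to a connected client is matched by the site-to-site entry (peer *.*.91.112) before the dynamic entry at seq 65535 is ever consulted. The script below is an added example, not part of the original post or any Cisco tool: it parses the crypto-relevant lines into networks and flags static entries whose ACL, under first-match semantics, permits LAN-to-pool traffic ahead of the dynamic entry. FIXED_CONFIG is a hypothetical corrected variant in which a deny for the pool precedes the 10.0.0.0/8 permit; the checker reports nothing for it.

```python
"""Flag PIX 6.x static crypto map entries whose match ACL shadows a
remote-access client pool (added example; not from the original post)."""
import ipaddress

# Constructed sample: the crypto-relevant lines of the posted config, with the
# wrapped ACL lines rejoined.
POSTED_CONFIG = """\
access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.159.2.0 255.255.255.0
ip local pool ippool1 10.159.2.2-10.159.2.253
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address ipsec-remote
crypto map remote 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map remote interface outside
vpngroup road address-pool ippool1
"""

# Hypothetical fix (assumption, not from the post): deny the client pool in the
# site-to-site ACL before the 10/8 permit so LAN-to-client traffic falls through
# to the dynamic entry.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list ipsec-remote deny ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0\n"
    "access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
)


def _net(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns (network, number of tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), 2


def parse(cfg):
    """Return (acls, pools, maps): ordered ACEs per ACL name, pool networks
    per pool name, and crypto map entries keyed by (map name, sequence)."""
    acls, pools, maps = {}, {}, {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[3] == "ip":
            src, used = _net(t, 4)
            dst, _ = _net(t, 4 + used)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = (ipaddress.ip_address(a) for a in t[4].split("-"))
            pools[t[3]] = list(ipaddress.summarize_address_range(lo, hi))
        elif len(t) > 4 and t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = maps.setdefault((t[2], int(t[3])), {"dynamic": False, "acl": None})
            if "dynamic" in t[4:]:
                entry["dynamic"] = True
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
    return acls, pools, maps


def shadowed_pool_traffic(cfg):
    """List static crypto map entries, sequenced before the dynamic entry, whose
    ACL permits traffic destined to a client pool. Each pool network is walked
    through the ACL in order and the first ACE whose destination overlaps it
    decides (first-match); the source side is not checked, since the concern
    is any LAN-to-client flow. Returns [(map, seq, acl, pool, [dst...]), ...]."""
    acls, pools, maps = parse(cfg)
    dyn_seq = min((seq for (_, seq), e in maps.items() if e["dynamic"]), default=None)
    findings = []
    for (name, seq), entry in sorted(maps.items()):
        if entry["dynamic"] or entry["acl"] is None:
            continue
        if dyn_seq is not None and seq > dyn_seq:
            continue  # evaluated after the dynamic entry; cannot shadow it
        for pool_name, nets in pools.items():
            hits = set()
            for pnet in nets:
                for action, _src, dst in acls.get(entry["acl"], []):
                    if dst.overlaps(pnet):
                        if action == "permit":
                            hits.add(str(dst))
                        break
            if hits:
                findings.append((name, seq, entry["acl"], pool_name, sorted(hits)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, shadowed_pool_traffic(cfg) or "no static entry shadows the pool")
```

Run as-is it reports the posted config's entry `remote 10` / ACL `ipsec-remote` with the offending destination `10.0.0.0/8`, and nothing for the corrected variant. The same check is worth running against the nonat ACL and the remote PIX's mirror ACL whenever a client pool is carved out of an address range that a site-to-site tunnel already claims; the alternative fix is simply to choose a pool outside 10.0.0.0/8 and 192.168.0.0/16.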