[c-nsp] PIX 515e VPN

Mark Kelly markk at indigo.ie
Thu Jul 21 20:27:01 EDT 2005


Try removing the line below.

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

----- Original Message ----- 
From: "Alvaro R" <askxfs at gmail.com>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, July 21, 2005 10:26 PM
Subject: [c-nsp] PIX 515e VPN


> Hello, I would like some advice regarding a Cisco PIX 515e.
>
> I am trying to allow road warriors to get access to the inside LAN,
> using the Cisco client (tried versions 4.0.5 and 4.6).
>
> I am able to get the IP for client/dns/wins but I cannot ping or
> anything else, it just won't work.
>
> This PIX is used as a gateway and does NAT for the internal LAN; it also
> connects to a remote PIX via pre-shared keys, and that works just fine.
>
> pertinent config follows:
>
> access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
> access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
> access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
> access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
> access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
> access-list ipsec-road permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
> access-list outside_cryptomap_dyn_20 permit ip any 10.159.2.0 255.255.255.0
>
> ip local pool ippool1 10.159.2.2-10.159.2.253
>
> global (outside) 10 interface
> nat (inside) 0 access-list nonat-inside
> nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
> access-group acl_out in interface outside
> route outside 0.0.0.0 0.0.0.0 ext.gw.ip.here 1
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set remote esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 5000
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set remote
> crypto map remote 10 ipsec-isakmp
> crypto map remote 10 match address ipsec-remote
> crypto map remote 10 set peer *.*.91.112
> crypto map remote 10 set transform-set remote
> crypto map remote 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map remote interface outside
>
> isakmp enable outside
> isakmp key ******** address *.*.91.112 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 5000
>
> vpngroup road address-pool ippool1
> vpngroup road dns-server 10.159.1.1 10.159.1.4
> vpngroup road wins-server 10.159.1.2
> vpngroup road default-domain bla.com
> vpngroup road idle-time 1800
> vpngroup road password ********
>
> Any hints?
>
>
> Thanks,
>
> Alvaro
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
