[c-nsp] PIX 515e VPN

Alvaro R askxfs at gmail.com
Fri Jul 22 11:02:58 EDT 2005


That allows internet access, but I still can't ping inside hosts :(

Thanks

On 7/22/05, Tim Bulger <timb at phreakocious.net> wrote:
> How about:
> 
> access-list split-tunnel permit ip 10.159.1.0 255.255.255.0 any
> vpngroup road split-tunnel split-tunnel
> 
> ?
> 
> -Tim
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alvaro R
> Sent: Thursday, July 21, 2005 8:16 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX 515e VPN
> 
> I'm 6.3(3), and per your advice I added
> 
> isakmp nat-traversal 20
> 
> 
> didn't work either :(
> 
> 
> 
> On 7/21/05, Jim McBurnett <jim at tgasolutions.com> wrote:
> > Look up the ISAKMP nat-transparency command....
> > Later,
> > Jim
> >
> > -----Original Message-----
> > From: Alvaro R [mailto:askxfs at gmail.com]
> > Sent: Thursday, July 21, 2005 5:26 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] PIX 515e VPN
> >
> > Hello, I would like some advice regarding a Cisco PIX 515e.
> >
> > I am trying to allow road warriors to get access to the inside LAN,
> > using the Cisco client (tried versions 4.0.5 and 4.6).
> >
> > I am able to get the IP for client/dns/wins but I cannot ping or
> > anything else, it just won't work.
> >
> > This PIX is used as a gateway and does NAT for the internal LAN. It also
> > connects to a remote PIX using pre-shared keys; that works just fine.
> >
> > Pertinent config follows:
> >
> > access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
> > access-list ipsec-remote permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
> > access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.0.0.0 255.0.0.0
> > access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 192.168.0.0 255.255.0.0
> > access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
> > access-list ipsec-road permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
> > access-list outside_cryptomap_dyn_20 permit ip any 10.159.2.0 255.255.255.0
> >
> > ip local pool ippool1 10.159.2.2-10.159.2.253
> >
> > global (outside) 10 interface
> > nat (inside) 0 access-list nonat-inside
> > nat (inside) 10 0.0.0.0 0.0.0.0 dns 0 0
> > access-group acl_out in interface outside
> > route outside 0.0.0.0 0.0.0.0 ext.gw.ip.here 1
> >
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set remote esp-3des esp-md5-hmac
> > crypto ipsec security-association lifetime seconds 5000
> > crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> > crypto dynamic-map outside_dyn_map 20 set transform-set remote
> > crypto map remote 10 ipsec-isakmp
> > crypto map remote 10 match address ipsec-remote
> > crypto map remote 10 set peer *.*.91.112
> > crypto map remote 10 set transform-set remote
> > crypto map remote 65535 ipsec-isakmp dynamic outside_dyn_map
> > crypto map remote interface outside
> >
> > isakmp enable outside
> > isakmp key ******** address *.*.91.112 netmask 255.255.255.255
> > isakmp identity address
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption 3des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 5000
> >
> > vpngroup road address-pool ippool1
> > vpngroup road dns-server 10.159.1.1 10.159.1.4
> > vpngroup road wins-server 10.159.1.2
> > vpngroup road default-domain bla.com
> > vpngroup road idle-time 1800
> > vpngroup road password ********
> >
> > Any hints?
> >
> >
> > Thanks,
> >
> > Alvaro
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> 
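The thread turns on two things: whether the client pool handed out by `ip local pool` is exempted from NAT by the `nat (inside) 0` ACL, and whether the split-tunnel ACL covers the inside network the clients need to reach. As an added example that is not part of any post in the thread, the Python below parses those PIX 6.3 statements from a constructed config modelled on Alvaro's and flags either mismatch; the checks, function names and sample lines are my own assumptions about what to audit, not Cisco's.

```python
import ipaddress

# Constructed sample in PIX 6.3 syntax, modelled on the thread's config (not a real device dump).
SAMPLE = """
access-list nonat-inside permit ip 10.159.1.0 255.255.255.0 10.159.2.0 255.255.255.0
access-list split-tunnel permit ip 10.159.1.0 255.255.255.0 any
ip local pool ippool1 10.159.2.2-10.159.2.253
nat (inside) 0 access-list nonat-inside
vpngroup road address-pool ippool1
vpngroup road split-tunnel split-tunnel
"""

def _addr(tokens):
    # Consume 'any' or 'ip mask' from tokens; return (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Extract the statements tying a vpngroup to its pool, NAT exemption and split tunnel."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            cfg["acls"].setdefault(t[1], []).append((src, _addr(rest)[0]))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif len(t) > 4 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]
        elif len(t) > 3 and t[0] == "vpngroup":
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg

def check_group(cfg, group):
    """Return findings for one remote-access vpngroup; an empty list means nothing found."""
    g = cfg["groups"].get(group, {})
    pool = cfg["pools"].get(g.get("address-pool"))
    if pool is None:
        return [f"{group}: no address-pool configured"]
    nat0, findings = cfg["acls"].get(cfg["nat0"], []), []
    # Every pool address must be a nat 0 destination, else inside hosts' replies are NATed.
    addrs = (ipaddress.ip_address(a) for a in range(int(pool[0]), int(pool[1]) + 1))
    if not all(any(a in d for _, d in nat0) for a in addrs):
        findings.append(f"{group}: pool {pool[0]}-{pool[1]} is not exempted from NAT by '{cfg['nat0']}'")
    # Each NAT-exempt inside network must be a tunneled source; no split-tunnel ACL tunnels everything.
    st = g.get("split-tunnel")
    tunneled = [s for s, _ in cfg["acls"].get(st, [])] if st else [ipaddress.ip_network("0.0.0.0/0")]
    for net in {s for s, _ in nat0}:
        if not any(net.subnet_of(s) for s in tunneled):
            findings.append(f"{group}: {net} is missing from split-tunnel ACL '{st}'")
    return findings
```

Run against a real `show running-config` the parser ignores everything but these four statement types, so it complements rather than replaces `debug crypto isakmp` on the box.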