Cisco VPN Client behind PIX
19 years 5 months ago #8633
by Evermick
Dear experts,
I have a problem connecting the VPN to my company. My company uses a Cisco PIX / router to host the VPN and I am using the Cisco VPN Client to connect to the company. I can connect to my company without any problem when not using my PIX 501.
However, when I use my PIX 501, I can still connect to my company but traffic cannot pass through (i.e. I cannot ping or VNC to the company).
Please kindly suggest configuration! Thank you very much!
My current setup is like this:
|My PC|
|My PIX 501|
|DSL|
Internet
|Company Cisco PIX or router|
My home PC IP = 10.1.0.1
My company VPN server = 202.202.202.202
My company subnet = 192.168.251.x (VPN client is assigned an IP from this subnet)
My company PC IP = 172.x.x.103
Relevant PIX config:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit tcp any host 123.123.123.42 range 6881 6999
access-list acl_out permit tcp any host 123.123.123.42 eq 2000
access-list acl_out permit tcp any host 123.123.123.42 eq 6112
access-list acl_out permit tcp any host 123.123.123.42 eq 4000
access-list acl_out permit tcp any host 123.123.123.42 eq 3724
access-list acl_out permit tcp any host 123.123.123.42 range 20000 20019
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any source-quench
access-list acl_out permit tcp any host 123.123.123.42 eq 3389
access-list acl_out permit esp host 202.202.202.202 host 123.123.123.42
access-list acl_out permit ip host 202.202.202.202 host 123.123.123.42
access-list acl_in permit ip any any
access-list nonat permit ip 10.1.0.0 255.255.255.0 172.0.0.0 255.0.0.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list crypto-address permit ip 10.1.0.0 255.255.255.0 172.0.0.0 255.0.0.0
access-list crypto-address permit ip 10.1.0.0 255.255.255.0 192.168.251.0 255.255.255.0
pager lines 24
logging on
logging monitor warnings
logging buffered warnings
logging trap warnings
logging host inside 10.1.0.200
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.1.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 123.123.123.42 10.1.0.1 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
sysopt connection timewait
sysopt connection tcpmss 1402
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
service resetinbound
service resetoutside
crypto ipsec transform-set myset ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address crypto-address
crypto map newmap 10 set peer 202.202.202.202
crypto map newmap 10 set transform-set myset ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-128-MD5 ESP-DES-SHA
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
PS: I tried fixup protocol esp-ike, but no luck
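The following is an added example, not part of the post above and not Cisco's code. It is a small first-match evaluator for PIX 6.x access-list syntax (netmask form, `any`, `host`, `eq`, `range`) loaded with the access-lists quoted in the post, and it reports which entries a few constructed flows select. The flows that the home PIX actually forwards for a Cisco VPN Client are the encapsulated outer packets from 10.1.0.1 to the peer 202.202.202.202 (ISAKMP on UDP/500, NAT-T on UDP/4500, or raw ESP); the plaintext inner flow to the company PC is shown only for contrast, with 172.16.0.103 as a constructed stand-in for the elided 172.x.x.103. ICMP type keywords are ignored by the parser, and the flow and address lists are constructed here rather than taken from any capture.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# access-list lines copied from the configuration quoted in the post above
POSTED_ACLS = """\
access-list acl_out permit tcp any host 123.123.123.42 range 6881 6999
access-list acl_out permit tcp any host 123.123.123.42 eq 2000
access-list acl_out permit tcp any host 123.123.123.42 eq 6112
access-list acl_out permit tcp any host 123.123.123.42 eq 4000
access-list acl_out permit tcp any host 123.123.123.42 eq 3724
access-list acl_out permit tcp any host 123.123.123.42 range 20000 20019
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any source-quench
access-list acl_out permit tcp any host 123.123.123.42 eq 3389
access-list acl_out permit esp host 202.202.202.202 host 123.123.123.42
access-list acl_out permit ip host 202.202.202.202 host 123.123.123.42
access-list acl_in permit ip any any
access-list nonat permit ip 10.1.0.0 255.255.255.0 172.0.0.0 255.0.0.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list crypto-address permit ip 10.1.0.0 255.255.255.0 172.0.0.0 255.0.0.0
access-list crypto-address permit ip 10.1.0.0 255.255.255.0 192.168.251.0 255.255.255.0
"""

Flow = Tuple[str, str, str, Optional[int]]  # (proto, src_ip, dst_ip, dst_port or None)


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str                       # ip | tcp | udp | esp | icmp ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: Optional[int] = None   # None means any destination port
    dport_hi: Optional[int] = None
    line: str = ""


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address term (any | host A | A MASK) starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX 6.x access-lists take a real subnet mask, not an IOS wildcard mask
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """access-list NAME permit|deny PROTO SRC DST [eq N | range A B | icmp-type]"""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _addr(tokens, 4)
    dst, i = _addr(tokens, i)
    lo = hi = None
    if i < len(tokens) and tokens[i] == "eq":
        lo = hi = int(tokens[i + 1])
    elif i < len(tokens) and tokens[i] == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
    # ICMP type keywords (echo-reply, unreachable, ...) are deliberately ignored here
    return AclEntry(name, action, proto, src, dst, lo, hi, line)


def parse_acls(text: str) -> List[AclEntry]:
    return [e for e in (parse_acl_line(l) for l in text.splitlines()) if e]


def first_match(entries: List[AclEntry], acl: str, flow: Flow) -> Optional[AclEntry]:
    """First-match semantics: the entry a flow hits in the named ACL, or None."""
    proto, src, dst, dport = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.name != acl or (e.proto != "ip" and e.proto != proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport_lo is not None and (dport is None or not e.dport_lo <= dport <= e.dport_hi):
            continue
        return e
    return None


def inbound_verdict(entries: List[AclEntry], flow: Flow) -> str:
    """Verdict of acl_out (applied inbound on the outside interface); implicit deny at the end."""
    e = first_match(entries, "acl_out", flow)
    return e.action if e else "deny"


def classify_outbound(entries: List[AclEntry], flow: Flow) -> Dict[str, bool]:
    """Which of the posted outbound ACLs (crypto map match / NAT exemption) a flow selects."""
    return {
        "crypto-address": first_match(entries, "crypto-address", flow) is not None,
        "nonat": first_match(entries, "nonat", flow) is not None,
    }


# Constructed sample flows (not from the post). Peer and home PC addresses are the posted
# ones; 172.16.0.103 is a stand-in for the elided company PC 172.x.x.103.
CLIENT_OUTER_FLOWS: List[Flow] = [
    ("udp", "10.1.0.1", "202.202.202.202", 500),    # ISAKMP
    ("udp", "10.1.0.1", "202.202.202.202", 4500),   # NAT-T encapsulated ESP
    ("esp", "10.1.0.1", "202.202.202.202", None),   # raw ESP
]
INNER_FLOW: Flow = ("tcp", "10.1.0.1", "172.16.0.103", 5900)  # plaintext VNC, for contrast

if __name__ == "__main__":
    entries = parse_acls(POSTED_ACLS)
    for f in CLIENT_OUTER_FLOWS + [INNER_FLOW]:
        print(f, classify_outbound(entries, f))
    for f in [("esp", "202.202.202.202", "123.123.123.42", None),
              ("udp", "202.202.202.202", "123.123.123.42", 4500),
              ("tcp", "203.0.113.5", "123.123.123.42", 5900)]:
        print(f, inbound_verdict(entries, f))
```

Run as a script, it shows that none of the client's outer flows select either `crypto-address` or `nonat` (both ACLs name only the inner company networks, which the client encrypts before the PIX sees them), while the return direction on `acl_out` is permitted by the two host-to-host entries for the peer: raw ESP hits the `esp` entry and UDP/4500 falls through to the `ip` entry. The evaluator is a generic PIX 6.x ACL matcher, so it can be pointed at any other access-list text in the same syntax.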