[fw-wiz] cisco crypto dynamic map problem?

From: Meindert Uitman (meindert.uitman_at_avic.nl)
Date: 05/01/03

  • Next message: Sloane, David: "RE: [fw-wiz] PIX and IIS issue"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 1 May 2003 17:04:35 +0200
    

    cisco crypto dynamic map problem?

    Here's the story:
    Cisco's VPN client 3.5 once connected to my PIX 515. All worked fine. After
    accidentally overwriting the configuration, and re-entering it, :-{ , clients
    can connect, but traffic through the PIX isn't possible.

    In short:

    ip local pool defined
    acl 101 permit ip for ip local pool
    acl 102 permit ip for cryptomap 'q'
    nat 0 for acl 101
    static(inside,outside) public_ip_TS_server local_ip netmask

    sysopt connection permit-ipsec
    isakmp and vpngroup defined

    crypto ipsec transform-set 'a'
    crypto dynamic-map 'q' nn match address acl 102
    crypto dynamic-map 'q' nn set transform-set 'a'

    crypto map outside-map nnnn ipsec-isakmp dynamic 'q'
    crypto map outside-map interface outside

    VPN client connects to outside interface of the PIX.
    Terminal Services tries to connect to the static for the TS server.
    VPN client states 'connected' (correct address from ip local pool). PIX
    logging shows: SAs established.
    After attempts to 'terminal-service' through the Pix, Pix logging shows:
    deny inbound, no xlate src correct_ip_local_pool dst
    outside_publ_addr_client_machine

    Overlooked config several times, could use a pointed stick towards
    solution..
    Thanks in advance..

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
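As an added illustration of how the pieces listed in the post fit together (this is not configuration from the post or from Cisco), the fragment below writes the same elements out in PIX 6.x syntax. The interface names, pool range, inside subnet, TS server address, public address and the map, pool and group names are assumed values chosen for the example. The relationship it makes visible is that the pool range handed to the client must be the one referenced by both the nat 0 access list and the dynamic map's crypto access list, and that with these access lists tunnelled traffic targets the server's inside address, not the public address of its static.

```cisco
! Constructed example values (assumptions, not taken from the post):
!   inside LAN        10.1.1.0/24, TS server 10.1.1.10
!   VPN client pool   192.168.100.0/24 ("vpnpool")
!   public address of the TS server static: 203.0.113.10 (placeholder)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! acl 101: identity NAT so inside hosts reach pool addresses untranslated
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101

! acl 102: interesting traffic for the dynamic map; same inside->pool pair as 101
access-list 102 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! static for the TS server; used for untunnelled access to the public address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! decrypted IPsec traffic bypasses the interface access lists
sysopt connection permit-ipsec

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! group the client authenticates to; it receives an address from vpnpool
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients password <group-secret-placeholder>

crypto ipsec transform-set a esp-3des esp-sha-hmac
crypto dynamic-map q 10 match address 102
crypto dynamic-map q 10 set transform-set a
crypto map outside-map 65535 ipsec-isakmp dynamic q
crypto map outside-map interface outside
```

With a client connected, `show crypto ipsec sa` confirms the security associations and `show xlate` shows whether a translation slot exists for the pool address. A "no xlate" denial means the PIX found no translation for the inbound packet, so any mismatch between the pool, the addresses in access list 101 and the static shows up there; the access lists above also mean that traffic a client sends to the public static address does not match access list 102 and is not carried inside the tunnel.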

