[fw-wiz] cisco crypto dynamic map problem?

From: Meindert Uitman (meindert.uitman_at_avic.nl)
Date: 05/01/03

  • Next message: Sloane, David: "RE: [fw-wiz] PIX and IIS issue"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 1 May 2003 17:04:35 +0200

    cisco crypto dynamic map problem?

    Here's the story:
    Cisco's VPN client 3.5 once connected to my PIX 515; all worked fine. After
    accidentally overwriting the configuration and re-entering it :-{ , clients
    can connect, but traffic through the PIX isn't possible.

    In short:

    ip local pool defined
    acl 101 permit ip for ip local pool
    acl 102 permit ip for cryptomap 'q'
    nat 0 for acl 101
    static(inside,outside) public_ip_TS_server local_ip netmask

    sysopt connection permit ipsec
    isakmp and vpngroup defined

    crypto ipsec transform-set 'a'
    crypto dynamic-map 'q' nn match adr acl 102
    crypto dynamic-map 'q' nn set transform-set 'a'

    crypto map outside-map nnnn ipsec-isakmp dynamic 'q'
    crypto map outside-map interface outside

    VPN client connects to the outside interface of the PIX.
    Terminal Services tries to connect to the static for the TS server.
    VPN client states 'connected' (correct address from ip local pool). PIX
    logging shows: SAs established.
    After attempts to 'terminal-service' through the PIX, PIX logging shows:
    deny inbound, no xlate src correct_ip_local_pool dst

    Overlooked config several times, could use a pointed stick towards
    Thanks in advance..

    firewall-wizards mailing list
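For reference, here is the complete PIX 6.x skeleton that the summary above abbreviates, written out as an added example. It is not the poster's configuration and not a reply from the list; all names and addresses (the `nonat`/`splittunnel` ACLs, the `vpnpool` pool, the 192.168.x.x and 203.0.113.10 addresses, the `vpngrp` group) are assumptions chosen for illustration. Two things a practitioner checks first when a connected client gets "deny inbound, no xlate" are marked in the comments: the `nat 0` access-list must be written from the inside side (inside LAN as source, client pool as destination), and the client must address the inside IP of the server, not the public address of its `static`, because only the inside address is covered by the NAT exemption and the split-tunnel list.

```cisco
! Added example (PIX 6.x syntax). Assumed addressing, not from the original post:
!   inside LAN       192.168.1.0/24
!   TS server        192.168.1.10 inside, 203.0.113.10 as a static on outside
!   VPN client pool  192.168.2.1-192.168.2.50
ip local pool vpnpool 192.168.2.1-192.168.2.50

! CHECK 1: the nat 0 ACL is evaluated from the inside interface, so the source
! is the inside LAN and the destination is the client pool. With the pool as
! source instead, inside hosts are still NATted, no xlate exists for the client's
! packets, and the PIX logs "Deny inbound (No xlate)".
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Same orientation for the split-tunnel list handed to the client: it tunnels
! traffic to the inside addresses only.
access-list splittunnel permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! CHECK 2: the static publishes the TS server on the outside address for
! non-VPN users. A VPN client must connect to 192.168.1.10, not to
! 203.0.113.10; the public address is neither NAT-exempt nor in the split-tunnel
! list, so traffic to it does not enter the tunnel.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Let decrypted IPsec traffic bypass the interface access-lists.
sysopt connection permit-ipsec

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Group the VPN client 3.x authenticates against; password is a placeholder.
vpngroup vpngrp address-pool vpnpool
vpngroup vpngrp split-tunnel splittunnel
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password CHANGE-ME

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! No "match address" on the dynamic map: the client proposes its own proxy
! identities (its pool address to the protected networks) and the dynamic map
! accepts whatever the peer offers, so a mismatching static ACL here would
! only reject otherwise valid SAs.
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside-map 65535 ipsec-isakmp dynamic dynmap
crypto map outside-map interface outside
```

After applying this, `show xlate` should show no entry for a client-to-server flow (the traffic is exempt), `show crypto ipsec sa` should show the client's pool address paired with the inside network as the proxy identities, and the "no xlate" denial should stop; if it persists, `show access-list nonat` with its hit counts tells you whether the exemption is matching at all.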
