[fw-wiz] Cisco VPN Client Behind a Cisco PIX or Router
From: Al Cooper (alc_at_tlynx.com)
Date: 09/01/04
- Previous message: Paul D. Robertson: "Re: [fw-wiz] VPN endpoints"
- Next in thread: Al Cooper: "Re: [fw-wiz] Cisco VPN Client Behind a Cisco PIX or Router"
- Maybe reply: Al Cooper: "Re: [fw-wiz] Cisco VPN Client Behind a Cisco PIX or Router"
- Maybe reply: Melson, Paul: "RE: [fw-wiz] Cisco VPN Client Behind a Cisco PIX or Router"
- Reply: james: "Re: [fw-wiz] Cisco VPN Client Behind a Cisco PIX or Router"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 01 Sep 2004 10:42:22 -0600
I have configured a Cisco VPN Client (4.6.00) to connect to a Cisco PIX
515E [6.3(3)]. The VPN works great except when the VPN client is behind
another PIX or a Cisco router. If the VPN client is behind a PIX or a Cisco
router I can make the initial connection fine but I cannot pass any traffic
(pings time out and protocols do not connect).
If I am behind my Linux (IPCop) firewall or at a hotel (unknown firewall,
probably a cable modem) I do not have a problem. I can connect and pass
traffic.
The terminating PIX has 4 PIX-to-PIX VPNs configured and they all work
great.
I have searched Cisco's site and spent more than an hour Googling with no luck.
Any suggestions on why the VPN client will not work from behind another
Cisco device?
Here is the relevant config for the PIX 515E that terminates the client VPN:
access-list nonat permit ip 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip local pool clientvpn-admin 192.168.99.1-192.168.99.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
sysopt connection permit-ipsec
crypto ipsec transform-set clvpn esp-aes-256 esp-sha-hmac
crypto dynamic-map vpn-client 10 set transform-set clvpn
crypto map gate 50 ipsec-isakmp dynamic vpn-client
crypto map gate interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup admin address-pool clientvpn-admin
vpngroup admin dns-server xxx.xxx.xxx.xxx
vpngroup admin default-domain domain.com
vpngroup admin split-tunnel vpn-client-admin
vpngroup admin idle-time 2700
vpngroup admin password ********
Thanks for any help you can offer,
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
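As an added example (not part of the original post, and not Cisco code), here is a small Python audit that parses the PIX 6.x fragment quoted above and reports the items a reviewer would check first on a remote-access VPN config: whether the client pool is exempted from NAT toward the inside network, whether the split-tunnel ACL the vpngroup references is defined, whether `isakmp nat-traversal` is present, and what the phase 1 policy uses relative to the ESP transform set. It does not diagnose the poster's problem; the NAT-T item is only one thing to verify, since the fragment shows no `isakmp nat-traversal` line and ESP carries no port numbers for a PAT device to track. The sample config is transcribed from the post with the wrapped access-list line rejoined and the masked `xxx` values left out; the "fixed" variant in the test, with a NAT-T line and a split-tunnel ACL, is an assumption for illustration.

```python
import ipaddress

# Constructed sample: the PIX 515E fragment from the post above, with the wrapped
# access-list line rejoined and the masked xxx.xxx.xxx.xxx lines omitted. The post
# shows no 'isakmp nat-traversal' line; this script only reports that it is absent.
PIX_CONFIG = """\
access-list nonat permit ip 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip local pool clientvpn-admin 192.168.99.1-192.168.99.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set clvpn esp-aes-256 esp-sha-hmac
crypto dynamic-map vpn-client 10 set transform-set clvpn
crypto map gate 50 ipsec-isakmp dynamic vpn-client
crypto map gate interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup admin address-pool clientvpn-admin
vpngroup admin split-tunnel vpn-client-admin
vpngroup admin idle-time 2700
"""


def _acl_operand(tok, i):
    """Parse one PIX ACL address operand at tok[i]: 'any', 'host A', or 'A MASK'.
    Returns (IPv4Network, tokens consumed)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), 2


def parse_pix_config(text):
    """Pull the VPN-relevant statements of a PIX 6.x config into a dict."""
    cfg = {"acls": {}, "pools": {}, "nat0_acl": None, "inside_net": None,
           "isakmp_policies": {}, "nat_traversal": False,
           "sysopt_permit_ipsec": False, "vpngroups": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith((":", "!")):   # PIX comment lines
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, n = _acl_operand(tok, 4)
            dst, _ = _acl_operand(tok, 4 + n)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "address", "inside"]:
            cfg["inside_net"] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = tok[4]                     # NAT exemption ACL
        elif tok[:2] == ["isakmp", "policy"]:
            cfg["isakmp_policies"].setdefault(tok[2], {})[tok[3]] = tok[4]
        elif tok[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_traversal"] = True
        elif tok[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_permit_ipsec"] = True
        elif tok[0] == "vpngroup" and len(tok) >= 4:
            cfg["vpngroups"].setdefault(tok[1], {})[tok[2]] = tok[3]
    return cfg


def audit(cfg):
    """Return the findings a reviewer would raise on the parsed fragment."""
    findings = []
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    inside = cfg["inside_net"]
    if inside and not any(inside in (s, d) for s, d in nat0):
        findings.append(f"nat 0 ACL {cfg['nat0_acl']} does not reference the inside network {inside}")
    for group, attrs in cfg["vpngroups"].items():
        pool = cfg["pools"].get(attrs.get("address-pool", ""))
        if pool is None:
            findings.append(f"vpngroup {group}: address-pool is not defined")
        else:
            first, last = pool
            if not any((first in s and last in s) or (first in d and last in d) for s, d in nat0):
                findings.append(f"vpngroup {group}: pool {first}-{last} is not covered by the nat 0 ACL; "
                                "replies to clients would be PATed to the outside address")
        split = attrs.get("split-tunnel")
        if split and split not in cfg["acls"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {split} is referenced but not defined in this fragment")
    if not cfg["nat_traversal"]:
        findings.append("isakmp nat-traversal is absent: ESP has no port numbers, so a PAT device between "
                        "client and PIX cannot forward it unless NAT-T (UDP/4500) is negotiated")
    for pid, attrs in sorted(cfg["isakmp_policies"].items()):
        weak = [v for v in (attrs.get("encryption"), attrs.get("hash")) if v in ("des", "3des", "md5")]
        if weak:
            findings.append(f"isakmp policy {pid}: phase 1 uses {'/'.join(weak)}")
    if cfg["sysopt_permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec: decrypted tunnel traffic bypasses the outside interface ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix_config(PIX_CONFIG)):
        print("-", finding)
```

Run it against a real `show running-config` dump and read the findings as review points rather than verdicts: the pool-coverage and split-tunnel checks are structural, while the NAT-T, phase 1 and `sysopt` items are things to confirm against what the devices in the client's path actually do.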