[VPN] Pix 515E VPN tunnel Via Cisco Client 4.0 thru a NATted home DSL router

Dana J. Dawson Dana.Dawson at qwest.com
Mon Sep 13 13:08:13 EDT 2004


It sounds like you might have a simple routing issue, since you're using 
the 192.168.0.0 network at both locations.  Try configuring a different 
network for the LAN behind your DSL modem, like a 10.x.x.x network and 
see if that helps.

Also, things don't look quite right with the PIX config.  The 
access-list 102 defines the subnet at the PIX end to be 192.168.0.0/22, 
but the PIX inside interface is 192.168.8.17, which is on a different 
subnet and there don't appear to be any routes pointing to the 
192.168.0.0/22 network in the PIX.  Perhaps the listing below isn't the 
current config.

Finally, you really should think about migrating away from the "conduit" 
command entirely.  I know they're sometimes more convenient to use than 
access-lists, but they're going away in the next release of PIX software 
so they have a very limited future now.  Cisco has a tool you can either 
run on their web site or download for converting your PIX config to 
replace conduits with the appropriate access-list(s).  Since your 
conduit is so simple, however, it'd be trivial to replace now before 
things get more complex.  It really would be better in the long run.

HTH - Good luck!

Dana

Dana J. Dawson                     djdawso at qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."


Marc Stavale wrote:
> Scenario:  I have a Pix 515E configured to access a VPN tunnel.  If I 
> dial into the internet thru AT&T and get an IP address of 206.x.x.x (internet 
> routable) and try to negotiate a tunnel using the Cisco VPN 
> Client I can do so no problems.  However, if I try to do one from my 
> 'house' which is behind my DSL modem and thus has a NATted address (i.e. 
> my modem outside is routable but my inside address on my computer is a 
> 192.168.0.x address), my tunnel fails.  Here is a copy of my Pix 
> config and I do have the 'isakmp nat-traversal' command in it but it 
> still fails.  I haven't configured my inside conduits yet as I just want to 
> get the tunnel working first.  Any ideas?
> 
> Building configuration...
> : Saved
> :
> PIX Version 6.3(3)133
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet2 auto shutdown
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 intf2 security4
> enable password fOtLfvYl90/VEkOk encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname denvervpn
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list 102 permit ip 192.168.0.0 255.255.252.0 192.168.113.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> mtu intf2 1500
> ip address outside 12.45.111.234 255.255.255.248
> ip address inside 192.168.8.17 255.255.255.248
> no ip address intf2
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool vpnpool 192.168.113.1-192.168.113.254
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list 102
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 12.45.111.225 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set myset
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap client configuration address initiate
> crypto map mymap client configuration address respond
> crypto map mymap interface outside
> crypto map map1 10 ipsec-isakmp dynamic map2
> isakmp enable outside
> isakmp identity address
> isakmp client configuration address-pool local vpnpool outside
> isakmp nat-traversal 10
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup base1 address-pool vpnpool
> vpngroup base1 dns-server 192.168.0.125
> vpngroup base1 wins-server 192.168.0.126
> vpngroup base1 default-domain amc.local
> vpngroup base1 idle-time 1800
> vpngroup base1 password ********
> vpngroup base2 address-pool vpnpool
> vpngroup base2 dns-server 192.168.0.125
> vpngroup base2 wins-server 192.168.0.126
> vpngroup base2 default-domain amc.local
> vpngroup base2 split-tunnel 102
> vpngroup base2 idle-time 1800
> vpngroup base2 password ********
> telnet timeout 5
> ssh timeout 60
> console timeout 0
> terminal width 80
> Cryptochecksum:5ddd4c6f87bb9677e21fdff9262b50ac
> : end
> [OK]
> 
> Marc Stavale
> Network Engineer
> Airmethods
> 7211 S. Peoria St.
> Englewood Co. 80112
> 303-792-7491
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
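The two config problems Dana points out (a protected network the PIX has no route to, and a client LAN that overlaps it) can be checked mechanically. This is an added example, not code from either post: it parses the relevant lines of the PIX config quoted above with Python's ipaddress module and assumes the home LAN is 192.168.0.0/24 (Marc only says "192.168.0.x").

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config quoted in the thread; only the lines the checks read.
PIX_CONFIG = """\
access-list 102 permit ip 192.168.0.0 255.255.252.0 192.168.113.0 255.255.255.0
ip address inside 192.168.8.17 255.255.255.248
nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 12.45.111.225 1
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) \S+")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def parse_pix(text):
    """Collect ACL source networks, the inside interface and the static routes."""
    cfg = {"acl": {}, "inside": None, "routes": []}
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            cfg["acl"].setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif m := INSIDE_RE.match(line):
            cfg["inside"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return cfg


def check_vpn_config(text, nat0_acl, client_lan):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_pix(text)
    client = ipaddress.ip_network(client_lan, strict=False)
    findings = []
    for net in cfg["acl"].get(nat0_acl, []):
        # Check 1: the protected network must be the inside subnet itself or be
        # reachable via a non-default route, or decrypted client traffic has nowhere to go.
        reachable = (cfg["inside"] is not None and cfg["inside"].ip in net) or any(
            r != DEFAULT and r.overlaps(net) for r in cfg["routes"])
        if not reachable:
            findings.append(f"no-route: {net} is not on the inside interface and has no static route")
        # Check 2: the client's own LAN must not overlap the protected network,
        # otherwise the client sends that traffic locally instead of into the tunnel.
        if client.overlaps(net):
            findings.append(f"overlap: client LAN {client} overlaps protected network {net}")
    return findings


if __name__ == "__main__":
    for lan in ("192.168.0.0/24", "10.1.1.0/24"):  # the current home LAN vs. Dana's suggestion
        print(lan, check_vpn_config(PIX_CONFIG, "102", lan) or ["ok"])
```

Adding a `route inside 192.168.0.0 255.255.252.0 <next-hop> 1` line (next hop is a placeholder) clears the first finding; moving the home LAN to 10.x.x.x clears the second.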