[VPN] Pix 515E VPN tunnel Via Cisco Client 4.0 thru a Nattted homeDSL router
Dana J. Dawson
Dana.Dawson at qwest.com
Mon Sep 13 13:08:13 EDT 2004
It sounds like you might have a simple routing issue, since you're using
the 192.168.0.0 network at both locations. Try configuring a different
network for the LAN behind your DSL modem, like a 10.x.x.x network and
see if that helps.
Also, things don't look quite right with the PIX config. The
access-list 102 defines the subnet at the PIX end to be 192.168.0.0/22,
but the PIX inside interface is 192.168.8.17, which is on a different
subnet and there don't appear to be any routes pointing to the
192.168.0.0/22 network in the PIX. Perhaps the listing below isn't the
current config.
Finally, you really should think about migrating away from the "conduit"
command entirely. I know they're sometimes more convenient to use than
access-lists, but they're going away in the next release of PIX software,
so they have a very limited future now. Cisco has a tool you can either
run on their web site or download for converting your PIX config to
replace conduits with the appropriate access-list(s). Since your
conduit is so simple, however, it'd be trivial to replace now before
things get more complex. It really would be better in the long run.
HTH - Good luck!
Dana
Dana J. Dawson djdawso at qwest.com
Sr. Staff Engineer CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
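The two things Dana points at (whether the nat 0 access-list network is actually on the inside interface or routed, and whether the client's home LAN overlaps the network the tunnel protects) can be checked mechanically against the quoted listing. This is an added example, not code from the thread; the config lines are copied from Marc's listing below, and the home LAN 192.168.0.0/24 is assumed from his description of 192.168.0.x addresses behind the DSL modem.

```python
import ipaddress

# Constructed from the PIX config quoted in the thread; only the lines
# these checks look at are kept.
PIX_CONFIG = """
access-list 102 permit ip 192.168.0.0 255.255.252.0 192.168.113.0 255.255.255.0
ip address inside 192.168.8.17 255.255.255.248
nat (inside) 0 access-list 102
route outside 0.0.0.0 0.0.0.0 12.45.111.225 1
"""

def _net(addr, mask):
    # PIX writes dotted-decimal masks; strict=False tolerates host bits
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(text):
    """Pull out permit-ip ACL entries, the inside interface, the nat 0 binding and static routes."""
    cfg = {"acls": {}, "routes": []}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(f[1], []).append((_net(f[4], f[5]), _net(f[6], f[7])))
        elif f[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{f[3]}/{f[4]}")
        elif f[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = f[4]
        elif f[0] == "route":
            cfg["routes"].append((f[1], _net(f[2], f[3])))
    return cfg

def check_vpn_config(text, home_lan):
    """Return findings for a VPN client connecting from home_lan (assumed prefix)."""
    cfg = parse_pix(text)
    home = ipaddress.ip_network(home_lan)
    findings = []
    for local, remote in cfg["acls"].get(cfg.get("nat0_acl"), []):
        # The protected LAN must be reachable: either the inside interface
        # sits in it, or a route on a non-outside interface covers it.
        on_link = cfg["inside"].ip in local
        routed = any(ifc != "outside" and dst.overlaps(local) for ifc, dst in cfg["routes"])
        if not (on_link or routed):
            findings.append(f"nat 0 network {local} is neither on the inside interface nor routed")
        # A home LAN overlapping either tunnel-side network breaks client routing.
        for name, net in (("protected LAN", local), ("VPN pool", remote)):
            if home.overlaps(net):
                findings.append(f"home LAN {home} overlaps {name} {net}")
    return findings
```

Against the quoted listing this reports both problems; renumbering the home LAN as Dana suggests clears the overlap but the access-list/inside-interface mismatch remains until the config is corrected.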
Marc Stavale wrote:
> Scenario: I have a Pix 515E configured to access a VPN tunnel. If I
> dial into the internet thru AT&T and get an IP of 206.x.x.x (internet
> routable) address and try to negotiate a tunnel using the Cisco VPN
> Client I can do so no problems. However, if I try to do one from my
> 'house' which is behind my DSL modem and thus has a natted address (IE:
> my modem outside is routable but my inside address on my computer is a
> 192.168.0.x address), my tunnel fails. Here is a copy of my Pix
> config and I do have the 'isakmp nat-traversal' command in it but it
> still fails. I haven't configured my inside conduits yet as I just want to
> get the tunnel working first. Any ideas?
>
> Building configuration...
> : Saved
> :
> PIX Version 6.3(3)133
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet2 auto shutdown
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 intf2 security4
> enable password fOtLfvYl90/VEkOk encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname denvervpn
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list 102 permit ip 192.168.0.0 255.255.252.0 192.168.113.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> mtu intf2 1500
> ip address outside 12.45.111.234 255.255.255.248
> ip address inside 192.168.8.17 255.255.255.248
> no ip address intf2
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool vpnpool 192.168.113.1-192.168.113.254
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list 102
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 12.45.111.225 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set myset
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap client configuration address initiate
> crypto map mymap client configuration address respond
> crypto map mymap interface outside
> crypto map map1 10 ipsec-isakmp dynamic map2
> isakmp enable outside
> isakmp identity address
> isakmp client configuration address-pool local vpnpool outside
> isakmp nat-traversal 10
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup base1 address-pool vpnpool
> vpngroup base1 dns-server 192.168.0.125
> vpngroup base1 wins-server 192.168.0.126
> vpngroup base1 default-domain amc.local
> vpngroup base1 idle-time 1800
> vpngroup base1 password ********
> vpngroup base2 address-pool vpnpool
> vpngroup base2 dns-server 192.168.0.125
> vpngroup base2 wins-server 192.168.0.126
> vpngroup base2 default-domain amc.local
> vpngroup base2 split-tunnel 102
> vpngroup base2 idle-time 1800
> vpngroup base2 password ********
> telnet timeout 5
> ssh timeout 60
> console timeout 0
> terminal width 80
> Cryptochecksum:5ddd4c6f87bb9677e21fdff9262b50ac
> : end
> [OK]
>
> Marc Stavale
> Network Engineer
> Airmethods
> 7211 S. Peoria St.
> Englewood Co. 80112
> 303-792-7491
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn