Hey David and group,

I have done what you asked me to change, but no luck. Still no traffic can
pass through, although it can connect. My new config is at the end of the
mail. Does anyone have any idea why? I find it really strange, as my username
and password can be authenticated by my W2K RADIUS server, but why can no
traffic pass to the LAN after it gets connected? I saw the traffic statistics
of the VPN client increase, but I can't connect to anything on the LAN. Why?

P.S.: Why did you suggest changing the crypto map from 30 to 35?

David Tran II wrote:

After looking at your configuration, you need to do this:

change from:
crypto map lonmap 30 ipsec-isakmp dynamic outside_dyn

change to:
crypto map lonmap 35 ipsec-isakmp dynamic outside_dyn

and add in this line:
crypto map lonmap client configuration address respond
crypto map lonmap client authentication RS (I think you already have this
line)


It looks to me like you are using "xtended" (extended) authentication; it is
a good idea to upgrade your code from 6.0.x to at least 6.2(2) or, better
yet, 6.3(1). I know for a fact that the configuration above works for
version 6.2(2) or higher. 6.3(1) supports NAT traversal.

> My new config is:
> LONPIX# wr term
> Building configuration...
> : Saved
> :
> PIX Version 6.2 
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxxxxx encrypted
> passwd xxxxxxxx encrypted
> hostname LONPIX
> domain-name xxx.co.uk
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> name 70.7.75.150 HKpix
> name 20.2.25.150 tokpix
> access-list 111 permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
> access-list 112 permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
> access-list no-nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
> access-list no-nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
> access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
> access-list no-nat permit ip 192.168.3.0 255.255.255.0 172.16.4.0 255.255.255.224
> access-list no-nat permit ip 10.10.0.0 255.255.0.0 172.16.4.0 255.255.255.224
> no pager
> logging on
> logging buffered errors
> logging trap errors
> logging history errors
> logging facility 18
> logging host inside 172.16.3.101
> no logging message 400010
> interface ethernet0 100basetx
> interface ethernet1 100basetx
> mtu outside 1500
> mtu inside 1500
> ip address outside 103.103.130.130 255.255.255.240
> ip address inside 172.16.3.254 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool IPPOOLS 172.16.4.1-172.16.4.31
> pdm history enable
> arp timeout 14400
> global (outside) 1 103.103.103.131
> nat (inside) 0 access-list no-nat
> nat (inside) 1 172.16.3.0 255.255.255.0 0 0
> conduit permit icmp any any 
> route outside 0.0.0.0 0.0.0.0 103.103.103.129 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+ 
> aaa-server RADIUS protocol radius 
> aaa-server LOCAL protocol local 
> aaa-server RS protocol radius
> aaa-server RS (inside) host 172.16.3.101 RSKEY timeout 5 
> aaa authentication ssh console LOCAL
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set lonset esp-des esp-md5-hmac 
> crypto dynamic-map outside_dyn 30 set transform-set lonset
> crypto map lonmap 10 ipsec-isakmp
> crypto map lonmap 10 match address 111
> crypto map lonmap 10 set peer hkpix
> crypto map lonmap 10 set transform-set lonset
> crypto map lonmap 20 ipsec-isakmp
> crypto map lonmap 20 match address 112
> crypto map lonmap 20 set peer tokpix
> crypto map lonmap 20 set transform-set lonset
> crypto map lonmap 35 ipsec-isakmp dynamic outside_dyn
> crypto map lonmap interface outside
> crypto map lonmap client configuration address respond
> crypto map lonmap client authentication RS
> isakmp enable outside
> isakmp key ******** address hkpix netmask 255.255.255.255 
> isakmp key ******** address tokpix netmask 255.255.255.255 
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 86400
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup GROUP address-pool IPPOOLS
> vpngroup GROUP dns-server 172.16.3.101
> vpngroup GROUP wins-server 172.16.3.101
> vpngroup GROUP default-domain company.com
> vpngroup GROUP idle-time 1000
> vpngroup GROUP password ********
> telnet 172.16.3.0 255.255.255.0 inside
> telnet timeout 60
> ssh 172.16.3.0 255.255.255.0 inside
> ssh timeout 60
> username pix password xxxxxxx encrypted privilege 2
> username user1 password xxxxxxxx encrypted privilege 2
> terminal width 100
> Cryptochecksum:xxxxxxxxxxxxxxxxxxx
> : end
> [OK]







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70269&t=70084
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

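Added example (not from the original post or from either poster): a small Python checker that parses the remote-access pieces of the PIX config quoted above and verifies two things a PIX 6.x remote-access VPN depends on. First, the dynamic crypto map entry must carry a higher sequence number than the static site-to-site entries, so the static peers are matched before the catch-all dynamic entry; both the original 30 and David's 35 satisfy this, since the static entries are 10 and 20. Second, the nat 0 access-list must exempt inside-to-pool traffic, otherwise replies to VPN clients get translated and never come back through the tunnel. The sample config text is constructed from the quoted lines; the map name, interface, inside subnet and vpngroup name are taken from that config and are assumptions about this deployment. The checker does not diagnose the poster's problem, it only confirms what the posted config already gets right and shows what a broken variant looks like.

```python
"""Sanity checks for PIX 6.x remote-access VPN configuration (added example)."""
import ipaddress
import re

# Constructed sample: the relevant lines from the quoted config, everything
# else (fixups, logging, static peers' match/peer lines, isakmp policies) dropped.
SAMPLE_CONFIG = """\
access-list no-nat permit ip 172.16.3.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224
ip local pool IPPOOLS 172.16.4.1-172.16.4.31
nat (inside) 0 access-list no-nat
crypto dynamic-map outside_dyn 30 set transform-set lonset
crypto map lonmap 10 ipsec-isakmp
crypto map lonmap 20 ipsec-isakmp
crypto map lonmap 35 ipsec-isakmp dynamic outside_dyn
crypto map lonmap interface outside
vpngroup GROUP address-pool IPPOOLS
"""

# Constructed counter-example: no nat 0 exemption for the client pool, and the
# dynamic entry numbered below the static ones (so it would be tried first).
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "access-list no-nat permit ip 172.16.3.0 255.255.255.0 172.16.4.0 255.255.255.224\n", ""
).replace("crypto map lonmap 35 ipsec-isakmp dynamic", "crypto map lonmap 5 ipsec-isakmp dynamic")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
VPNGROUP_POOL_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")


def parse_config(text):
    """Extract ACL entries, address pools, nat 0 bindings, crypto map entries
    and vpngroup pool assignments from PIX config text."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "cmaps": {}, "vpngroup_pool": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, which is how PIX writes ACLs
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := CMAP_RE.match(line):
            name, seq, dyn = m.groups()
            cfg["cmaps"].setdefault(name, []).append((int(seq), dyn is not None))
        elif m := VPNGROUP_POOL_RE.match(line):
            cfg["vpngroup_pool"][m.group(1)] = m.group(2)
    return cfg


def dynamic_entry_is_last(cfg, map_name):
    """True when every dynamic entry of the crypto map has a higher sequence
    number than every static entry, i.e. static peers are evaluated first."""
    entries = cfg["cmaps"].get(map_name, [])
    static = [seq for seq, dyn in entries if not dyn]
    dynamic = [seq for seq, dyn in entries if dyn]
    return bool(dynamic) and (not static or min(dynamic) > max(static))


def nat0_covers_pool(cfg, inside_if, inside_net, pool_name):
    """True when the nat 0 ACL bound on inside_if exempts inside_net to every
    address in the named pool. Checks per address so piecewise ACLs count."""
    inside_net = ipaddress.ip_network(inside_net)
    acl_name = cfg["nat0"].get(inside_if)
    if acl_name is None or pool_name not in cfg["pools"]:
        return False
    entries = cfg["acls"].get(acl_name, [])
    first, last = cfg["pools"][pool_name]
    for addr_int in range(int(first), int(last) + 1):
        addr = ipaddress.ip_address(addr_int)
        if not any(inside_net.subnet_of(src) and addr in dst for src, dst in entries):
            return False
    return True


def check_remote_access(text, map_name="lonmap", inside_if="inside",
                        inside_net="172.16.3.0/24", group="GROUP"):
    """Run both checks; the defaults are assumptions taken from the quoted config."""
    cfg = parse_config(text)
    pool = cfg["vpngroup_pool"].get(group)
    return {
        "dynamic_entry_last": dynamic_entry_is_last(cfg, map_name),
        "nat0_covers_pool": pool is not None
        and nat0_covers_pool(cfg, inside_if, inside_net, pool),
    }


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_remote_access(text))
```

Both checks pass for the posted config, which is consistent with the poster's report that the tunnel comes up and counters increase; the checker is a way to rule out the two configuration mistakes that most often produce exactly that symptom, not a substitute for `debug crypto ipsec` and a look at whether inside hosts have a route back to 172.16.4.0/27 via the PIX.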