Hi all,

Thanks in advance for reading this message. I am completely boggled on an
issue here that I have literally been trying to troubleshoot for some 12
hours now.

I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.

Here are the relevant parts of my config:

:PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any 
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set vpn esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 300
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
crypto map crypto-map-swa interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 300
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
vpngroup VPNUser idle-time 1800
vpngroup VPNUser password ********

Let's say the outside interface is 100.100.100.28. These are the networks:

100.100.100.28 255.255.255.240    (outside)
192.168.1.0    255.255.255.0      (inside)
192.168.2.0    255.255.255.0      (vpn IP pool)
10.0.1.0       255.255.255.0      (dmz)

I can connect with the client just fine, but neither end can ping the other.
Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
192.168.2.100. The VPN Client side shows packets being encrypted but none
decrypted. The IPSec SA on the PIX shows packets being encrypted and none
decrypted.

Also worth noting is that the VPN client status shows "Transparent
Tunneling: Inactive" on the status page while connecting, even though isakmp
nat-traversal is enabled. An ethereal capture shows the client sending ESP
packets to the PIX but none are coming back.

Please, if anyone has any ideas I would love to hear them. This has been
driving me crazy!

Thanks,

James Willard
[EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74363&t=74363
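Added example, not part of the original post or any reply to it: a small Python script that parses the VPN-relevant lines of the config above and checks that they reference each other consistently (the nat 0 exemption ACL actually covers the address pool, the dynamic map's transform set is defined, the crypto map is bound to the interface where isakmp is enabled, nat-traversal and sysopt permit-ipsec are present, the split-tunnel ACL exists). It only understands the handful of PIX 6.3 command forms that appear in the post, the config text is constructed from those lines (with the wrapped access-list rejoined), and it does not talk to a PIX or explain the live encrypt/decrypt symptom; it is the static wiring check one would run before chasing the problem on the wire.

```python
"""Static consistency checks for a PIX 6.3 remote-access IPsec snippet.

Added example; not code from the original post. It recognises only the
command forms shown there and reports findings as plain strings.
"""
import ipaddress
import re

# Constructed sample: the VPN-relevant lines from the post, with the wrapped
# access-list line rejoined onto one line.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
crypto map crypto-map-swa interface outside
isakmp enable outside
isakmp nat-traversal 20
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""


def parse_config(text):
    """Pull the objects the checks need out of PIX-style config lines."""
    cfg = {
        "acls": {},             # name -> [(src_net, dst_net or None for 'any')]
        "pools": {},            # name -> (first_ip, last_ip)
        "nat0_acl": None,       # ACL named by 'nat (inside) 0 access-list ...'
        "transform_sets": set(),
        "dynmap_ts": {},        # dynamic-map name -> transform-set name
        "map_dynmaps": {},      # crypto map name -> dynamic-map name
        "map_iface": {},        # crypto map name -> interface it is applied to
        "isakmp_ifaces": set(),
        "nat_t": False,
        "sysopt_permit_ipsec": False,
        "groups": {},           # vpngroup -> {"address-pool": ..., "split-tunnel": ...}
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (any|\S+ \S+)$", line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = None if m[4] == "any" else ipaddress.ip_network(m[4].replace(" ", "/"), strict=False)
            cfg["acls"].setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            cfg["transform_sets"].add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)$", line):
            cfg["dynmap_ts"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line):
            cfg["map_dynmaps"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["map_iface"][m[1]] = m[2]
        elif m := re.match(r"isakmp enable (\S+)$", line):
            cfg["isakmp_ifaces"].add(m[1])
        elif line.startswith("isakmp nat-traversal"):
            cfg["nat_t"] = True
        elif line == "sysopt connection permit-ipsec":
            cfg["sysopt_permit_ipsec"] = True
        elif m := re.match(r"vpngroup (\S+) (address-pool|split-tunnel) (\S+)$", line):
            cfg["groups"].setdefault(m[1], {})[m[2]] = m[3]
    return cfg


def check_config(text):
    """Return a list of findings; an empty list means the static wiring is consistent."""
    cfg = parse_config(text)
    findings = []
    if not cfg["sysopt_permit_ipsec"]:
        findings.append("missing 'sysopt connection permit-ipsec'; decrypted traffic would be subject to interface ACLs")
    if not cfg["nat_t"]:
        findings.append("isakmp nat-traversal not enabled; clients behind NAT cannot use UDP encapsulation")
    for name, dm in cfg["map_dynmaps"].items():
        iface = cfg["map_iface"].get(name)
        if iface is None:
            findings.append(f"crypto map {name} is not applied to any interface")
        elif iface not in cfg["isakmp_ifaces"]:
            findings.append(f"crypto map {name} is on {iface} but isakmp is not enabled there")
        ts = cfg["dynmap_ts"].get(dm)
        if ts is None:
            findings.append(f"dynamic-map {dm} (used by {name}) sets no transform-set")
        elif ts not in cfg["transform_sets"]:
            findings.append(f"dynamic-map {dm} references undefined transform-set {ts}")
    nonat = cfg["acls"].get(cfg["nat0_acl"], []) if cfg["nat0_acl"] else []
    for group, attrs in cfg["groups"].items():
        pool = cfg["pools"].get(attrs.get("address-pool"))
        if pool is None:
            findings.append(f"vpngroup {group} has no valid address-pool")
        else:
            first, last = pool
            # The pool must fall inside a destination network of the nat 0 ACL,
            # otherwise inside-to-client traffic is NATed instead of exempted.
            if not any(dst is not None and first in dst and last in dst for _, dst in nonat):
                findings.append(f"pool for vpngroup {group} ({first}-{last}) is not covered by the nat 0 ACL")
        st = attrs.get("split-tunnel")
        if st and st not in cfg["acls"]:
            findings.append(f"vpngroup {group} split-tunnel ACL {st} is not defined")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG) or ["no static wiring problems found"]:
        print(f)
```

Run against the post's lines the checks come back clean, which is the point: everything the config references is defined and the pool is exempted from NAT, so the encrypt-only counters have to be chased with `show crypto ipsec sa` and a capture on the outside interface rather than by re-reading the config. Dropping the sysopt line or moving the pool to a network the nonat ACL does not cover produces a finding.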