Hi James,

It would be nice to have the output of "show crypto ipsec sa" on the PIX while pinging back and forth. It would be nice to get the output of "debug icmp trace" and "sh access-list" as well, but in any case my suggestion is this:

1) If you are doing split-tunneling I would suggest an access-list like this:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

and not:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

This is because you need to tell the PIX to create a pair of SAs for Phase II, so the VPN client will encrypt data destined to 192.168.1.0/24 and the PIX will encrypt traffic from the local LAN to the pool only.

Lastly, if you need to communicate with the DMZ as well, you may add these lines to the access-lists for nonat and interesting traffic:

access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0

I would recommend using the same access-list nonat for the line below:

nat (dmz) 0 access-l nonat

This is in order to avoid some "bugs" surfacing around 6.3.1. Hope this helps a little, and if you can send more details it would be nice to follow up on this a little more. Have a good one!

My two cents,

Frank
Costa Rica

----- Original Message -----
From: "James Willard" 
To: 
Sent: Monday, August 25, 2003 5:17 PM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


> Hi all,
>
> Thanks in advance for reading this message. I am completely boggled on an
> issue here that I have literally been trying to troubleshoot for some 12
> hours now.
>
> I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.
>
> Here are the relevant parts of my config:
>
> :PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> ip local pool vpnusers 192.168.2.100-192.168.2.254
> nat (inside) 0 access-list nonat
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 300
> crypto dynamic-map dynmap 30 set transform-set vpn
> crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
> crypto map crypto-map-swa interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 300
> vpngroup VPNUser address-pool vpnusers
> vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
> vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
> vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
> vpngroup VPNUser idle-time 1800
> vpngroup VPNUser password ********
>
> Let's say the outside interface is 100.100.100.28. These are the networks:
>
> 100.100.100.28 255.255.255.240    (outside)
> 192.168.1.0    255.255.255.0      (inside)
> 192.168.2.0    255.255.255.0      (vpn IP pool)
> 10.0.1.0       255.255.255.0      (dmz)
>
> I can connect with the client just fine, but neither end can ping the other.
> Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
> ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
> 192.168.2.100. The VPN Client side shows packets being encrypted but none
> decrypted. The IPSec SA on the PIX shows packets being encrypted and none
> decrypted.
>
> Also worth noting is that the VPN client status shows "Transparent
> Tunneling: Inactive" on the status page while connecting, even though
> isakmp nat-traversal is enabled. An ethereal capture shows the client
> sending ESP packets to the PIX but none are coming back.
>
> Please, if anyone has any ideas I would love to hear them. This has been
> driving me crazy!
>
> Thanks,
>
> James Willard
> [EMAIL PROTECTED]
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74384&t=74363
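The two checks Frank's reply asks James to make by hand, that the split-tunnel ACL names the VPN pool rather than "any" and that every protected LAN has a matching "nat (ifc) 0 access-list" exemption on its own interface, can be scripted. The following is an added example, not code from the thread or from Cisco: a small linter for PIX 6.x config lines. The interface-to-network map and the two config snippets are constructed from the networks and lines James posted; only the "permit ip NET MASK NET MASK|any" ACL form is parsed.

```python
"""Lint PIX 6.x split-tunnel / nat 0 pairing (added example, not from the post)."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")
NAT0_RE = re.compile(r"^nat\s+\((\w+)\)\s+0\s+access-l\S*\s+(\S+)$")
SPLIT_RE = re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)$")
POOL_RE = re.compile(r"^ip\s+local\s+pool\s+\S+\s+(\S+)-(\S+)$")


def _net(addr, mask):
    """PIX writes 'NET MASK'; ipaddress accepts 'NET/MASK' directly."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACL entries, nat 0 bindings, the split-tunnel ACL name and the pool."""
    acls = defaultdict(list)   # name -> [(src_net, dst_net or None for 'any')]
    nat0 = {}                  # interface -> ACL bound with 'nat (ifc) 0'
    split_acl, pool = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((_net(src, smask), None if dst == "any" else _net(dst, dmask)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := SPLIT_RE.match(line):
            split_acl = m.group(1)
        elif m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return acls, nat0, split_acl, pool


def lint(config, iface_nets):
    """Return a list of findings; iface_nets maps interface -> network behind it."""
    acls, nat0, split_acl, pool = parse(config)
    if split_acl is None or pool is None:
        return ["no split-tunnel ACL or no ip local pool found"]
    first, last = pool
    findings = []
    for src, dst in acls[split_acl]:
        # 1) Destination must be the pool, not 'any', so the Phase 2 SA
        #    proxy identities are LAN <-> pool on both sides.
        if dst is None:
            findings.append(f"{split_acl}: {src} -> any; destination should be the VPN pool")
        elif first not in dst or last not in dst:
            findings.append(f"{split_acl}: {src} -> {dst} does not cover pool {first}-{last}")
        # 2) The same LAN -> pool pair needs a nat 0 exemption on the interface
        #    that hosts the LAN, or the PIX translates it before it can match the SA.
        iface = next((i for i, n in iface_nets.items() if src.subnet_of(n)), None)
        if iface is None:
            findings.append(f"{src}: no interface in iface_nets hosts this network")
            continue
        acl = nat0.get(iface)
        if acl is None:
            findings.append(f"{iface}: no 'nat ({iface}) 0 access-list' line")
            continue
        if not any(src.subnet_of(s) and d is not None and first in d and last in d
                   for s, d in acls[acl]):
            findings.append(f"{acl}: no entry {src} -> pool for nat ({iface}) 0")
    return findings


# Constructed from the lines James posted that the linter reads.
POSTED = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""

# The same lines with Frank's suggested inside and dmz changes applied.
FIXED = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (dmz) 0 access-l nonat
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""

# Assumed mapping, taken from the network list in the question.
IFACE_NETS = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(cfg, IFACE_NETS) or "OK")
```

Run against the posted lines it reports only the "any" destination on the split-tunnel ACL; against the fixed lines it reports nothing, and dropping the "nat (dmz) 0" line reproduces the missing-exemption finding for the DMZ.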