James

You're missing the command "vpdn enable outside" from your config.

regards
derek

----- Original Message -----
From: "James Willard" 
To: 
Sent: Tuesday, August 26, 2003 12:17 AM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


> Hi all,
>
> Thanks in advance for reading this message. I am completely boggled on an
> issue here that I have literally been trying to troubleshoot for some 12
> hours now.
>
> I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.
>
> Here are the relevant parts of my config:
>
> :PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> ip local pool vpnusers 192.168.2.100-192.168.2.254
> nat (inside) 0 access-list nonat
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 300
> crypto dynamic-map dynmap 30 set transform-set vpn
> crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
> crypto map crypto-map-swa interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 300
> vpngroup VPNUser address-pool vpnusers
> vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
> vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
> vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
> vpngroup VPNUser idle-time 1800
> vpngroup VPNUser password ********
>
> Let's say the outside interface is 100.100.100.28. These are the networks:
>
> 100.100.100.28 255.255.255.240    (outside)
> 192.168.1.0    255.255.255.0      (inside)
> 192.168.2.0    255.255.255.0      (vpn IP pool)
> 10.0.1.0       255.255.255.0      (dmz)
>
> I can connect with the client just fine, but neither end can ping the
> other.
> Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
> ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
> 192.168.2.100. The VPN Client side shows packets being encrypted but none
> decrypted. The IPSec SA on the PIX shows packets being encrypted and none
> decrypted.
>
> Also worth noting is that the VPN client status shows "Transparent
> Tunneling: Inactive" on the status page while connecting, even though isakmp
> nat-traversal is enabled. An ethereal capture shows the client sending ESP
> packets to the PIX but none are coming back.
>
> Please, if anyone has any ideas I would love to hear them. This has been
> driving me crazy!
>
> Thanks,
>
> James Willard
> [EMAIL PROTECTED]
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74391&t=74363
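A static check over the config James posted, as an added example that is not part of the thread and not Cisco tooling: it parses the quoted PIX 6.3 lines and verifies the relationships the discussion turns on (the nat 0 exemption ACL covers the whole VPN pool, the pool does not overlap the inside LAN, the vpngroup's split-tunnel ACL exists, and the crypto map, isakmp and sysopt lines are present). The inside network is passed in explicitly because the quoted config has no `ip address inside` line, and the parser handles only the `permit ip` ACL form that appears in the post; both are assumptions of this example. It does not check for `vpdn enable outside`, which derek's reply points at.

```python
import ipaddress

# Constructed sample: the relevant lines of the PIX 6.3 config quoted in the
# thread, joined back onto single lines where the mail client wrapped them.
POSTED_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
crypto map crypto-map-swa interface outside
isakmp enable outside
isakmp nat-traversal 20
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
vpngroup VPNUser idle-time 1800
"""


def _net(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Extract ACLs, local pools, the nat 0 exemption and vpngroup attributes."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "vpngroups": {}, "lines": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        cfg["lines"].add(line)
        tok = line.split()
        # Only the 'permit ip SRC MASK DST MASK' form used in the post is parsed.
        if tok[0] == "access-list" and len(tok) >= 5 and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            src, dst = _net(rest), _net(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif tok[0] == "nat" and len(tok) > 4 and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"] = tok[4]
        elif tok[0] == "vpngroup" and len(tok) >= 4:
            cfg["vpngroups"].setdefault(tok[1], {})[tok[2]] = " ".join(tok[3:])
    return cfg


def lint_vpn_config(text, inside_nets):
    """Return a list of findings; an empty list means every static check passed.

    inside_nets is an assumption supplied by the caller, e.g. ["192.168.1.0/24"].
    """
    cfg = parse_config(text)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    for flag in ("sysopt connection permit-ipsec", "isakmp enable outside"):
        if flag not in cfg["lines"]:
            findings.append(f"missing '{flag}'")
    if not any(l.startswith("crypto map ") and l.endswith(" interface outside")
               for l in cfg["lines"]):
        findings.append("no crypto map bound to the outside interface")
    if cfg["nat0"] is None:
        findings.append("no 'nat (inside) 0 access-list' exemption, VPN traffic would be NATed")
    nat0_dsts = [dst for _, dst in cfg["acls"].get(cfg["nat0"], [])]
    for group, attrs in cfg["vpngroups"].items():
        pool = cfg["pools"].get(attrs.get("address-pool"))
        if pool is None:
            findings.append(f"vpngroup {group}: address-pool does not name a defined ip local pool")
            continue
        for block in pool:
            if not any(block.subnet_of(d) for d in nat0_dsts):
                findings.append(f"vpngroup {group}: pool block {block} not exempted by the nat 0 ACL")
            if any(block.overlaps(n) for n in inside):
                findings.append(f"vpngroup {group}: pool block {block} overlaps an inside network")
        st = attrs.get("split-tunnel")
        if st and st not in cfg["acls"]:
            findings.append(f"vpngroup {group}: split-tunnel ACL {st} is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_config(POSTED_CONFIG, ["192.168.1.0/24"]) or ["no findings"]:
        print(finding)
```

Run against the quoted config it returns no findings, which matches the symptom that the tunnel comes up and SAs are built: none of the relationships it encodes explains the one-way ESP, so the cause has to be looked for elsewhere. Break the nat 0 ACL (point its destination at a different /24) or drop the sysopt line and the corresponding finding appears.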