Hello Everybody,

  Sorry for coming to the list with a problem.
  I am trying to set up VPN PIX1-to-PIX2 &
PIX1-to-remote users (Cisco Secure VPN Client 1.1).

PIX to PIX works fine, but I am having a problem with
the Cisco Secure client getting into the network behind the
PIX. The Secure client establishes an SA with the PIX, but I can't
ping anything behind it. I think I am doing something
wrong with the config but can't figure out what it is. Can
somebody check these configs & tell me where I am
going wrong? Here are my configs.


Cisco PIX 1 (VPN-related config only)

access-list acl_out permit icmp any any
access-list 110 permit ip 192.168.172.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 100 permit ip 192.168.172.0 255.255.255.0 10.1.0.0 255.255.255.0
ip address outside XX.XX.XX.XX 255.255.255.0
ip address inside 192.168.172.1 255.255.255.0
ip local pool vpnpool 192.168.172.200-192.168.172.225
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.172.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set standard esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set standard
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address 110
crypto map peer_map 10 set peer xx.xx.xx.xx
crypto map peer_map 10 set transform-set standard
crypto map peer_map 5 ipsec-isakmp dynamic dynmap
crypto map peer_map client configuration address initiate
crypto map peer_map client configuration address respond
crypto map peer_map interface outside
isakmp enable outside
isakmp key xxxxxx address xx.xx.xx.xx netmask 255.255.255.255 no-config-mode
isakmp key xxxxxxxx address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600




Cisco Secure Client 1.1

Connection 1:   Secure 

   Remote Party Identity: 
             ID Type: IP Subnet
                      Subnet 192.168.172.0
                      Mask: 255.255.255.0
                      Protocol: All
              Gateway: PIX IP address
  
    Phase1 : Pre-shared Key, 3DES, MD5, DH Group1
    Phase2:  3DES, MD5, Tunnel

Other Connections:   Non Secure

 
I am hoping this Secure Client 1.1 config is correct.
Does this do split tunneling, allowing all connections
except 192.168.172.0 to go to the Internet without going
through the PIX?

Can I use Cisco's new Unified Client with the PIX without
using an authentication server along with the PIX?


Thanks in advance 
john 
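Added example, not part of John's post and not his config: the same PIX 6.x fragment with the two things that usually break the remote-client case when the PIX-to-PIX tunnel already works. In the posted config the client pool (192.168.172.200-225) is carved out of the inside LAN (192.168.172.0/24), so an inside host answering a VPN client ARPs for the client's address on the local wire and the reply never reaches the PIX; and the nat 0 ACL only exempts traffic to 10.1.0.0/24, so any reply that does reach the PIX is PATed to the outside interface address by nat 1 and no longer matches the client's SA. The fragment below moves the pool to a separate subnet and adds that subnet to the exemption ACL. The pool subnet 192.168.173.0/24 is an assumption (any unused private range works); everything else keeps the names from the post. Lines beginning with ":" are PIX config comments.

```cisco
: Added example (not the original poster's config).
: Assumption: 192.168.173.0/24 is unused anywhere on the network.
ip local pool vpnpool 192.168.173.1-192.168.173.50

: Exempt from NAT both the site-to-site traffic and the
: inside-to-client traffic; the client pool must appear here.
access-list 100 permit ip 192.168.172.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 100 permit ip 192.168.172.0 255.255.255.0 192.168.173.0 255.255.255.0
nat (inside) 0 access-list 100

: Ordinary outbound traffic is still PATed to the outside address.
global (outside) 1 interface
nat (inside) 1 192.168.172.0 255.255.255.0 0 0

: Dynamic entry for the client keeps a lower sequence number so it is
: tried after the static peer entry (10) for the PIX-to-PIX tunnel.
crypto dynamic-map dynmap 30 set transform-set standard
crypto map peer_map 5 ipsec-isakmp dynamic dynmap
isakmp client configuration address-pool local vpnpool outside
sysopt connection permit-ipsec
```

On the client side the Remote Party Identity stays at 192.168.172.0/24; only the address the client is handed changes. To confirm where traffic is lost, run `show crypto ipsec sa` on the PIX while pinging from the client: if the client's SA shows `#pkts decaps` increasing but `#pkts encaps` stuck at 0, the pings are arriving and the replies are being lost on the inside or translated, which is exactly the overlap/NAT problem above rather than an IKE or policy mismatch.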



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=15206&t=15206
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]