OK,
I'm a little confused as to what "lan" sites are.
"Allow Local Lan Access" just allows the PC that is running the VPN
software to be able to interact with ITS local lan.
If you're wanting the remote PC to access the INSIDE lan, then you need to
make sure that both your NAT 0 access-list allows it, as well as your inside
acl, and that the PCs know how to get to the range of addresses that you
assigned to your remote users.


Thanks

Larry
 

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]


thanks for the config

i can't seem to ping from the remote client to any lan sites, though...any
ideas?  the "allow local lan access" line is disabled in the statistics,
though i have it enabled in the client...

thanks,

ed

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 1:26 PM
To: 'Edward Sohn'; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]


Share the knowledge I say...
OK, this has been edited to protect my information, but other than that it's
directly off of a PIX that has 2 lan 2 Lan tunnels and also allows VPN
remote access... I think I got all the leftover junk cleaned out as well...
!
access-list 100 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.2.0 255.255.255.0
access-list 120 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 110 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 110 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set TRANSFORM
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 110
crypto map MYMAP 10 set peer e.f.g.h
crypto map MYMAP 10 set transform-set TRANSFORM
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 120
crypto map MYMAP 30 set peer a.b.c.d
crypto map MYMAP 30 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address a.b.c.d netmask 255.255.255.255
isakmp key ******** address e.f.g.h netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK dns-server 192.168.24.22
vpngroup DONTTHINK default-domain groupstudy.rocks
vpngroup DONTTHINK idle-time 1800
vpngroup DONTTHINK password ********

Thanks

Larry
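
Added example (not part of the original thread and not Larry's code): a Python check for the point made in Larry's later reply, that the NAT 0 access-list must allow the range assigned to remote users, run against the command syntax shown in the config above. It checks ACL destinations only, the function names are hypothetical, and the sample is constructed, with 192.168.24.0 255.255.255.0 assumed as a stand-in for the redacted inside network.

```python
import ipaddress

# Constructed sample: a subset of the thread's config, with the redacted inside
# network replaced by an assumed placeholder, 192.168.24.0 255.255.255.0.
SAMPLE = """\
access-list 100 permit ip 192.168.24.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 100 permit ip 192.168.24.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
vpngroup DONTTHINK address-pool REMOTEUSER
"""

def parse(config):
    """Collect ACL destinations, address pools, vpngroup pools and the nat 0 ACL."""
    acl_dsts, pools, groups, nat0 = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if len(t) == 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # These ACLs carry subnet masks, which ip_network accepts directly
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            acl_dsts.setdefault(t[1], []).append(dst)
        elif len(t) == 5 and t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif len(t) == 5 and t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
        elif len(t) == 4 and t[0] == "vpngroup" and t[2] == "address-pool":
            groups[t[1]] = t[3]
    return acl_dsts, pools, groups, nat0

def pools_missing_nat0(config):
    """Return {vpngroup: pool} for pools the nat 0 ACL does not fully exempt."""
    acl_dsts, pools, groups, nat0 = parse(config)
    # Merge adjacent permit destinations so split entries still count as cover
    exempt = list(ipaddress.collapse_addresses(acl_dsts.get(nat0, [])))
    missing = {}
    for group, pool in groups.items():
        if pool in pools:
            blocks = ipaddress.summarize_address_range(*pools[pool])
            if all(any(b.subnet_of(e) for e in exempt) for b in blocks):
                continue
        missing[group] = pool  # undefined pool, or a range with no exemption
    return missing

if __name__ == "__main__":
    print("nat 0 gaps, full sample:", pools_missing_nat0(SAMPLE))
    broken = SAMPLE.replace("access-list 100 permit ip 192.168.24.0 "
                            "255.255.255.0 192.168.2.0 255.255.255.0\n", "")
    print("nat 0 gaps, pool entry removed:", pools_missing_nat0(broken))
```

An empty result means every vpngroup pool is covered by a permit destination in the nat 0 access-list; the inside ACL and the routing back to the pool, the other two items in the reply, still need checking separately.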
 

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]


anyone have any working configs of a PIX set up for a site-to-site IPSec
tunnel with another PIX (at a remote site), as well as set up for mobile
user VPN access (through dialup/dsl/cable/etc)?  the client will use secure
VPN client 3.0 for windows.

i have the docs from CCO, but someone told me that their config for the
remote user is wrong and does not work right.

appreciate your help.  please email me directly.

ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58859&t=58818