All,

I am trying to get the RSA ACE Server to authenticate VPN remote users that terminate VPN connection to my Pix firewall. So far it is not working and here is my scenario:

Pix FW:
Outside IP: 12.1.1.100 (netmask /21)
Inside IP: 172.161.254 (netmask /24)
DMZ IP: 172.18.1.254 (netmask /24)

The IP address of the RSA ACE-Server is 172.18.1.2.

Here is the configuration on my pix firewall. By the way, I am using Pix OS 6.3(1):

ip local pool test 172.30.1.1-172.30.1.254
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server ACE-SERVER protocol radius
aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto ipsec transform-set set3 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
crypto map outside 20 ipsec-isakmp dynamic vpnremote
crypto map outside client configuration address respond
crypto map outside client authentication ACE-SERVER
outside interface outside
isakmp enable outside
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default address-pool test
vpngroup default dns-server 129.174.1.8
vpngroup default wins-server 129.174.1.8
vpngroup default default-domain test.com
vpngroup default split-tunnel 100
vpngroup default split-dns test.com
vpngroup default idle-time 1800

The problem is that whenever the pix sends an "access-request" to the RSA ACE Server, the ACE Server sends back an "access-reject" to the pix. It seems like the ACE Server thinks that the pix is an "unauthorized" host to communicate with the ACE Server.

Now, I add the pix as an "Agent Hosts" on the ACE Server (Is this similar to the clients.conf to FreeRadius?) and it still wouldn't work. Radius is also running on the ACE Server so I know that the communication is there. Furthermore, there is NO blocking of communication between the Pix and the ACE Server.

Can someone with experience with ACE Server help me out with this problem? It has been a frustrating week. I am running ACE Server version 5.1 on both Windows 2000 Server.

D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69995&t=69995
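
Added example, not part of the original post: an Access-Reject with working connectivity is one symptom of a shared-secret mismatch between the NAS and the RADIUS server when the passcode travels as an RFC 2865 User-Password, which is assumed here. The sketch shows the server recovering garbage from the hidden passcode and the reject failing Response Authenticator verification on the NAS side; the server-side secret, passcode, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: obfuscate User-Password as in RFC 2865 section 5.2."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the obfuscation with the server's copy of the secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def response_auth(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_verifies(code, ident, attrs, request_auth, received, secret) -> bool:
    expected = response_auth(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received)

NAS_SECRET = b"123456"       # key shown on the aaa-server host line in the post
SERVER_SECRET = b"12345"     # constructed: hypothetical mistyped secret on the server
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator
PASSCODE = b"1234567890"     # constructed passcode
ACCESS_REJECT = 3            # RADIUS code for Access-Reject

if __name__ == "__main__":
    hidden = hide_password(PASSCODE, NAS_SECRET, REQ_AUTH)
    print("matching secret  :", recover_password(hidden, NAS_SECRET, REQ_AUTH))
    print("mismatched secret:", recover_password(hidden, SERVER_SECRET, REQ_AUTH))
    reject = response_auth(ACCESS_REJECT, 7, b"", REQ_AUTH, SERVER_SECRET)
    print("reject verifies on NAS:",
          reply_verifies(ACCESS_REJECT, 7, b"", REQ_AUTH, reject, NAS_SECRET))
```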

