RE: OTT: VPN Connects & Auths to PIX but cannot get

From: OzgurG@garanti.com.tr
Date: Thu Sep 16 2004 - 07:35:07 GMT-3


You probably have a routing issue.
Check your VPN client statistics to see whether packets get encrypted but no
packet ever gets decrypted.
Put a route to the outside for your VPN client pool on your PIX.

Ozgur

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Phil
Sent: 09 September 2004 23:06
To: James R. Yeo
Cc: ccielab@groupstudy.com
Subject: Re: OTT: VPN Connects & Auths to PIX but cannot get to anything!!

James,

Is the client you are coming from behind NAT? If it is, you need the
"isakmp nat-traversal" in the PIX.

Phil

On Wed, 8 Sep 2004 18:10:36 +0200, James R. Yeo <james@net-brigade.com>
wrote:
> I have followed the documentation with regards to setup. I can connect
> and authenticate but cannot get to anything!? Need access to the inside
>
> HELP!
>
> access-list 121 permit icmp any any
> access-list 121 permit ip 192.168.4.0 255.255.255.0 192.168.10.0 255.255.255.0
> !
> ip local pool vpn_pool 192.168.10.1-192.168.10.254
> !
> nat (inside) 0 access-list 121
> !
> sysopt connection permit-ipsec
> crypto ipsec transform-set mytrans esp-des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set mytrans
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap interface outside
> isakmp enable outside
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> !
> vpngroup RSS_Azcom address-pool vpn_pool
> vpngroup RSS_Azcom dns-server 192.168.4.101
> vpngroup RSS_Azcom wins-server 192.168.4.101
> vpngroup RSS_Azcom default-domain rssa.co.za
> vpngroup RSS_Azcom split-tunnel 121
> vpngroup RSS_Azcom idle-time 1800
> vpngroup RSS_Azcom max-time 86400
> vpngroup RSS_Azcom password ********
> !
>
> Thanks
>
> James
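
The two suggestions made in this thread (Phil's "isakmp nat-traversal" and Ozgur's outside route for the VPN client pool), written as a small check over a PIX configuration. This is an added example, not part of any poster's message; the sample config is constructed from the lines James posted (which show no route statements), and the exact `route outside` line and its gateway 203.0.113.1 are assumptions used as placeholders.

```python
import ipaddress
import re

# Constructed sample: the lines of James's posted config that the checks read.
SAMPLE_CONFIG = """\
ip local pool vpn_pool 192.168.10.1-192.168.10.254
nat (inside) 0 access-list 121
crypto map mymap interface outside
isakmp enable outside
vpngroup RSS_Azcom address-pool vpn_pool
"""

# Constructed: one way to write the two suggested lines (gateway is a placeholder).
SUGGESTED = ("isakmp nat-traversal\n"
             "route outside 192.168.10.0 255.255.255.0 203.0.113.1\n")

def pool_ranges(lines):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for line in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools

def outside_routes(lines):
    """Return networks from 'route outside <net> <mask> <gateway>' lines."""
    nets = []
    for line in lines:
        m = re.match(r"route outside (\S+) (\S+) \S+", line)
        if m:
            net = f"{m.group(1)}/{m.group(2)}"
            nets.append(ipaddress.ip_network(net, strict=False))
    return nets

def check_config(text):
    """List which of the two settings suggested in the thread are absent."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    if not any(l.startswith("isakmp nat-traversal") for l in lines):
        findings.append("no 'isakmp nat-traversal' (needed if client is behind NAT)")
    routes = outside_routes(lines)
    for name, (first, last) in pool_ranges(lines).items():
        if not any(first in n and last in n for n in routes):
            findings.append(f"no 'route outside' covering pool {name} ({first}-{last})")
    return findings

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)))
```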



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:44 GMT-3