This is relevant commands for e-mail and Internet access (working well)Īccess-list 100 permit tcp any host 193.x.y.29 eq smtp I'm sure there s something simple I am missing. Isakmp policy 20 authentication pre-share Ip local pool ippool 192.168.0.1-192.168.0.10Ĭrypto ipsec transform-set VPDNDES esp-des esp-md5-hmacĬrypto dynamic-map dynmap 50 set transform-set VPDNDESĬrypto map mapName 10 ipsec-isakmp dynamic dynmap Is anything showing as being blocked in the PIX logs when you ping from VPN3 client ?Īs for VPN client, the following generic config works fine with 3.X clients, check it against yours I guess (IP's and passwords changed,obviously)
This may be blocking the outbound ICMP (this is just a guess, no config info so difficult to tell).
(I'm sure that I'll have fun and games before it all works, but we need to solve this Phase 1 stage first.)įrom the reference to GRC.com I'm guessing you have an outbound access-list on the outside interface. I have tried "Allow IPSec through NAT mode" both on and off on client settings, but no differnce.Ĭan anyone please enlighten me on what PIX statements are related to failures at this stage. The PIX is working for users inside to get to Internet, and is passing SMTP mail, it also passes security tests OK. and have isakmp key ? address 0.0.0.0 netmask 0.0.0.0 with matching key in VPN3 client group access information on Authentication tab, have a vpngroup set up with matching name, have an address-pool set with isakmp client configuration address-pool local outside. I have followed all guidelines, isakmp policies, etc. (62.x.y.z is not the outside interface address it must be the ISP address as it changes if I try when connected to a different ISP). But before I added an access list to pass ip it showed:ĭeny udp src outside:62.x.y.z/500 dst inside.z/500 by access-group "100" so obviously it is reaching the PIX. PIX outside)Įxceeded 3 IKE SA negotiation retransmits. SENDING>ISAKMP OAK AG(SA, KE, NON, ID, VID, VID, VID) to .y (i.e. Thanks for your suggestions.My VPN client 3.0.1 does not even connect to the PIX506 v6.0(1) at Phase 1. I'll make sure this thread is the first to know. > When you find the solution - please share it with us. I will try a simple scenario on a test 501 as you suggest. I've tried so many remote scenarios (PC's, connection types etc), I'm convinced the problem is on my PIX. > If you have a spare pix 501 for the test, you can also try to put a client behind it, allow outbound PAT only, and connect it to your firewall (directly or via ISP). This connection is also behind NAT, but I'm unsure what devices the telco uses. I have tried the client behind a Cisco 827 and a D-Link (can't remember the model). > What NAT router? Try with different devices. > if I put any one of the three above tests behind a NAT router > I would try to also test with different client version like 3.6.3 just to check. RE: ipsec nat-traversal with pix and cisco vpn client yizhar (MIS) 18 Jul 03 16:33 Isakmp policy 10 authentication pre-share "Enable Transparent Tunnelling" is turned on and set to UPD on the client.Ĭrypto ipsec transform-set myset esp-3des esp-md5-hmacĬrypto dynamic-map dynmap 10 set transform-set mysetĬrypto map mymap 10 ipsec-isakmp dynamic dynmap I figure I'm just missing something really silly (I'm new to this so please forgive me). I hope someone can push me in the right direction. The client connects just fine, but the transparent tunnel is inactive. I'm trying to get transparent tunnelling working between a pix running 6.3(1) and cisco vpn client 4.0.1. I know this should be an easy task, but I just can't make it work.
0 kommentar(er)
