	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

Cisco PIX 7.2(3) RA VPN

Asked by ddiazp in Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall

Tags: Cisco PIX Firewall, VPN, ASA

Hi Everyone.

I've spent countless hours on trying to get this to work, but it got to a point where my brain hurts and I need a second opinion.

I have a firewall (Cisco PIX 515e) running version 7.2(3). This firewall has currently 2 L2L VPNs set up which work fine. I need to set up a third VPN which is going to be a remote-access VPN. Using the ASDM is useless for the VPN Wizard because once I finish the wizard and click Finish, nothing happens. It won't let me click Finish.

So I went ahead and used the command line.

The config posted below works perfectly on a PIX 515e version 7.2(2) which we use at a different site.

however, after changing a couple of values to fit my needs on this firewall, the VPN session is established (both phases) but when i try to communicate to the inside of the remote lan, I get the following from the Firewall:

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Oct 29 2009 22:15:08: %ASA-3-713042: IKE Initiator unable to find policy: Intf Outside, Src: 172.16.1.101, Dst: 10.100.1.2

I then decided to add a 'match address vpnacl' along with a vpnacl access-list to identify vpn traffic, but then PHASE2 failed and I couldn't connect so I removed it.

I think the different versions would have something to do with it although I looked at the list of changes on the 7.2.(3) for an hour and nothing relates to this. Perhaps an expert could give me a hand.

Or if anyone has a working remote-access VPN config for PIX 7.2(3) or higher it would be greatly useful.

Thanks!!

Get your answer NOW

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:

           
           
             access-list NO_NAT extended permit ip host 172.16.1.101 10.100.1.0 255.255.255.0
 
access-list split-tunnel remark FOR VPN SPLIT TUNNELS 
access-list split-tunnel standard permit 172.16.1.101 255.255.255.255 
 
nat (inside,outside) 0 access-list NO_NAT
 
ip local pool vpnpool 10.100.1.2-10.100.1.254 mask 255.255.255.0
 
group-policy remote_staff internal
group-policy remote_staff attributes
 dns-server value 172.16.1.101
 vpn-idle-timeout 10
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-3DES-MD5 
crypto dynamic-map outside_dyn_map 5 set security-association lifetime seconds 3600 
crypto map outside_map 5 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
 
crypto isakmp policy 5  
	authentication pre-share  
	encryption 3des  
	hash md5  
	group 2  
	lifetime 3600
 
tunnel-group remote_staff type ipsec-ra
tunnel-group remote_staff general-attributes  
	address-pool vpnpool  
	authentication-server-group LOCAL 
	default-group-policy remote_staff 
tunnel-group remote_staff ipsec-attributes  
	pre-shared-key *        !sanitized

           
         

	Title
1	How can I allow outgoing VPN access …
2	VPN Routing
3	ASA5510 & Cisco 2821 : Ping …