Cisco Client VPN

Asked by Telstar-Networks in Cisco PIX Firewall, Networking, Miscellaneous Networking, Networking Hardware Firewalls, Enterprise Firewalls

Tags: cisco vpn

So I have another question running with certificate VPN, but for now I figured I would just set it up using the client and a group until that one gets figured out.  Here is the problem.

The router is actually running 2 VPNs, one L2TP for Windows clients and this one I just set up for Cisco (the client has a number of XP home machines, so no Windows client to use.)

I set up the VPN, it connects, but I can't ping anything on the network there.  Access to the LAN is enabled on the Cisco client, but nothing.  

The L2TP connection, however, works fine.  I ran some tests to try to figure out what the difference was.

The remote subnet is 10.0.0.0/24 and the subnet that is local is 10.2.1.0/24, for reference.

On L2TP it is set to route requests to the public IP (PIP) using a gateway of the default network gateway and the local interface.  This pings.

On Cisco VPN it is the same setup, but this doesn't ping.  Obviously a problem.

On L2TP the route for 10.0.0.0 on 255.0.0.0 goes to PIP.  This pings.

On Cisco VPN the same route goes to local Cisco VPN adapter IP.  This, obviously, doesn't ping.

Anyone have an idea why?

Here is the current running config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXXXX.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 interface outside
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.176 255.255.255.248
access-list vpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.176 255.255.255.248
access-list outside_access_in permit tcp any host (PIP) eq smtp
access-list outside_access_in permit tcp any host (PIP) eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside (PIP) 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn01 10.0.0.177-10.0.0.183
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.176 255.255.255.248 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp (PIP) smtp 10.0.0.20 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp (PIP) https 10.0.0.20 https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (PIP2) 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 132.163.4.101 source outside prefer
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn address-pool vpn01
vpngroup vpn split-tunnel outside_cryptomap_dyn_20
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 25
ssh timeout 5
console timeout 0
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication chap
vpdn group L2TP-VPDN-GROUP ppp authentication mschap
vpdn group L2TP-VPDN-GROUP client configuration address local vpn01
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60
vpdn username XXXXXXX password *********
vpdn enable outside
username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
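The posted config can be checked mechanically for the handful of settings that decide whether a connected client can reach the inside LAN. The script below is an added example written for this thread, not code from the question, from Experts Exchange or from Cisco: it parses a PIX 6.3 style running config (the excerpt is taken from the config above, with (PIP) left as the redacted placeholder) and reports the conditions a firewall engineer would look at first: whether `sysopt connection permit-ipsec` is present so decrypted client traffic bypasses the outside interface ACL, whether the `nat 0` ACL exempts inside-to-pool traffic, whether the split-tunnel ACL the vpngroup references exists, and whether the client pool sits inside the LAN subnet. The names `parse_config` and `check_vpn_client_reachability` are this example's own; the pool-overlap check is a general guideline (use a pool on its own subnet, or confirm the PIX answers ARP for pool addresses), not something stated by the question.

```python
"""Static checks for a PIX 6.3 remote-access VPN config.

Added example (not from the question or from Cisco): parses the posted config
and flags the settings that most often leave a connected VPN client unable to
reach the inside LAN.
"""
import ipaddress

# Constructed excerpt of the config in the question; (PIP) stands in for the
# real public address, which the page redacts.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 interface outside
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.176 255.255.255.248
access-list vpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.176 255.255.255.248
access-list outside_access_in permit tcp any host (PIP) eq smtp
ip address inside 10.0.0.1 255.255.255.0
ip local pool vpn01 10.0.0.177-10.0.0.183
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-l2tp
vpngroup vpn address-pool vpn01
vpngroup vpn split-tunnel outside_cryptomap_dyn_20
"""


def parse_config(text):
    """Collect ACLs, pools, sysopt flags, nat 0 ACL, inside subnet and vpngroups."""
    cfg = {"acls": {}, "pools": {}, "sysopt": set(), "vpngroups": {},
           "nat0": None, "inside": None}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:3] == ["ip", "local", "pool"]:
            lo, hi = p[4].split("-")
            cfg["pools"][p[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            cfg["nat0"] = p[4]
        elif p[:2] == ["sysopt", "connection"]:
            cfg["sysopt"].add(p[2])
        elif p[0] == "vpngroup":
            cfg["vpngroups"].setdefault(p[1], {})[p[2]] = p[3] if len(p) > 3 else None
    return cfg


def _endpoint(tok, i):
    """Parse one ACL address spec at tok[i]; returns (network or None, next index)."""
    try:
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        if tok[i] == "interface":  # interface keyword: no literal address to check
            return None, i + 2
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    except ValueError:  # redacted values such as "(PIP)"
        return None, i + 2


def ace_networks(ace):
    """Return (src, dst) networks of an ACE like ['permit','ip',src,mask,dst,mask]."""
    src, i = _endpoint(ace, 2)
    dst, _ = _endpoint(ace, i)
    return src, dst


def check_vpn_client_reachability(cfg, group):
    """Return a list of findings explaining why clients in `group` may not reach the LAN."""
    findings = []
    g = cfg["vpngroups"].get(group, {})
    inside = cfg["inside"]
    pool = cfg["pools"].get(g.get("address-pool"))
    if inside is None or pool is None:
        return [f"vpngroup {group}: inside subnet or address-pool not defined"]
    lo, hi = pool
    # 1. Decrypted IPsec traffic is subject to the outside ACL unless this sysopt is set.
    if "permit-ipsec" not in cfg["sysopt"]:
        findings.append("missing 'sysopt connection permit-ipsec': decrypted client traffic "
                        "is filtered by the outside interface ACL (permit-l2tp covers only L2TP)")
    # 2. Return traffic inside -> pool must be exempt from NAT via the nat 0 ACL.
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    covered = any(src is not None and dst is not None and inside.subnet_of(src)
                  and lo in dst and hi in dst for src, dst in map(ace_networks, nat0))
    if not covered:
        findings.append(f"nat 0 ACL does not exempt {inside} -> {lo}-{hi}")
    # 3. The split-tunnel ACL the group points at must exist.
    st = g.get("split-tunnel")
    if st and st not in cfg["acls"]:
        findings.append(f"split-tunnel ACL '{st}' is referenced but not defined")
    # 4. A pool carved out of the LAN subnet relies on the PIX answering ARP for it.
    if lo in inside or hi in inside:
        findings.append(f"pool {lo}-{hi} lies inside LAN subnet {inside}: use a separate "
                        "subnet or verify the PIX proxy-ARPs for pool addresses")
    return findings


if __name__ == "__main__":
    for f in check_vpn_client_reachability(parse_config(SAMPLE_CONFIG), "vpn"):
        print("-", f)
```

Run against the posted excerpt it reports two findings (the missing `permit-ipsec` sysopt and the pool overlapping 10.0.0.0/24) and is silent on the `nat 0` exemption and the split-tunnel ACL, which the config already has. Moving the pool to its own subnet requires the `nat 0` ACL to follow it, which the second check catches.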