PIX 515 and VPN
cepolly asked:
I just installed a 515 and all is well. However, I'm having a difficult time getting the VPN working.
Here is my config:
and below the config are the logs from my vpn client.
thanks in advance for the help.
cepolly
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 6ztx/UAvbLi8D0Sn encrypted
passwd 6ztx/UAvbLi8D0Sn encrypted
hostname PIX515
domain-name T43434n
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.1.3 3434
name 192.168.1.1 434343
name 192.168.1.5 43434
name 192.168.1.8 43434
name 192.168.1.12 34343
name 192.168.1.11 34343
name 192.168.1.9 c4344k
object-group service pcANY tcp
description pcANYwhere
port-object range 65301 65301
port-object eq pcanywhere-data
port-object range pcanywhere-data 5632
object-group service TermServ tcp
description RDP
port-object range 3389 3399
access-list inside_access_in remark outbound
access-list inside_access_in permit tcp any any
access-list letmein remark inbound traffic
access-list letmein permit tcp any host x.x.x.x eq www
access-list letmein permit tcp any host x.x.x.x eq https
access-list letmein permit tcp any host x.x.x.x eq pop3
access-list letmein permit tcp any host x.x.x.x eq imap4
access-list letmein permit tcp any host x.x.x.x eq pcanywhere-data
access-list letmein permit udp any host x.x.x.x eq 65301
access-list letmein permit tcp any host x.x.x.x eq 65301
access-list letmein permit udp any host x.x.x.x eq 143
access-list letmein permit udp any host x.x.x.x eq 220
access-list letmein permit tcp any host x.x.x.x eq 220
access-list letmein permit tcp any host x.x.x.x eq 585
access-list letmein permit udp any host x.x.x.x eq 585
access-list letmein permit udp any host x.x.x.x eq 993
access-list letmein permit tcp any host x.x.x.x eq 993
access-list letmein permit tcp any host x.x.x.x eq smtp
access-list letmein permit icmp any any
access-list letmein permit udp any host x.x.x.x eq 3389
access-list letmein permit tcp any host x.x.x.x eq 3389
access-list letmein permit tcp any host x.x.x.x eq 8080
access-list letmein permit udp any host x.x.x.x eq 2439
access-list letmein permit tcp any host x.x.x.x eq 2439
access-list letmein permit tcp any host x.x.x.x eq 5001
access-list in_out permit ip any any
access-list dmz_in permit tcp host 10.0.1.9 host 192.168.1.12 eq 3502
access-list dmz_in permit icmp any any
access-list dmz_in permit tcp host 10.0.1.9 host 192.168.1.12 eq smtp
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-list nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.19 255.255.255.0
ip address DMZ 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.2.1-192.168.2.254
pdm location x.x.x.x 255.255.255.255 outside
pdm location x.x.x.x 255.255.255.255 outside
pdm location 10.0.1.9 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location 10.0.1.9 255.255.255.255 DMZ
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (DMZ) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) udp interface 2439 192.168.1.7 2439 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2439 192.168.1.7 2439 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 10.0.1.9 8080 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 143 192.168.1.12 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 192.168.1.12 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.12 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.9 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.9 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5001 192.168.1.9 5001 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group letmein in interface outside
access-group dmz_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map mymap 5 ipsec-isakmp
! Incomplete <------------------------- notice this.
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup vpn3000 dns-server x.x.x.x
vpngroup vpn3000 wins-server 192.168.1.1
vpngroup vpn3000 default-domain domain
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup TEK-VPN-USERS idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.200-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:2c0a8cdd2a73b02d0cd52a8f1929afbb
: end
1 19:25:58.475 08/29/04 Sev=Info/4 CM/0x63100002
Begin connection process
2 19:25:58.490 08/29/04 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
3 19:25:58.490 08/29/04 Sev=Info/4 CM/0x63100024
Attempt connection with server "216.64.25.187"
4 19:25:59.740 08/29/04 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
5 19:25:59.740 08/29/04 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
6 19:25:59.865 08/29/04 Sev=Warning/2 IKE/0xE3000022
No private IP address was assigned by the peer
7 19:25:59.865 08/29/04 Sev=Warning/2 IKE/0xE3000099
Failed to process ModeCfg Reply (NavigatorTM:175)
8 19:26:03.194 08/29/04 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED ". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
9 19:26:03.194 08/29/04 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
ASKER
As far as the IP pool, it's there: 'ip local pool ippool 192.168.2.1-192.168.2.254'.
But I didn't have it assigned. I did that now.
Thanks. I see what you are saying about the mymap.
Should I change this to myset instead of mymap?
When I try to remove the mymap using 'no crypto map mymap 5 ipsec-isakmp' I get an 'ERROR: unknown subcommand <ipsec-isakmp>'.
ASKER
OK, thanks grblades.
I was able to do the remove 'no crypto map mymap 5 ipsec-isakmp' by just doing a 'no crypto map mymap 5' without the rest of the statement.
Also, as soon as I added 'vpngroup vpn3000 address-pool ippool', it worked.
Thanks.
The only thing now is the ability to use Exchange and Outlook via the VPN.
How do I set up name resolution for the Exchange server to allow the sync of mail?
I defined the WINS server.
As long as the WINS server is configured and contains the name of the Exchange server, and the DNS server being used is that of the AD domain controller, it should work.
ASKER
Here is my latest log file.
Not sure what is holding up the communication from the VPN client into the network.
58 16:02:02.782 08/30/04 Sev=Info/4 CM/0x63100002
Begin connection process
59 16:02:02.798 08/30/04 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
60 16:02:02.798 08/30/04 Sev=Info/4 CM/0x63100024
Attempt connection with server "216.64.25.187"
61 16:02:03.064 08/30/04 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
62 16:02:03.064 08/30/04 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
63 16:02:03.626 08/30/04 Sev=Info/4 CM/0x63100019
Mode Config data received
64 16:02:04.157 08/30/04 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.1/255.255.255.0
DNS=66.255.x.x,0.0.0.0
WINS=192.168.1.1,0.0.0.0
Domain=xxxdomain
Split DNS Names=
65 16:02:04.204 08/30/04 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.2.1
Interface 192.168.2.1
66 16:02:04.204 08/30/04 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
67 16:02:04.251 08/30/04 Sev=Info/4 CM/0x6310001A
One secure connection established
68 16:02:04.361 08/30/04 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.1.108. Current address(es): 192.168.2.1, 192.168.1.108.
69 16:02:04.361 08/30/04 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.2.1. Current address(es): 192.168.2.1, 192.168.1.108.
From your machine without VPN running, can you post the output of 'route print' (run it in a DOS window)?
Are you using 192.168.1.x or 192.168.2.x on your local network?
ASKER
I have the route with the VPN on as well.
Here it is without VPN on:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...mac address ...... 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.108      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.108   192.168.1.108      20
    192.168.1.108  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.108   192.168.1.108      20
        224.0.0.0        240.0.0.0    192.168.1.108   192.168.1.108      20
  255.255.255.255  255.255.255.255    192.168.1.108   192.168.1.108       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
ASKER
My home network is 192.168.1.0.
Is the VPN getting confused?
Is there a way to only use the VPN connection to resolve names?
192.168.1.1 is the WINS server on the network I'm connecting to.
192.168.1.1 is my gateway on my local network.
Yes, you cannot have the same IP address range on either side of the VPN. You will have to change either your home network range or the company one.
ASKER
We got it to work.
I forgot to use the NAT line:
nat (inside) 0 access-list nat0
As soon as this was applied it worked.
Thanks.
ASKER CERTIFIED SOLUTION
'mymap' does not correspond with anything. Remove the 'crypto map mymap' commands and set them up correctly :-
no crypto map mymap 5 ipsec-isakmp
no crypto map mymap interface outside
crypto map outside_map interface outside
You are missing an address pool from the vpngroup and this is mainly what the client log is complaining about. Add the following :-
ip local pool vpnpool 192.168.100.1-192.168.100.
vpngroup vpn3000 address-pool vpnpool
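The thread ends up finding four separate faults: a crypto map entry with no body bound to the outside interface, a vpngroup with no address-pool (the "No private IP address was assigned by the peer" warning), a missing nat 0 exemption for the pool, and the same 192.168.1.0/24 range on both sides of the tunnel. The script below is an added example, not Cisco tooling and not the commands from the answers above: it is a small static checker that reads a PIX 6.x-style configuration and reports those four conditions. The sample configurations embedded in it are constructed excerpts modelled on the config posted in the question, one before and one after the fixes the thread arrived at; the rule wording and the `client_lan` parameter are my own.

```python
"""Static checks for a PIX 6.x remote-access IPsec config (added example).

Heuristics only, written for this thread: incomplete crypto map bound to an
interface, vpngroup without an address-pool, missing nat 0 exemption, and an
address range that exists on both sides of the tunnel.
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the config posted in the question, before the fixes.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.19 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
access-list nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map mymap 5 ipsec-isakmp
crypto map mymap interface outside
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 password ********
vpngroup TEK-VPN-USERS idle-time 1800
"""

# The same excerpt with the corrections from the thread applied (constructed).
FIXED_CONFIG = """\
ip address inside 192.168.1.19 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
access-list nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto dynamic-map dynmap 10 set transform-set myset
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 password ********
"""


def parse(config_text):
    """Collect only the statements the checks need."""
    facts = {
        "inside": None,                  # inside interface network
        "pools": {},                     # pool name -> (first, last)
        "acls": set(),                   # names of defined access-lists
        "entries": defaultdict(dict),    # crypto map name -> seq -> token set
        "bound": {},                     # crypto map name -> interface
        "vpngroups": defaultdict(dict),  # group name -> attribute -> value
        "nat0_acl": None,                # ACL named in 'nat (inside) 0 access-list'
    }
    for raw in config_text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["ip", "address", "inside"] and len(t) >= 5:
            facts["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            lo, _, hi = t[4].partition("-")
            facts["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[0] == "access-list" and len(t) >= 2:
            facts["acls"].add(t[1])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            if t[3] == "interface":
                facts["bound"][t[2]] = t[4]
            elif t[3].isdigit():
                facts["entries"][t[2]].setdefault(t[3], set()).update(t[4:])
        elif t[0] == "vpngroup" and len(t) >= 3:
            facts["vpngroups"][t[1]][t[2]] = t[3] if len(t) > 3 else ""
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) >= 5:
            facts["nat0_acl"] = t[4]
    return facts


def _usable(tokens):
    """An entry can negotiate an SA only if it is dynamic or has peer, match and transform-set."""
    return "dynamic" in tokens or {"match", "peer", "transform-set"} <= tokens


def check(config_text, client_lan=None):
    """Return human-readable findings; an empty list means no rule fired."""
    f = parse(config_text)
    findings = []
    for name, iface in f["bound"].items():
        if not any(_usable(tok) for tok in f["entries"].get(name, {}).values()):
            findings.append(f"crypto map {name} is bound to {iface} but has no usable entry")
    for name in f["entries"]:
        if name not in f["bound"]:
            findings.append(f"crypto map {name} has entries but is bound to no interface")
    for group, attrs in f["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool is None:
            findings.append(f"vpngroup {group} has no address-pool, so clients get no private IP")
        elif pool not in f["pools"]:
            findings.append(f"vpngroup {group} names undefined pool {pool}")
    if f["nat0_acl"] is None:
        findings.append("no 'nat (inside) 0 access-list' exemption for the VPN pool")
    elif f["nat0_acl"] not in f["acls"]:
        findings.append(f"nat 0 references undefined access-list {f['nat0_acl']}")
    inside = f["inside"]
    for pname, (lo, hi) in f["pools"].items():
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {pname} overlaps the inside subnet {inside}")
    if client_lan is not None and inside is not None:
        lan = ipaddress.ip_network(client_lan)  # the remote user's own LAN, e.g. a home network
        if lan.overlaps(inside):
            findings.append(f"client LAN {lan} overlaps inside subnet {inside}; inside hosts are unreachable")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(f"--- {label} (client LAN 192.168.1.0/24) ---")
        for line in check(cfg, "192.168.1.0/24") or ["no findings"]:
            print(" ", line)
```

Running it prints five findings for the "before" excerpt plus the overlap finding when the client LAN is 192.168.1.0/24, and only the overlap finding for the "after" excerpt, which matches the order the thread resolved things in: the config fixes cleared everything except the address clash, which no firewall setting can fix.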