Solved

CISCO Router to PIX client problem

Posted on 2006-05-03
Last Modified: 2009-12-16
I have a remote office that is using a 1700 series router to connect to my VPN.  I can't figure out why it's not working.  I've posted my config.; could someone take a look and see what I'm missing?  Thanks.

version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c1600-sy56i-mz.120-7.T2.bin
boot-end-marker
!
enable password 7 03055206155C731D
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip domain name
ip name-server x.x.x.x
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key hilloil address x.x.x.x
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map clientmap 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address 115
!
!
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 192.168.35.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 speed auto
!
interface Serial0
 description connected to Internet
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 service-module t1 remote-alarm-enable
 crypto map clientmap
!
router rip
 version 2
 passive-interface Serial0
 network 192.168.35.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.35.0 255.255.255.0 x.x.x.x
no ip http server
no ip http secure-server
!
ip nat pool aimsrouter-natpool-1 x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source list 1 pool aimsrouter-natpool-1 overload
ip nat inside source static tcp 192.168.35.211 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.35.243 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.35.243 443 x.x.x.x 443 extendable
ip nat inside source static tcp 192.168.35.203 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.35.240 20 x.x.x.x 20 extendable
ip nat inside source static tcp 192.168.35.240 21 x.x.x.x 21 extendable
ip nat inside source static tcp 192.168.35.242 25 x.x.x.x 25 extendable
ip nat inside source static tcp 192.168.35.242 53 x.x.x.x 53 extendable
ip nat inside source static tcp 192.168.35.242 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.35.242 110 x.x.x.x 110 extendable
ip nat inside source static tcp 192.168.35.242 143 x.x.x.x 143 extendable
ip nat inside source static tcp 192.168.35.242 443 x.x.x.x 443 extendable
ip nat inside source static tcp 192.168.35.240 1723 x.x.x.x 1723 extendable
ip nat inside source static tcp 192.168.35.242 53 x.x.x.x 53 extendable
!
!
access-list 1 permit 192.168.35.0 0.0.0.255
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any any established
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 permit gre any host x.x.x.x
access-list 101 permit ahp any host x.x.x.x
access-list 101 permit esp any host x.x.x.x
access-list 101 permit udp any host x.x.x.x eq 1701
access-list 101 permit udp any host x.x.x.x eq isakmp
access-list 101 permit tcp any host x.x.x.x eq 1723
access-list 101 permit tcp any host x.x.x.x eq 3389
access-list 101 permit tcp any host x.x.x.x eq 3389
access-list 101 permit tcp any host x.x.x.x eq 3389
access-list 101 permit tcp any eq ftp any
access-list 101 permit tcp any eq ftp-data any
access-list 101 permit tcp any host x.x.x.x eq telnet
access-list 101 permit udp 192.168.36.0 0.0.3.255 192.168.35.0 0.0.0.255
access-list 101 permit udp 192.168.40.0 0.0.0.255 192.168.35.0 0.0.0.255
access-list 101 permit tcp any host x.x.x.x eq ftp-data
access-list 101 permit tcp any host x.x.x.x eq ftp
access-list 101 deny   tcp any any
access-list 101 permit udp any eq domain x.x.x.x 0.0.0.7
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any
access-list 101 deny   udp any any
access-list 101 permit ip any any
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq smtp
access-list 101 permit tcp any host x.x.x.x eq domain
access-list 101 permit tcp any host x.x.x.x eq 143
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq pop3
access-list 101 permit tcp any host x.x.x.x eq 443
access-list 101 permit tcp any host x.x.x.x eq 443
access-list 101 permit tcp any host x.x.x.x eq www
access-list 115 permit ip 0.0.0.0 255.255.255.0 host 68.216.168.18
snmp-server engineID local 0000000902000002FD1E3620
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password 7 110810080443595F
 login
line aux 0
line vty 0 4
 password 7 045A020B1C701E1D
 login
!
end
Question by: johnpatbullock
Accepted Solution by: lrmoore
ID: 16597713
Can you post result of
show cry is sa

If you get QM_IDLE status, then phase 1 of the VPN tunnel is complete and you should be able to pass traffic.

The other issue is NAT. I assume that you do not want to nat traffic through the tunnel, but you have not made provisions for that in your config.

>access-list 115 permit ip 0.0.0.0 255.255.255.0 host 68.216.168.18
this ACL is incorrect. Remember that you do not use subnet masks in router ACLs; use inverse masks, i.e.
  access-list 115 permit ip 192.168.35.0 0.0.0.255 host 68.216.168.18

But, I think you want to have a complete VPN tunnel to the private network on the other side of the PIX, no?  Then (inside pix lan = 192.168.168.0 for example)
  access-list 115 permit ip 192.168.35.0 0.0.0.255 192.168.168.0 0.0.0.255

AND, you need to deal with nat using a route-map

  access-list 116 deny ip 192.168.35.0 0.0.0.255 192.168.168.0 0.0.0.255
  access-list 116 permit ip 192.168.35.0 0.0.0.255 any
!
  route-map nonat permit 10
  match address 116
!
 no ip nat inside source list 1 pool aimsrouter-natpool-1 overload
 ip nat inside source route-map nonat pool aimsrouter-natpool-1 overload

AND, we'll need to see the PIX side if you're still having problems.
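The two fixes in the accepted answer (a crypto ACL written with a proper inverse mask, and an ACL-driven route-map that exempts tunnel traffic from NAT) are easy to get subtly wrong, so here is an added example, not code from the original poster or from lrmoore, that models IOS wildcard-mask matching in Python and evaluates the posted ACL 115, the corrected ACL 115 and the NAT-exemption ACL 116 against a few constructed flows. It assumes, as the answer does, that 192.168.168.0/24 stands in for the LAN behind the PIX, and it deliberately ignores protocol and port fields (every entry on this page is `permit ip` or `deny ip`).

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": every bit is don't-care


def wildcard_from_mask(mask: str) -> str:
    """Turn a subnet mask into the inverse (wildcard) mask an IOS ACL expects.

    255.255.255.0 -> 0.0.0.255. Writing the subnet mask itself, as ACL 115 in
    the thread does, silently inverts the meaning of every bit.
    """
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation of (action, src, src_wc, dst, dst_wc) entries.

    Simplified model: only IP source/destination are checked (no protocol or
    ports), and a packet that matches nothing hits the implicit deny.
    """
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


# ACL 115 exactly as posted: a subnet mask used where a wildcard belongs.
ACL115_AS_POSTED = [("permit", "0.0.0.0", "255.255.255.0", "68.216.168.18", "0.0.0.0")]

# Crypto ACL from the accepted answer. 192.168.168.0/24 is the answer's
# placeholder for the LAN behind the PIX (an assumption, not the real site).
ACL115_FIXED = [("permit", "192.168.35.0", "0.0.0.255", "192.168.168.0", "0.0.0.255")]

# NAT-exemption ACL 116 behind "route-map nonat": deny = do not translate.
ACL116_NONAT = [
    ("deny", "192.168.35.0", "0.0.0.255", "192.168.168.0", "0.0.0.255"),
    ("permit", "192.168.35.0", "0.0.0.255", *ANY),
]


def classify(src: str, dst: str):
    """What the corrected router does with a packet: (encrypt_via_tunnel, apply_nat)."""
    encrypt = acl_lookup(ACL115_FIXED, src, dst) == "permit"
    nat = acl_lookup(ACL116_NONAT, src, dst) == "permit"
    return encrypt, nat


if __name__ == "__main__":
    # Constructed sample flows: an inside host talking to the PIX LAN and to the Internet.
    for src, dst in [("192.168.35.10", "192.168.168.5"), ("192.168.35.10", "198.51.100.7")]:
        print(src, "->", dst,
              "| as-posted ACL 115:", acl_lookup(ACL115_AS_POSTED, src, dst),
              "| fixed: encrypt=%s nat=%s" % classify(src, dst))
```

Running it shows why the posted ACL 115 never selects the office traffic for encryption: a wildcard of 255.255.255.0 makes the first three octets don't-care and forces the last octet to match 0, so only hosts like 192.168.35.0 (or 10.0.0.0) would ever be "interesting traffic", while a real host such as 192.168.35.10 falls through to the implicit deny. With the corrected ACLs, a packet to the PIX LAN is encrypted and not translated, a packet to the Internet is translated and not encrypted, and a packet from outside 192.168.35.0/24 gets neither. Two practitioner caveats on the posted config that the thread does not raise: the ISAKMP pre-shared key appears in clear text and the `password 7` strings are reversible with public tools, so treat any copy of this config as sensitive; and `esp-des` is single DES, which should be replaced with a stronger transform where both peers support it.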
