blin2000
asked on
VPN Client not connected error
I set up a Cisco PIX 515 in my lab to test IPSec VPN. The PIX is behind a Linksys WRTP54G router and UDP port 500 is open. I can establish the VPN in the LAN, but I get a "not connected" error if I test it from a remote office that is behind another PIX 515E. I am not sure whether the problem is the Linksys router or the PIX in the office. Any suggestions?
The lab PIX configuration can be found here, http://www.howtonetworking.com/cisco/pixvpnsample.htm
Here is the VPN client log.
Cisco Systems VPN Client Version 4.6.01.0019
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
1 09:58:38.469 05/26/06 Sev=Info/4 CM/0x63100002
Begin connection process
2 09:58:38.979 05/26/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
3 09:58:38.979 05/26/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 09:58:38.979 05/26/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "chicagotech.net"
5 09:58:40.247 05/26/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.246.
6 09:58:40.557 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.246
7 09:58:40.587 05/26/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 09:58:40.587 05/26/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 09:58:40.947 05/26/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.246
10 09:58:40.947 05/26/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from x.x.x.246
11 09:58:40.947 05/26/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
12 09:58:40.947 05/26/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD
13 09:58:40.947 05/26/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 09:58:40.947 05/26/06 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
15 09:58:40.947 05/26/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 09:58:40.977 05/26/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 09:58:40.977 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.246
18 09:58:40.997 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 09:58:40.997 05/26/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
20 09:58:40.997 05/26/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device
21 09:58:40.997 05/26/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 09:58:40.997 05/26/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
23 09:58:41.566 05/26/06 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
24 09:58:41.566 05/26/06 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).
25 09:58:41.566 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.246
26 09:58:46.860 05/26/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
27 09:58:46.860 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246
28 09:58:51.305 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
29 09:58:52.304 05/26/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
30 09:58:52.304 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246
31 09:58:55.900 05/26/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.246
32 09:58:55.900 05/26/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from x.x.x.246
33 09:58:55.900 05/26/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34 09:58:55.900 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to x.x.x.246
35 09:58:57.798 05/26/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 09:58:57.798 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246
37 09:59:01.793 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 09:59:03.291 05/26/06 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=442F0A75
39 09:59:03.291 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to x.x.x.246
40 09:59:03.291 05/26/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to x.x.x.246, our seq# = 2226793716
41 09:59:03.341 05/26/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED
42 09:59:03.341 05/26/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.246
43 09:59:06.787 05/26/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED
44 09:59:06.787 05/26/06 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED ". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
45 09:59:06.797 05/26/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
46 09:59:06.807 05/26/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
47 09:59:06.937 05/26/06 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
48 09:59:07.297 05/26/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
49 09:59:07.297 05/26/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
50 09:59:07.297 05/26/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
51 09:59:07.297 05/26/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
ASKER CERTIFIED SOLUTION
If you only open up UDP 500, then you only have half of the requirement. UDP 4500 is required for the data.
If you have sysopt connect permit-ipsec, then you don't need any access-lists unless you have an outbound acl applied to the inside interface.
Client pool is in different subnet than the internal LAN? Client PC's local LAN subnet is different from remote subnet through the VPN tunnel?
Systems that you want to access have their default gateway pointed to the PIX?
If you want to post your config, I'll take a look at it.
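The "only UDP 500 is open" diagnosis can be read straight off the posted log, and the script below is an added example (not code from the thread) that does so mechanically. The client prints the IKE port it switched to in hex, and 0x1194 is 4500 decimal, so NAT-T had already moved IKE off UDP 500 when "Established Phase 1 SA" was logged; everything after that (the Mode Config TRANS exchange) goes unanswered, and the PIX's retransmission of its own Aggressive Mode reply ("RECEIVING <<< ISAKMP OAK AG (Retransmission)") is consistent with it never having received anything on UDP 4500. The excerpt is taken from the log posted above; the second, short log is constructed as a control case.

```python
"""Triage a Cisco VPN Client 4.x log for the "Phase 1 up, then silence" pattern.

Added example, not code from the thread. It walks the message lines of the
log format pasted in the question and records whether Phase 1 completed,
what NAT-T detected, which UDP port IKE moved to (hex in the log; 0x1194 is
4500 decimal) and whether the post-Phase-1 exchange died in retransmissions.
"""
import re
from dataclasses import dataclass
from typing import Optional

PORT_RE = re.compile(
    r"IKE Port in use - Local Port = 0x([0-9A-Fa-f]+), Remote Port = 0x([0-9A-Fa-f]+)"
)


@dataclass
class Triage:
    phase1: bool = False
    local_nat: bool = False
    remote_nat: bool = False
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    retransmissions: int = 0        # our own "Retransmitting last packet!" lines
    peer_retx_phase1: bool = False  # peer re-sent its AG reply after we declared Phase 1 done
    phase2_exceeded: bool = False
    neg_failed: bool = False

    def verdict(self) -> str:
        if not self.phase1:
            return ("Phase 1 never completed: check UDP 500 reachability, "
                    "the isakmp policy and the vpngroup password")
        failed_after_phase1 = self.phase2_exceeded or self.neg_failed or self.peer_retx_phase1
        if self.remote_port == 4500 and failed_after_phase1:
            return ("Phase 1 completed, then the exchange timed out after NAT-T moved IKE "
                    "to UDP 4500: forward UDP 4500 to the PIX as well as UDP 500")
        if failed_after_phase1:
            return ("Phase 1 completed but Phase 2 failed on UDP 500: "
                    "check transform sets, the nat 0 ACL and the client pool")
        return "no failure pattern recognised"


def triage(log: str) -> Triage:
    """Scan message lines; the '<n> <time> <date> Sev=... <module>/<code>' headers match nothing."""
    t = Triage()
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Established Phase 1 SA"):
            t.phase1 = True
        elif line == "This end IS behind a NAT device":
            t.local_nat = True
        elif line == "Remote end IS behind a NAT device":
            t.remote_nat = True
        elif line.startswith("Retransmitting last packet"):
            t.retransmissions += 1
        elif line.startswith("RECEIVING <<< ISAKMP OAK AG (Retransmission)") and t.phase1:
            t.peer_retx_phase1 = True
        elif line.startswith("Phase-2 retransmission count exceeded"):
            t.phase2_exceeded = True
        elif "DEL_REASON_IKE_NEG_FAILED" in line:
            t.neg_failed = True
        m = PORT_RE.search(line)
        if m:
            t.local_port = int(m.group(1), 16)
            t.remote_port = int(m.group(2), 16)
    return t


# Excerpt of the log posted in the question (a few header lines kept to show they are ignored).
POSTED_LOG = """\
19 09:58:40.997 05/26/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
20 09:58:40.997 05/26/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device
21 09:58:40.997 05/26/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.246
Retransmitting last packet!
Retransmitting last packet!
RECEIVING <<< ISAKMP OAK AG (Retransmission) from x.x.x.246
Retransmitting last packet!
Retransmitting last packet!
Phase-2 retransmission count exceeded: MsgID=442F0A75
Marking IKE SA for deletion (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Constructed control case (not from the page): the client never hears back on UDP 500.
NO_PHASE1_LOG = """\
Attempting to establish a connection with 192.0.2.1.
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth)) to 192.0.2.1
Retransmitting last packet!
Retransmitting last packet!
"""

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("no-phase1", NO_PHASE1_LOG)):
        t = triage(log)
        print(f"{name}: port={t.remote_port} nat={t.local_nat}/{t.remote_nat} "
              f"retx={t.retransmissions} -> {t.verdict()}")
```

The same check can be made without any script: Phase 1 reported up, "IKE Port in use ... 0x1194", and then nothing but retransmissions until DEL_REASON_IKE_NEG_FAILED means the path for UDP 4500 is what needs fixing, not the crypto settings.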
Does the WRTP54G support IPSec? The WRT54G is supposed to, but the only mention of IPSec in the WRTP54G manual or spec sheet was in the appendix, which seems to be somewhat universal. Also, the normal Firewall/Security/enable IPSec option doesn't seem to exist in the manual. lrmoore is far more aware of any implications this may have on the Cisco client than I, but I thought I would point it out.
Perhaps try by-passing the router and connecting directly to the modem as a test.
ASKER
Here is the configuration.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname CHICAGOTECH
domain-name chicagotech.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.254.2 chicagotech
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 192.168.10.253 eq 3389
access-list outside_inbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 any
access-list 10 permit 192.168.10.0 255.255.255.0
access-list 192_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging on
logging trap errors
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.254 255.255.255.0
ip address inside 172.16.254.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 172pool 172.16.10.1-172.16.10.9
pdm location chicagotech 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 2 192.168.10.250-192.168.10.253
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.10.253 chicagotech netmask 255.255.255.255 0 0
static (inside,outside) 192.168.10.111 172.16.254.1 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 600 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 192 address-pool 172pool
vpngroup 192 dns-server 4.2.2.1
vpngroup 192 split-tunnel 192_splitTunnelAcl
vpngroup 192 idle-time 1800
vpngroup 192 password ********
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
These lines represent part of the problem:
\\-- VPN client address pool is in same subnet as the inside LAN - not recommended
ip address inside 172.16.254.1 255.255.0.0
ip local pool 172pool 172.16.10.1-172.16.10.9
\\-- Acls should reference inside LAN to IP Pool subnet, and should not have "any" in them - they don't
access-list outside_inbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 any
access-list 192_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
Recommended:
\\-- IP pool in totally different subnet
ip local pool 172pool 172.17.10.1-172.17.10.9
no access-list outside_inbound_nat0_acl
no access-list 192_splitTunnelAcl
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.10.0 255.255.255.240
access-list SplitTunnel permit ip 172.16.0.0 255.255.0.0 172.17.10.0 255.255.255.240
no nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (outside) 0 access-list inside_outbound_nat0_acl outside
vpngroup 192 split-tunnel SplitTunnel
BTW:
>vpngroup 192 dns-server 4.2.2.1
If you're not going to give the VPN client an internal DNS IP address, then don't give them anything
no vpngroup 192 dns-server 4.2.2.1
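The two checks in that answer (pool must not overlap the inside subnet; nat 0 and split-tunnel ACLs should describe inside-LAN-to-pool traffic, not "any") are easy to apply by hand to one config and easy to get wrong across many. The linter below is an added example, not code from the thread; it parses only the handful of PIX 6.x command forms that appear in the posted config and runs both checks against the posted lines and against the recommended replacement. Anything else in a real config is ignored.

```python
"""Lint the remote-access VPN part of a PIX 6.x config.

Added example; not code from the thread. It mechanises the two checks made
above: the client address pool must not sit inside the inside interface's
subnet, and the nat 0 / split-tunnel ACLs should name inside-LAN -> pool
traffic instead of "any". Only the command forms in the posted config are
parsed: ip address inside, ip local pool, access-list ... permit ip,
nat (outside) 0 access-list, vpngroup ... split-tunnel.
"""
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


def _ace_nets(tokens: List[str]) -> Tuple[Net, Net]:
    """Turn the source/destination part of a 'permit ip' ACE into two networks."""
    nets, i = [], 0
    while i < len(tokens) and len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ANY)
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(f"{tokens[i + 1]}/32"))
            i += 2
        else:  # address followed by a netmask
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False))
            i += 2
    return nets[0], nets[1]


def parse(config: str) -> dict:
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None, "split_acl": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", line):
            cfg["acls"].setdefault(m[1], []).append(_ace_nets(m[2].split()))
        elif m := re.match(r"nat \(outside\) 0 access-list (\S+)", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)$", line):
            cfg["split_acl"] = m[1]
    return cfg


def lint(config: str) -> List[str]:
    cfg = parse(config)
    inside, pools = cfg["inside"], cfg["pools"]
    findings = []
    for name, (lo, hi) in pools.items():
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {name} {lo}-{hi} overlaps inside subnet {inside}")
    for role in ("nat0_acl", "split_acl"):
        acl = cfg[role]
        if acl is None:
            findings.append(f"{role}: not configured")
            continue
        for src, dst in cfg["acls"].get(acl, []):
            if src == ANY or dst == ANY:
                findings.append(f"{role} {acl}: ACE uses 'any' ({src} -> {dst})")
                continue
            src_ok = inside is not None and src.subnet_of(inside)
            dst_ok = any(lo in dst and hi in dst for lo, hi in pools.values())
            if not (src_ok and dst_ok):
                findings.append(f"{role} {acl}: ACE {src} -> {dst} is not inside-LAN -> client-pool")
    return findings


# The relevant lines from the config posted in the thread.
BEFORE_CFG = """\
ip address inside 172.16.254.1 255.255.0.0
ip local pool 172pool 172.16.10.1-172.16.10.9
access-list outside_inbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 any
access-list 192_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
nat (outside) 0 access-list outside_inbound_nat0_acl outside
vpngroup 192 split-tunnel 192_splitTunnelAcl
"""

# The same lines after applying the recommendation above.
AFTER_CFG = """\
ip address inside 172.16.254.1 255.255.0.0
ip local pool 172pool 172.17.10.1-172.17.10.9
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.10.0 255.255.255.240
access-list SplitTunnel permit ip 172.16.0.0 255.255.0.0 172.17.10.0 255.255.255.240
nat (outside) 0 access-list inside_outbound_nat0_acl outside
vpngroup 192 split-tunnel SplitTunnel
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, lint(cfg) or "clean")
```

Note that the "not configured" finding for the nat 0 ACL matters on this platform: without nat 0 exempting inside-LAN-to-pool traffic, replies to VPN clients get translated by the `nat (inside) 1` / `global (outside) 1 interface` rule and never match the tunnel.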
ASKER
It works. Thank you very much.
ASKER
I already have isakmp nat-traversal 20. After opening UDP 500, it works. Thank you.
However, the VPN client can't ping the remote computers while remote computers can ping the VPN client. I think I need some access-list command, but what are they?