cescentman (United Kingdom of Great Britain and Northern Ireland) asked:
Establishing VPN using Cisco Pix-515E

I am a complete Newbie when it comes to using the PIX.

Cisco PIX-515E-R-BUN, Software Version 7.0(4)
Cisco ASDM 5.0(4)
Cisco VPN Client Version 4.8.02.0010, Windows

I need help in establishing a VPN connection. I have followed the VPN Wizard and configured a Tunnel Group called SSLStaff of type ipsec-ra. It has its own Group Policy, also called SSLStaff, which is internal and whose protocol is inherited. I have created a local user called SSLStaff01.

When I connect I get the challenge for username and password. On entering these I rapidly get disconnected. On the PIX I get the log entries below. Can anyone help me work out what I am doing wrong or have failed to do?

----------------------------------------------------------------------------------------------------------

5|Apr 04 2007 04:20:54|713904: IP = 86.34.122.100, Received encrypted packet with no matching SA, dropping
4|Apr 04 2007 04:20:54|113019: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Apr 04 2007 04:20:54|713902: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Removing peer from correlator table failed, no match!
3|Apr 04 2007 04:20:54|713902: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, QM FSM error (P2 struct &0x1d31010, mess id 0x74d10662)!
3|Apr 04 2007 04:20:54|713061: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.33.140/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
3|Apr 04 2007 04:20:54|713119: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, PHASE 1 COMPLETED
6|Apr 04 2007 04:20:54|713228: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Assigned private IP address 10.0.33.140 to remote user
6|Apr 04 2007 04:20:54|713184: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Client Type: WinNT  Client Application Version: 4.8.02.0010
5|Apr 04 2007 04:20:54|713131: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Received unknown transaction mode attribute: 28683
5|Apr 04 2007 04:20:54|713130: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Received unsupported transaction mode attribute: 5
6|Apr 04 2007 04:20:50|713172: Group = SSLStaff01, IP = 86.34.122.100, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
6|Apr 04 2007 04:20:50|302015: Built inbound UDP connection 92318 for outside:86.34.122.100/63280 (86.34.122.100/63280) to NP Identity Ifc:217.10.129.40/4500 (217.10.129.40/4500)
6|Apr 04 2007 04:20:50|302015: Built inbound UDP connection 92317 for outside:86.34.122.100/63279 (86.34.122.100/63279) to NP Identity Ifc:217.10.129.40/500 (217.10.129.40/500)
Sorenson (United States of America):
Please post a sanitized config of the pix.
cescentman (ASKER):
How do I do this?
Telnet to the PIX and get into enable mode:

enable (enter)

Type show run and capture the output to a text file.

Remove passwords, and change IP addresses as you see necessary.
Or if you are using the PDM, I believe you can download the config to a text file. Not sure exactly, but if you have an option under File to show running-config in a new window, etc., you can copy and paste that as well.
Thanks for such speedy responses.

asdm image flash:/asdm-504.bin
asdm location 10.3.27.0 255.255.255.0 inside
asdm location 217.10.128.128 255.255.255.128 outside
asdm location OurServer01 255.255.255.255 inside
asdm location OurServer02 255.255.255.255 inside
asdm location OurServerGW01 255.255.255.255 inside
asdm location OurDC 255.255.255.255 inside
asdm location OurServer03 255.255.255.255 inside
asdm location 244.152.10.27 255.255.255.255 outside
asdm location 244.152.10.26 255.255.255.255 outside
asdm location 244.152.10.28 255.255.255.255 outside
asdm location 244.152.10.29 255.255.255.255 outside
asdm location 244.152.10.37 255.255.255.255 outside
asdm location 244.152.10.38 255.255.255.255 outside
asdm location CMSMac 255.255.255.255 inside
asdm location OurServerApp01 255.255.255.255 inside
asdm location VMDC 255.255.255.255 inside
asdm location OurServer04 255.255.255.255 inside
asdm location mysql01 255.255.255.255 inside
asdm location 10.3.27.9 255.255.255.255 inside
asdm history enable
: Saved
:
PIX Version 7.0(4)
!
hostname pix
domain-name mydomain.com
enable password Vg3sdcbY24Vs546Y1p encrypted
names
name 10.3.27.27 OurServer01
name 10.3.27.28 OurServer02
name 10.3.27.29 OurServerGW01
name 10.3.27.37 OurDC
name 10.3.27.38 OurServer03
name 10.3.27.39 CMSMac
name 217.10.128.170 HostCo
name 10.3.27.91 OurServerApp01
name 10.3.27.26 VMDC
name 10.3.27.74 OurServer04
name 10.3.27.40 mysql01
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 244.152.10.40 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.3.27.1 255.255.255.0
!
passwd Vg3XxN79JHYVsY1p encrypted
boot system flash:/image.bin
ftp mode passive
access-list acl_outside extended permit icmp any any
access-list acl_outside extended permit tcp any host 244.152.10.29 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.26 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.28 eq 3306
access-list acl_outside extended permit tcp any host 244.152.10.37 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.38 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.24 eq 1801
access-list acl_outside extended permit udp any host 244.152.10.24 eq 1801
access-list acl_outside extended permit udp any host 244.152.10.24 eq 3527
access-list acl_outside extended permit tcp any host 244.152.10.24 eq 3389
access-list acl_outside extended permit tcp any host 244.152.10.27 eq www
access-list acl_outside extended permit tcp any host 244.152.10.27 eq https
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.134.0 255.255.255.0
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.156.0 255.255.252.0
access-list acl_umis extended permit ip 10.3.27.0 255.255.255.0 151.133.160.0 255.255.240.0
access-list acl_umis extended permit ip host OurServerApp01 10.3.27.128 255.255.255.224
access-list outside_cryptomap_dyn_20 extended permit ip host OurServerApp01 10.3.27.128 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPool01 10.3.27.140-10.3.27.149 mask 255.255.255.255
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm-504.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_umis
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 244.152.10.29 OurServer03 netmask 255.255.255.255
static (inside,outside) 244.152.10.26 OurServerApp01 netmask 255.255.255.255
static (inside,outside) 244.152.10.38 OurServer04 netmask 255.255.255.255
static (inside,outside) 244.152.10.37 OurDC netmask 255.255.255.255
static (inside,outside) 244.152.10.24 10.3.27.9 netmask 255.255.255.255
static (inside,outside) 244.152.10.28 mysql01 netmask 255.255.255.255
static (inside,outside) 244.152.10.27 10.3.27.11 netmask 255.255.255.255
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 244.152.10.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy SSLStaff internal
username admin password /p.HD5sqxnbve12225272rvug encrypted privilege 15
username HostCosupport password O0Cqxv2030407587swenbvxhIED encrypted privilege 15
username SSLRemote01 password 48C5/lUsuq315281xvqwe426vuxvqtq/ encrypted privilege 15
username SSLRemote01 attributes
 vpn-group-policy SSLStaff
http server enable
http 217.10.128.128 255.255.255.128 outside
http 192.168.1.0 255.255.255.0 inside
http 10.3.27.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map socsoft 10 match address acl_umis
crypto map socsoft 10 set pfs
crypto map socsoft 10 set peer 151.213.220.249
crypto map socsoft 10 set transform-set esp-3des-md5
crypto map socsoft 10 set security-association lifetime seconds 3600
crypto map socsoft 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map socsoft interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20
tunnel-group 151.213.220.249 type ipsec-l2l
tunnel-group 151.213.220.249 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20
tunnel-group SSLStaff01 type ipsec-ra
tunnel-group SSLStaff01 general-attributes
 address-pool VPNPool01
 default-group-policy SSLStaff01
tunnel-group SSLStaff01 ipsec-attributes
 pre-shared-key *
telnet 217.10.128.128 255.255.255.128 outside
telnet OurDC 255.255.255.255 inside
telnet OurServerApp01 255.255.255.255 inside
telnet 10.3.27.191 255.255.255.255 inside
telnet timeout 5
ssh 217.10.128.128 255.255.255.128 outside
ssh OurDC 255.255.255.255 inside
ssh timeout 60
ssh version 1
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server inside OurDC /pix
ssl encryption des-sha1 rc4-md5
Cryptochecksum:ba8df0alamftwmbcd6244474398fskbf814466aeb2d1138eca
: end

You are trying to configure a client vpn into this pix correct?  I see you already have a point to point vpn configured on this pix.
Yes, that was configured by my predecessor. I am now trying to add a remote connection for a number of staff.
Have you had any further thoughts on where I might be going wrong?
Hmm, puzzled by the sudden silence; have I done something to offend?
Sorry. I am out of contact for a few days. I will be back on Monday. Sorry for the lack of replies.
Brilliant, I hope you didn't think I was pushing too much. I will wait patiently.
To create the VPN access for the client I would suggest using the VPN wizard within the ASDM. Before you do that, I would clean up a few things. The wizard will do this if started from the beginning; however, you are part way through the configuration, so it would be easiest to clean it up from the command line.

The ip local pool should be a group of addresses that are not currently utilized on the inside network.

!
no ip local pool VPNPool01 10.3.27.140-10.3.27.149 mask 255.255.255.255
ip local pool VPNPool01 192.168.27.1-192.168.27.254
!

Next, the nat (0) access-list will need to be appended to allow the VPN traffic:

!
access-list acl_umis permit ip 10.3.27.0 255.255.255.0 192.168.27.0 255.255.255.0
!

Then create the split tunnel list (if you want the VPN users to be able to access the internet while connected):

!
access-list SSLStaff-Split permit ip 10.3.27.0 255.255.255.0 192.168.27.0 255.255.255.0
!

Next you need to clean up the attributes for your VPN group.

!
group-policy SSLStaff attributes
 dns-server value x.x.x.x                (your internal DNS servers)
 default-domain value xxxxxx.xxx         (your internal DNS name (AD?))
 wins-server value x.x.x.x               (internal WINS server, if used)
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLStaff-Split
!

Let's see if that does it for you.
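A check a defender can run on the posted log and config, added here as an example and not part of the thread: it pulls the proxy identities the client proposed from the 713061 line and tests whether any entry of the ACL the dynamic map matches on (outside_cryptomap_dyn_20, with OurServerApp01 resolved from the config's name line) covers both of them. The log and the config were sanitised with different addresses, so the log's 10.0.33.140 is used as-is.

```python
import ipaddress
import re

# Constructed sample: two syslog lines from the question (newest first, as the PIX lists them).
SAMPLE_LOG = [
    "4|Apr 04 2007 04:20:54|113019: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found",
    "3|Apr 04 2007 04:20:54|713061: Group = SSLStaff01, Username = SSLRemote01, IP = 86.34.122.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.33.140/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
]
# The ACL bound to the dynamic map in the posted config, OurServerApp01 resolved via its 'name' line:
# access-list outside_cryptomap_dyn_20 extended permit ip host OurServerApp01 10.3.27.128 255.255.255.224
DYN_MAP_ACL = [("10.3.27.91/255.255.255.255", "10.3.27.128/255.255.255.224")]

PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")


def net(addr_mask):
    """'a.b.c.d/m.m.m.m' -> ip_network; strict=False tolerates host bits in the address."""
    return ipaddress.ip_network(addr_mask, strict=False)


def parse_proxies(log_lines):
    """(remote_proxy, local_proxy) from the first %PIX-3-713061 line, or None if absent."""
    for line in log_lines:
        m = PROXY_RE.search(line) if "|713061:" in line else None
        if m:
            return net(f"{m[1]}/{m[2]}"), net(f"{m[3]}/{m[4]}")
    return None


def acl_covers(acl, remote_proxy, local_proxy):
    """Crypto ACL entries are written from the PIX side: src = local network,
    dst = remote network. Both proposed proxies must fit inside one entry."""
    return any(local_proxy.subnet_of(net(src)) and remote_proxy.subnet_of(net(dst))
               for src, dst in acl)


def diagnose(log_lines, acl):
    proxies = parse_proxies(log_lines)
    if proxies is None:
        return "no 713061 rejection in log"
    remote, local = proxies
    if acl_covers(acl, remote, local):
        return "proxies fit the crypto ACL; the crypto map is not the problem"
    return (f"client proposed local {local} <-> remote {remote}; no entry of the "
            "dynamic map's 'match address' ACL covers both, so the PIX drops the SA")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, DYN_MAP_ACL))
```

A client with no split tunnel proposes 0.0.0.0/0 as the local side, so a dynamic map whose match address ACL names specific inside hosts can never match it; a dynamic map with no match address accepts the proxies the client proposes.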
Brilliant, many thanks. I will try this. There is one thing nagging at me: there isn't an obvious way of backing up the config and saving it elsewhere. Could you advise how I do this before I try the changes, just in case ...?
ASKER CERTIFIED SOLUTION
Sorenson
Thanks for the helpful reply; will get back to you the soonest.
Getting very behind on this. However, got Kiwi CatTools and set them up; excellent tool. Many thanks. I won't forget to get back to this.
I have still to complete this but haven't forgotten. To be honest, I have been fighting shy of trying it until I know I have a window where it won't disrupt services if I get it wrong. I have planned this for the middle weekend of this month and will be back to you after this. Thanks for your patience.
I'm sorry I missed this; I am unsure how it happened as I have kept up with all my other tickets. I am very happy that the points were allocated to Sorenson.

Apologies Sorenson, and thanks for your help.