• Status: Solved
  • Priority: Medium
  • Security: Public

Remote Access VPN Setup on Pix 506

I'm trying to set up remote access VPN to my office. The Pix 506 is configured, and authenticates to an IAS/RADIUS server. It connects, but I see no receive packets. Any suggestions?
pix.txt
Asked by: flexxtx
 
tgtran commented:
Missing "access-group" for nonat
 
flexxtx (Author) commented:
Do I apply that as "access-group nonat in interface inside" or outside?
 
batry_boy commented:
You don't need to apply the "nonat" ACL to an interface.  It is used for NAT exemption and does not get applied to an interface.  You have it implemented correctly already.

I believe the problem is that you have the following static route in your configuration that you need to remove:

route inside 10.5.25.0 255.255.255.0 10.34.1.1 1

It's pointing the traffic going back to the VPN client pool to the inside router at 10.34.1.1.  Remove this by issuing the following command:

no route inside 10.5.25.0 255.255.255.0 10.34.1.1 1

See if that helps...
 
Voltz-dk commented:
I believe NAT exemption is applied to an interface, in this case inside - which is correct.  But I disagree that your NAT exemption is implemented correctly, unless you just want to use ICMP.

You should replace this:

access-list nonat permit ip 10.0.0.0 255.255.255.0 10.5.25.0 255.255.255.0
access-list nonat permit tcp 10.5.25.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list nonat permit tcp 10.5.25.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list nonat permit tcp 10.5.25.0 255.255.255.0 10.0.0.0 255.255.255.0 eq www
access-list nonat permit icmp 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0

With either (depending on how specific you need it):

access-list nonat permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0

Or

access-list nonat permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list nonat permit ip 10.21.8.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list nonat permit ip 10.34.0.0 255.255.248.0 10.5.25.0 255.255.255.0
---
You then say you have an IAS/RADIUS server, but you have only configured a TACACS+ server (which I don't think IAS supports), and you haven't configured the VPN to use either.
Assuming it's a "typo", change phxauth to use radius and then

crypto map phxmap client authentication phxauth
 
flexxtx (Author) commented:
Thanks for the input everyone. This is what I have now, and I'm now unable to connect. Please help...

ip address outside 67.133.191.129 255.255.255.240
ip address inside 10.34.1.254 255.255.255.0
ip local pool ahmvpn1 10.5.25.1-10.5.25.254
pdm history enable
arp timeout 14400
global (outside) 1 67.133.191.135
nat (inside) 0 access-list nonat
nat (inside) 1 10.34.0.0 255.255.248.0 0 0
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
static (inside,outside) 67.133.191.130 10.10.204.35 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server radius max-failed-attempts 3
aaa-server radius deadtime 10
aaa-server ahmauth protocol radius
aaa-server ahmauth max-failed-attempts 3
aaa-server ahmauth deadtime 10
aaa-server ahmauth (inside) host 10.10.250.47 corvette timeout 5
aaa authentication ssh console LOCAL
sysopt connection permit-ipsec
service resetinbound
service resetoutside
crypto ipsec transform-set ahmset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ahmset
crypto map ahmmap 10 ipsec-isakmp dynamic dynmap
crypto map ahmmap client configuration address initiate
crypto map ahmmap client authentication ahmauth
crypto map ahmmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ahmvpn address-pool ahmvpn1
vpngroup ahmvpn dns-server 10.10.250.16
vpngroup ahmvpn wins-server 10.10.250.16
vpngroup ahmvpn default-domain ahmsi.local
vpngroup ahmvpn split-tunnel nonat
vpngroup ahmvpn idle-time 3600
vpngroup ahmvpn password ********
******************************************
Error Message:
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:75.35.31.71, dest:67.133.191.129 spt:1955 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:75.35.31.71, dest:67.133.191.129 spt:1955 dpt:500
 
Voltz-dk commented:
It seems your client won't do DES, while that's the only proposal you have.  If you don't need DES for something else, then try to change that one to 3DES:

replace:
isakmp policy 10 encryption des
with:
isakmp policy 10 encryption 3des

If you do need the DES, then create another IKE policy with a different priority.
---
I hope you actually do have an access-list nonat to match:
nat (inside) 0 access-list nonat
??

A la my previous post :)
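
The proposal check behind this diagnosis, as an added example that is not part of anyone's post: it parses ISAKMP debug output in the format shown above and compares each offered transform with the configured `isakmp policy` lines. The sample debug is constructed (transform 10 is an assumed offer that the posted log does not show), the `DES-CBC` name and the treatment of the extended-auth variant as plain pre-share are assumptions, and the function names are made up here.

```python
import re

# "isakmp policy N encryption" keyword -> (cipher name, key length) as the debug prints them.
# DES-CBC is assumed by analogy with the 3DES-CBC / AES-CBC names in the posted log.
ENC = {"des": ("DES-CBC", None), "3des": ("3DES-CBC", None), "aes": ("AES-CBC", 128),
       "aes-192": ("AES-CBC", 192), "aes-256": ("AES-CBC", 256)}

def parse_offers(debug_text):
    """One dict per 'Checking ISAKMP transform N' block of the debug output."""
    offers, cur = [], None
    for line in debug_text.splitlines():
        start = re.search(r"Checking ISAKMP transform (\d+)", line)
        if start:
            cur = {"num": int(start.group(1)), "keylength": None}
            offers.append(cur)
            continue
        attr = re.match(r"\s*ISAKMP:\s+(.+)", line)
        if cur is None or not attr:
            continue
        words = attr.group(1).split()
        if words[0] in ("encryption", "hash"):
            cur[words[0]] = words[1]
        elif words[:2] == ["default", "group"]:
            cur["group"] = words[2]
        elif "auth" in words:  # "auth pre-share" or "extended auth pre-share (init)"
            cur["authentication"] = words[words.index("auth") + 1]
        elif words[0] == "keylength":
            cur["keylength"] = int(words[2])
    return offers

def parse_policies(config_text):
    """Map policy priority -> {attribute: value} from 'isakmp policy' lines."""
    policies = {}
    for prio, key, value in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", config_text, re.M):
        policies.setdefault(int(prio), {})[key] = value
    return policies

def first_match(debug_text, config_text):
    """(transform number, policy priority) of the first acceptable pair, else None.
    Lifetime is not compared."""
    policies = parse_policies(config_text)
    for offer in parse_offers(debug_text):
        for prio in sorted(policies):
            pol = policies[prio]
            ok = (offer.get("encryption"), offer["keylength"]) == ENC.get(pol.get("encryption"))
            if ok and all(offer.get(k, "").lower() == pol.get(k)
                          for k in ("hash", "group", "authentication")):
                return offer["num"], prio
    return None

# Constructed sample: transform 9 as in the posted log, transform 10 an assumed later offer.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
"""
# Policy 10 as posted (DES), and with the suggested change to 3DES.
POLICY_DES = "\n".join("isakmp policy 10 " + s for s in
                       ("authentication pre-share", "encryption des", "hash md5", "group 2"))
POLICY_3DES = POLICY_DES.replace("encryption des", "encryption 3des")
```

With the DES policy nothing matches; with 3DES the SHA offer (transform 9) is still rejected on the hash, and only an MD5 offer is accepted.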
 
flexxtx (Author) commented:
OK. Completely overhauled config and can now connect & get IP address from VPN pool. I don't get prompted when connecting, and I still can't ping any devices on network. Any ideas?

  PIX Version 6.3(5)115
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8tP/7rB0pB/GQqQA encrypted
passwd L5xsIS0CYJG3kB7O encrypted
hostname A-PIX-A
domain-name amxxxx.com
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 last Sun Nov 2:00
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network Irving2_Users
  network-object 10.34.0.0 255.255.248.0
  network-object 10.10.249.0 255.255.255.0
  network-object 10.10.248.0 255.255.255.0
  network-object 10.10.245.0 255.255.255.0
  network-object 10.10.246.0 255.255.255.0
  network-object 10.10.250.0 255.255.255.0
object-group service Internet_Access tcp-udp
  port-object eq 1
  port-object eq discard
  port-object eq 20
  port-object eq 21
  port-object eq 22
  port-object eq 23
  port-object eq 37
  port-object eq 43
  port-object eq domain
  port-object eq 62
  port-object eq 67
  port-object eq 73
  port-object eq www
  port-object eq 81
access-list acl_out permit udp host 67.133.191.145 host 67.133.191.130 eq syslog
access-list acl_out permit icmp any 67.133.191.128 255.255.255.240 echo-reply
access-list acl_out permit icmp any 67.133.191.128 255.255.255.240 unreachable
access-list acl_out permit icmp any 67.133.191.128 255.255.255.240 time-exceeded
access-list acl_out deny ip any any
access-list acl_in deny ip any 192.168.0.0 255.255.0.0
access-list acl_in remark - Deny outbound access to "poll.gotomypc.com"
access-list acl_in deny ip any host 66.151.158.177
access-list acl_in remark - Permit full outbound access for CSS proxy
access-list acl_in permit tcp host 10.34.3.31 any
access-list acl_in permit udp host 10.34.3.31 any
access-list acl_in permit tcp 10.10.0.0 255.255.0.0 host 67.133.191.145 eq telnet
access-list acl_in permit tcp object-group Irving2_Users any object-group Internet_Access
access-list acl_in permit udp object-group Irving2_Users any object-group Internet_Access
access-list acl_in remark - Allow outbound to GinnieNet
access-list acl_in permit tcp any host 160.254.60.14 eq 1200
access-list acl_in remark - Allow outbound snmp access to internet router
access-list acl_in permit udp host 10.10.204.22 host 67.133.191.145 eq snmp
access-list acl_in permit icmp host 10.10.204.22 any echo
access-list acl_in permit icmp object-group Irving2_Users any echo
access-list acl_in deny ip any any
access-list ahmvpn permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0
ip address outside 67.133.191.129 255.255.255.240
ip address inside 10.34.1.254 255.255.255.0
ip local pool vpnpool 10.5.25.1-10.5.25.254
pdm history enable
arp timeout 14400
global (outside) 1 67.133.191.135
nat (inside) 0 access-list ahmvpn
nat (inside) 1 10.34.0.0 255.255.248.0 0 0
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
static (inside,outside) 67.133.191.130 10.10.204.35 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ahmvpn protocol radius
aaa-server ahmvpn max-failed-attempts 3
aaa-server ahmvpn deadtime 10
aaa-server ahmvpn (inside) host 10.10.250.27 Humxxxx timeout 10
aaa authentication ssh console LOCAL
sysopt connection permit-ipsec
service resetinbound
service resetoutside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map dyn-map client authentication ahmvpn
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ahmvpn address-pool vpnpool
vpngroup ahmvpn dns-server 10.10.203.112
vpngroup ahmvpn wins-server 10.10.203.112
vpngroup ahmvpn default-domain americanhm.com
vpngroup ahmvpn idle-time 1800
vpngroup ahmvpn password ********
telnet timeout 5
 
flexxtx (Author) commented:
I'm connecting and pulling an IP from my VPN pool, but unable to ping/navigate anything. My gateway is showing as 10.0.0.1 255.0.0.0. Is it due to this statement?

access-list ahmvpn permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0
 
Voltz-dk commented:
You might wanna "divide & conquer" - simplify things.

Start by getting a basic VPN working, then local user auth and finally add the RADIUS.

Your authentication is already "disabled" because the map name is incorrect.
I personally like to have separate access-lists for different stuff, even if they end up identical.

access-l ahmvpn permit ip any 10.5.25.0 255.255.255.0
no access-list ahmvpn permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0
access-l nonat permit ip any 10.5.25.0 255.255.255.0
access-l split permit ip 10.0.0.0 255.0.0.0 any
no nat (inside) 0 access-list ahmvpn
nat (inside) 0 access-l nonat
vpngroup ahmvpn split-tunnel split

Now allow ping of inside interface over VPN:
management-access inside

And see if you can ping the PIX inside interface when connected.
---
If that works, then move on:
no crypto map dyn-map client authentication ahmvpn
crypto map mymap client authen LOCAL
username USER password PASS

And then see if you get xauth..
---
Now delete that user, and change LOCAL above to "ahmvpn" (which is a nasty name since we already used that..) You may just want to build on the RADIUS name :)
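
The three configuration slips raised in this thread (a `nat 0` or split-tunnel line naming an access-list that does not exist, Xauth set on a crypto map name that is not the one applied to an interface, and an inside route covering the VPN client pool), as a small offline check. This is an added example, not code from any poster; the function name and finding labels are made up here, and the sample combines lines quoted at different points in the thread.

```python
import ipaddress
import re

def lint_pix_vpn(config):
    """Return (label, config line) findings for a PIX 6.x remote-access VPN config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text = "\n".join(lines)
    acls = set(re.findall(r"^access-list (\S+) ", text, re.M))
    # crypto map name -> interface it is applied to (where the tunnels terminate)
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)", text, re.M))
    pool_addrs = [ipaddress.ip_address(a)
                  for pair in re.findall(r"^ip local pool \S+ (\S+)-(\S+)", text, re.M)
                  for a in pair]
    findings = []
    for l in lines:
        # ACL names used for NAT exemption, split tunnelling and crypto map matching
        ref = (re.match(r"nat \(\S+\) 0 access-list (\S+)", l)
               or re.match(r"vpngroup \S+ split-tunnel (\S+)", l)
               or re.match(r"crypto dynamic-map \S+ \d+ match address (\S+)", l))
        if ref and ref.group(1) not in acls:
            findings.append(("undefined-acl", l))
        # Xauth on a map name that is not applied to an interface has no effect
        m = re.match(r"crypto map (\S+) client authentication \S+", l)
        if m and m.group(1) not in bound:
            findings.append(("xauth-on-unapplied-map", l))
        # A route for the client pool via a non-tunnel interface pulls replies off the tunnel
        m = re.match(r"route (\S+) (\S+) (\S+) \S+", l)
        if m and bound and m.group(1) not in bound.values():
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if any(a in net for a in pool_addrs):
                findings.append(("pool-routed-off-tunnel", l))
    return findings

# Constructed sample: lines quoted at different points in the thread, combined.
BROKEN = """\
access-list ahmvpn permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0
ip local pool vpnpool 10.5.25.1-10.5.25.254
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.5.25.0 255.255.255.0 10.34.1.1 1
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map dyn-map client authentication ahmvpn
"""
# The same lines with the three problems corrected.
FIXED = (BROKEN.replace("access-list nonat", "access-list ahmvpn")
         .replace("route inside 10.5.25.0 255.255.255.0 10.34.1.1 1\n", "")
         .replace("crypto map dyn-map client", "crypto map mymap client"))

if __name__ == "__main__":
    for label, line in lint_pix_vpn(BROKEN):
        print(f"{label}: {line}")
```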
 
flexxtx (Author) commented:
Will give it a shot. Thank you...
 
flexxtx (Author) commented:
Here's what I have now. I can't ping my network (when logged in with local auth). With radius applied, I'm getting xauth failed...



 names
object-group network Irving2_Users
  network-object 10.34.0.0 255.255.248.0
  network-object 10.10.249.0 255.255.255.0
  network-object 10.10.248.0 255.255.255.0
  network-object 10.10.245.0 255.255.255.0
  network-object 10.10.246.0 255.255.255.0
  network-object 10.10.250.0 255.255.255.0
  network-object 10.5.25.0 255.255.255.0
access-list acl_out permit udp host 67.133.191.145 host 67.133.191.130 eq syslog
access-list acl_out permit icmp any 67.133.191.128 255.255.255.240 echo-reply
access-list acl_out permit icmp any 67.133.191.128 255.255.255.240 unreachable
access-list acl_out permit icmp any 67.133.191.128 255.255.255.240 time-exceeded
access-list acl_out permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list acl_out permit ip 10.34.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list acl_out deny ip any any
access-list acl_in deny ip any 192.168.0.0 255.255.0.0
access-list acl_in remark - Deny outbound access to "poll.gotomypc.com"
access-list acl_in deny ip any host 66.151.158.177
access-list acl_in remark - Permit full outbound access for CSS proxy
access-list acl_in permit tcp host 10.34.3.31 any
access-list acl_in permit udp host 10.34.3.31 any
access-list acl_in permit tcp 10.10.0.0 255.255.0.0 host 67.133.191.145 eq telnet
access-list acl_in permit tcp object-group Irving2_Users any object-group Internet_Access
access-list acl_in permit udp object-group Irving2_Users any object-group Internet_Access
access-list acl_in remark - Allow outbound to GinnieNet
access-list acl_in permit tcp any host 160.254.60.14 eq 1200
access-list acl_in remark - Allow outbound snmp access to internet router
access-list acl_in permit udp host 10.10.204.22 host 67.133.191.145 eq snmp
access-list acl_in permit icmp host 10.10.204.22 any echo
access-list acl_in permit icmp object-group Irving2_Users any echo
access-list acl_in deny ip any any
access-list vpnclients permit ip any 10.5.25.0 255.255.255.0
access-list nonat permit ip any 10.5.25.0 255.255.255.0
access-list split permit ip 10.0.0.0 255.0.0.0 any
ip address outside 67.133.191.129 255.255.255.240
ip address inside 10.34.1.254 255.255.255.0
ip local pool vpnpool 10.5.25.1-10.5.25.254
pdm history enable
arp timeout 14400
global (outside) 1 67.133.191.135
nat (inside) 0 access-list nonat
nat (inside) 1 10.34.0.0 255.255.248.0 0 0
nat (inside) 1 10.10.0.0 255.255.0.0 0 0
static (inside,outside) 67.133.191.130 10.10.204.35 netmask 255.255.255.255 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth max-failed-attempts 3
aaa-server vpnauth deadtime 10
aaa-server vpnauth (inside) host 10.10.250.27 Hxxxx timeout 10
aaa authentication ssh console LOCAL
crypto ipsec transform-set ahmset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set ahmset
crypto map ahmmap 20 ipsec-isakmp dynamic dynmap
crypto map ahmmap client authentication vpnauth
crypto map ahmmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ahmvpn address-pool vpnpool
vpngroup ahmvpn dns-server 10.10.203.112
vpngroup ahmvpn wins-server 10.10.203.112
vpngroup ahmvpn default-domain xxxxx.com
vpngroup ahmvpn split-tunnel split
vpngroup ahmvpn idle-time 1800
vpngroup ahmvpn password ********
management-access inside
 
Voltz-dk commented:
You shouldn't move on to RADIUS auth until it works with local - sounds like your RADIUS server needs work.

try adding:
crypto dynamic-map dynmap 20 match address vpnclients
sysopt connection permit-ipsec
(and please go back to local auth, until that works)
---
Here's the relevant parts of a working setup (with local auth):
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list VPNCLIENT_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool VPNPOOL 192.168.2.1-192.168.2.254
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNCLIENT address-pool VPNPOOL
vpngroup VPNCLIENT split-tunnel VPNCLIENT_splitTunnelAcl
vpngroup VPNCLIENT idle-time 1800
vpngroup VPNCLIENT password ********
management-access inside
username * password *
---
When the tunnel runs, you should be able to ping 10.34.1.254 (inside of PIX)