Problem with Cisco Pix 515e setting up VPN Remote access using Local Authentication

I had set up our PIX 515e for VPN remote access using local authentication through the command line. It worked well. I went to the HTML interface and chose to enable "split tunnel." Now it doesn't work. The VPN client seems to make an initial connection only to have it dropped.
Here is a show run:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password UcusuGDMEvSb9pxq encrypted
passwd UcusuGDMEvSb9pxq encrypted
hostname HQ
domain-name Server.com
clock timezone est 14
clock summer-time est recurring
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol ftp 6000
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.XX.xx.43 SERVER7_I
name 192.XX.XX.4 SERVER9_I
name 192.XX.XX.13 CONTRACT SERVER_I
name 192.XX.XX.46 BREEZE_I
name 192.XX.XX.253 PPTA2_I
name 192.XX.XX.12 IPCARD_I
name 192.XX.XX.9 DIFFERENT SERVER_I
name 192.XX.XX.8 DIFFERENT SERVER_PORTAL_I
name 192.XX.XX.3 SERVER10_I
name 192.XX.XX.21 DIFFERENT SERVER_ESI_I
name 192.XX.XX.7 SERVER8_I
name 67.92.105.242 SERVER8_E
name 80.1XX.247.162 SERVER9_E
name 80.1XX.247.163 SERVER7_E
name 80.1XX.247.170 CONTRACT SERVER_E
name 80.1XX.247.XX PPTA2_E
name 80.1XX.247.169 BREEZE_E
name 80.1XX.247.164 DIFFERENT SERVER_E
name 80.1XX.247.165 DIFFERENT SERVER_PORTAL_E
name 80.1XX.247.166 IPCARD_E
name 80.1XX.247.167 SERVER10_E
name 80.1XX.247.171 DIFFERENT SERVER_ESI_E
name 80.1XX.247.172 Servershare_E
name 192.XX.XX.38 Servershare_I
name 192.XX.XX.2 GFISMTP_I
name 80.1XX.247.1XX GFISMTP_E
name 192.XX.XX.40 DIFFERENT SERVERAdminftp_I
name 80.1XX.247.176 DIFFERENT SERVERAdminftp_E
name 80.1XX.247.178 Portal_E
name 192.XX.XX.39 Portal_I
name 192.XX.XX.248 Bugz_I
name 80.1XX.247.177 Bugz_E
name 192.XX.XX.241 COMPANY SERVER_Exchange_I
name 80.1XX.247.180 COMPANY SERVER_Exchange_E
name 192.XX.XX.31 Palconnect_I
name 80.1XX.247.179 Palconnect_E
name 192.XX.XX.198 Netmon_I
name 80.1XX.247.184 Netmon_E
name 192.XX.XX.237 abstinence_I
name 80.1XX.247.183 abstinence_E
name 80.1XX.247.185 devassoc_E
name 192.XX.XX.232 devassoc_I
name 192.XX.XX.197 RBM_I
name 80.1XX.247.186 RBM_E
name 192.XX.XX.32 Mentor_I
name 80.1XX.247.181 Mentor_E
name 192.XX.XX.250 HSRCServer_I
name 80.1XX.247.187 HSRCServer_E
access-list out_in permit tcp any host GFISMTP_E eq smtp
access-list out_in permit tcp any host GFISMTP_E eq www
access-list out_in permit tcp any host SERVER7_E eq pop3
access-list out_in permit tcp any host SERVER7_E eq 995
access-list out_in permit tcp any host SERVER7_E eq 135
access-list out_in permit tcp any host SERVER7_E eq imap4
access-list out_in permit tcp any host SERVER7_E eq www
access-list out_in permit tcp any host SERVER7_E eq 993
access-list out_in permit tcp any host SERVER7_E eq 465
access-list out_in permit tcp any host SERVER7_E eq https
access-list out_in permit tcp any host SERVER9_E eq www
access-list out_in permit tcp any host SERVER9_E eq https
access-list out_in permit tcp any host SERVER9_E eq ftp
access-list out_in permit tcp any host CONTRACT SERVER_E eq www
access-list out_in permit tcp any host CONTRACT SERVER_E eq ftp
access-list out_in permit tcp any host CONTRACT SERVER_E eq https
access-list out_in permit tcp any host CONTRACT SERVER_E eq 1935
access-list out_in permit tcp any host Palconnect_E eq 1935
access-list out_in permit tcp any host Palconnect_E eq https
access-list out_in permit tcp any host Palconnect_E eq www
access-list out_in permit tcp any host BREEZE_E eq www
access-list out_in permit tcp any host BREEZE_E eq https
access-list out_in permit tcp any host DIFFERENT SERVER_E eq www
access-list out_in permit tcp any host DIFFERENT SERVER_E eq ftp
access-list out_in permit tcp any host DIFFERENT SERVER_E eq smtp
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 9010
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 9080
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 1433
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 8010
access-list out_in permit tcp any host PPTA2_E eq www
access-list out_in permit tcp any host IPCARD_E eq www
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq www
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq ftp
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq 8010
access-list out_in permit tcp any host SERVER10_E eq pptp
access-list out_in permit gre any host SERVER10_E
access-list out_in permit tcp any host DIFFERENT SERVER_ESI_E eq ftp
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq smtp
access-list out_in permit tcp any host BREEZE_E eq 1935
access-list out_in permit tcp any host Servershare_E eq https
access-list out_in permit tcp any host SERVER9_E eq 9091
access-list out_in permit tcp any host SERVER9_E eq 5223
access-list out_in permit tcp any host SERVER7_E eq 6001
access-list out_in permit tcp any host SERVER7_E eq 6002
access-list out_in permit tcp any host SERVER7_E eq 6004
access-list out_in permit tcp any host GFISMTP_E eq https
access-list out_in permit tcp any host DIFFERENT SERVERAdminftp_E eq ftp
access-list out_in permit tcp any host SERVER7_E eq smtp
access-list out_in permit tcp any host Portal_E eq https
access-list out_in permit tcp any host Bugz_E eq www
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq smtp
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq 995
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq 135
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq imap4
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq www
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq 993
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq https
access-list out_in permit tcp any host COMPANY SERVER_Exchange_E eq 465
access-list out_in permit tcp any host Netmon_E eq 5901
access-list out_in permit tcp any host abstinence_E eq www
access-list out_in permit tcp any host abstinence_E eq ftp
access-list out_in permit tcp any host devassoc_E eq www
access-list out_in permit tcp any host RBM_E eq www
access-list out_in permit icmp any any
access-list out_in permit tcp any host CONTRACT SERVER_E eq 1433
access-list out_in permit tcp any host Mentor_E eq https
access-list out_in permit tcp any host Mentor_E eq www
access-list out_in permit tcp any host BREEZE_E eq ftp
access-list out_in permit tcp any host HSRCServer_E eq www
access-list out_in permit tcp any host HSRCServer_E eq ftp
access-list out_in permit tcp any host HSRCServer_E eq smtp
access-list out_in permit tcp any host HSRCServer_E eq 9010
access-list out_in permit tcp any host HSRCServer_E eq 9080
access-list out_in permit tcp any host HSRCServer_E eq 1433
access-list out_in permit tcp any host HSRCServer_E eq 8010
access-list out_in permit tcp any host GFISMTP_E eq pop3
access-list inside_outbound_nat0_acl permit ip 192.XX.XX.0 255.255.255.0 interface outside
access-list inside_outbound_nat0_acl permit ip 192.XX.XX.0 255.255.255.0 192.XX.XX.192 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.XX.XX.0 255.255.255.0 interface outside
pager lines 24
no logging message 106011
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 80.1XX.247.175 255.255.255.224
ip address inside 192.XX.XX.254 255.255.255.0
ip address intf2 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNIPPool 192.XX.XX.221-192.XX.XX.230
pdm location 192.XX.XX.19 255.255.255.255 inside
pdm location SERVER9_I 255.255.255.255 inside
pdm location DIFFERENT SERVER_PORTAL_I 255.255.255.255 inside
pdm location DIFFERENT SERVER_I 255.255.255.255 inside
pdm location IPCARD_I 255.255.255.255 inside
pdm location CONTRACT SERVER_I 255.255.255.255 inside
pdm location SERVER7_I 255.255.255.255 inside
pdm location BREEZE_I 255.255.255.255 inside
pdm location 192.XX.XX.176 255.255.255.255 inside
pdm location PPTA2_I 255.255.255.255 inside
pdm location SERVER10_I 255.255.255.255 inside
pdm location DIFFERENT SERVER_ESI_I 255.255.255.255 inside
pdm location DIFFERENT SERVERAdminftp_I 255.255.255.255 inside
pdm location SERVER8_I 255.255.255.255 inside
pdm location Servershare_I 255.255.255.255 inside
pdm location 192.XX.76.0 255.255.255.0 inside
pdm location GFISMTP_I 255.255.255.255 inside
pdm location Portal_I 255.255.255.255 inside
pdm location Bugz_I 255.255.255.255 inside
pdm location Palconnect_I 255.255.255.255 inside
pdm location Netmon_I 255.255.255.255 inside
pdm location COMPANY SERVER_Exchange_I 255.255.255.255 inside
pdm location XX.0.43.224 255.255.255.248 outside
pdm location XX.0.43.226 255.255.255.255 inside
pdm location abstinence_I 255.255.255.255 inside
pdm location XX.0.43.226 255.255.255.255 intf2
pdm location RBM_I 255.255.255.255 inside
pdm location devassoc_I 255.255.255.255 inside
pdm location Mentor_I 255.255.255.255 inside
pdm location HSRCServer_I 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp SERVER9_E www SERVER9_I www netmask 255.255.255.255 0 0
static (inside,outside) tcp SERVER9_E https SERVER9_I https netmask 255.255.255.255 0 0
static (inside,outside) tcp SERVER9_E ftp SERVER9_I ftp netmask 255.255.255.255 0 0
static (inside,outside) SERVER7_E SERVER7_I netmask 255.255.255.255 0 0
static (inside,outside) CONTRACT SERVER_E CONTRACT SERVER_I netmask 255.255.255.255 0 0
static (inside,outside) PPTA2_E PPTA2_I netmask 255.255.255.255 0 0
static (inside,outside) BREEZE_E BREEZE_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVER_E DIFFERENT SERVER_I netmask 255.255.255.255 0 0
static (inside,outside) IPCARD_E IPCARD_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVER_PORTAL_E DIFFERENT SERVER_PORTAL_I netmask 255.255.255.255 0 0
static (inside,outside) SERVER10_E SERVER10_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVER_ESI_E DIFFERENT SERVER_ESI_I netmask 255.255.255.255 0 0
static (inside,outside) Servershare_E Servershare_I netmask 255.255.255.255 0 0
static (inside,outside) GFISMTP_E GFISMTP_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVERAdminftp_E DIFFERENT SERVERAdminftp_I netmask 255.255.255.255 0 0
static (inside,outside) Portal_E Portal_I netmask 255.255.255.255 0 0
static (inside,outside) Bugz_E Bugz_I netmask 255.255.255.255 0 0
static (inside,outside) COMPANY SERVER_Exchange_E COMPANY SERVER_Exchange_I netmask 255.255.255.255 0 0
static (inside,outside) Palconnect_E Palconnect_I netmask 255.255.255.255 0 0
static (inside,outside) Netmon_E Netmon_I netmask 255.255.255.255 0 0
static (inside,outside) abstinence_E abstinence_I netmask 255.255.255.255 0 0
static (inside,outside) devassoc_E devassoc_I netmask 255.255.255.255 0 0
static (inside,outside) RBM_E RBM_I netmask 255.255.255.255 0 0
static (inside,outside) Mentor_E Mentor_I netmask 255.255.255.255 0 0
static (inside,outside) HSRCServer_E HSRCServer_I netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.1XX.247.161 1
route inside 192.XX.76.0 255.255.255.0 192.XX.XX.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http XX.0.43.224 255.255.255.248 outside
http 192.XX.XX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside SERVER10_I /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XX.0.43.226
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XX.0.43.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool VPNIPPool
vpngroup VPNGroup dns-server 192.XX.XX.37 192.XX.XX.41
vpngroup VPNGroup wins-server 192.XX.XX.41
vpngroup VPNGroup default-domain pal-tech.com
vpngroup VPNGroup split-tunnel outside_cryptomap_dyn_20
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.XX.XX.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
username xxxx  password 4PUTHS/76dHK24PO encrypted privilege 15
username xxxx password Zf8p55XQVKGdgkij encrypted privilege 5
username xxxx  password HvOTTC.gqE22sCzc encrypted privilege 15
terminal width 80
Cryptochecksum:1291493fa7ac70e73b28a7df6c8aaf49
: end
PTExpertAsked:

batry_boyCommented:
The ACL that you have referenced for your split tunneling is not correct.

access-list outside_cryptomap_20 permit ip 192.XX.XX.0 255.255.255.0 interface outside

The "interface outside" parameter at the end of the above ACL statement is what is wrong.  How do you want to implement split tunneling?  Just so the VPN client sends traffic for the internal networks only through the tunnel and then all other Internet traffic goes straight to the Internet from their remote location?  If this is correct, then try issuing the following commands to fix your issue:

access-list outside_cryptomap_20 permit ip 192.XX.XX.0 255.255.255.0 any
no access-list outside_cryptomap_20 permit ip 192.XX.XX.0 255.255.255.0 interface outside

where "192.XX.XX.0" is your internal LAN subnet address.
0
PTExpertAuthor Commented:
Thanks batry_boy,

I have added those lines and still can't log in to the VPN. After I put in my password it says it is trying to make a secure connection and then remains "not connected." When I try to go into the PDM I receive the following message:
"Access List outside_cryptomap_dyn_20 is applied to interface outside for IPSec traffic selection and VPN client group VPNGroup for split tunneling. PDM does not support multiple uses of a given Access Control List."

Thanks

Waldo

0
batry_boyCommented:
Try this:

no vpngroup VPNGroup split-tunnel outside_cryptomap_dyn_20
vpngroup VPNGroup split-tunnel outside_cryptomap_20

Notice the "dyn" is left out of the ACL you should be using for your split tunneling...
0
PTExpertAuthor Commented:
Hi Sage,

Still can't connect. When I log on to the VPN client, I get up to the user logon box. I put in the correct user and password. It starts to process; on the status line I read "securing Communication channel" and then "not connected." I am not sure what to do. I don't know where to look.

Here is a copy of my latest "show run"

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password UcusuGDMEvSb9pxq encrypted
passwd UcusuGDMEvSb9pxq encrypted
hostname HQ
domain-name SERVER.com
clock timezone est 14
clock summer-time est recurring
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol ftp 6000
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.XX..XX.43 SERVER7_I
name 192.XX..XX.4 SERVER9_I
name 192.XX..XX.13 XARTIS_I
name 192.XX..XX.46 BREEZE_I
name 192.XX..XX.253 PPTA2_I
name 192.XX..XX.12 IPCARD_I
name 192.XX..XX.9 DIFFERENT SERVER_I
name 192.XX..XX.8 DIFFERENT SERVER_PORTAL_I
name 192.XX..XX.3 SERVER10_I
name 192.XX..XX.21 DIFFERENT SERVER_ESI_I
name 192.XX..XX.7 SERVER8_I
name 67.92.105.242 SERVER8_E
name 72.72.247.162 SERVER9_E
name 72.72.247.163 SERVER7_E
name 72.72.247.170 XARTIS_E
name 72.72.247.XX. PPTA2_E
name 72.72.247.169 BREEZE_E
name 72.72.247.164 DIFFERENT SERVER_E
name 72.72.247.165 DIFFERENT SERVER_PORTAL_E
name 72.72.247.166 IPCARD_E
name 72.72.247.167 SERVER10_E
name 72.72.247.171 DIFFERENT SERVER_ESI_E
name 72.72.247.172 SERVERshare_E
name 192.XX..XX.38 SERVERshare_I
name 192.XX..XX.2 GFISMTP_I
name 72.72.247.174 GFISMTP_E
name 192.XX..XX.40 DIFFERENT SERVERAdminftp_I
name 72.72.247.176 DIFFERENT SERVERAdminftp_E
name 72.72.247.178 Portal_E
name 192.XX..XX.39 Portal_I
name 192.XX..XX.248 Bugz_I
name 72.72.247.177 Bugz_E
name 192.XX..XX.241 CONTRACT SERVER_Exchange_I
name 72.72.247.180 CONTRACT SERVER_Exchange_E
name 192.XX..XX.31 SERVCONNECT_I
name 72.72.247.179 SERVCONNECT_E
name 192.XX..XX.198 Netmon_I
name 72.72.247.184 Netmon_E
name 192.XX..XX.237 abstinence_I
name 72.72.247.183 abstinence_E
name 72.72.247.185 devassoc_E
name 192.XX..XX.232 devassoc_I
name 192.XX..XX.197 RBM_I
name 72.72.247.186 RBM_E
name 192.XX..XX.32 Mentor_I
name 72.72.247.181 Mentor_E
name 192.XX..XX.250 HSRCServer_I
name 72.72.247.187 HSRCServer_E
access-list out_in permit tcp any host GFISMTP_E eq smtp
access-list out_in permit tcp any host GFISMTP_E eq www
access-list out_in permit tcp any host SERVER7_E eq pop3
access-list out_in permit tcp any host SERVER7_E eq 995
access-list out_in permit tcp any host SERVER7_E eq 135
access-list out_in permit tcp any host SERVER7_E eq imap4
access-list out_in permit tcp any host SERVER7_E eq www
access-list out_in permit tcp any host SERVER7_E eq 993
access-list out_in permit tcp any host SERVER7_E eq 465
access-list out_in permit tcp any host SERVER7_E eq https
access-list out_in permit tcp any host SERVER9_E eq www
access-list out_in permit tcp any host SERVER9_E eq https
access-list out_in permit tcp any host SERVER9_E eq ftp
access-list out_in permit tcp any host XARTIS_E eq www
access-list out_in permit tcp any host XARTIS_E eq ftp
access-list out_in permit tcp any host XARTIS_E eq https
access-list out_in permit tcp any host XARTIS_E eq 1935
access-list out_in permit tcp any host SERVCONNECT_E eq 1935
access-list out_in permit tcp any host SERVCONNECT_E eq https
access-list out_in permit tcp any host SERVCONNECT_E eq www
access-list out_in permit tcp any host BREEZE_E eq www
access-list out_in permit tcp any host BREEZE_E eq https
access-list out_in permit tcp any host DIFFERENT SERVER_E eq www
access-list out_in permit tcp any host DIFFERENT SERVER_E eq ftp
access-list out_in permit tcp any host DIFFERENT SERVER_E eq smtp
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 9010
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 9080
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 1433
access-list out_in permit tcp any host DIFFERENT SERVER_E eq 8010
access-list out_in permit tcp any host PPTA2_E eq www
access-list out_in permit tcp any host IPCARD_E eq www
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq www
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq ftp
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq 8010
access-list out_in permit tcp any host SERVER10_E eq pptp
access-list out_in permit gre any host SERVER10_E
access-list out_in permit tcp any host DIFFERENT SERVER_ESI_E eq ftp
access-list out_in permit tcp any host DIFFERENT SERVER_PORTAL_E eq smtp
access-list out_in permit tcp any host BREEZE_E eq 1935
access-list out_in permit tcp any host SERVERshare_E eq https
access-list out_in permit tcp any host SERVER9_E eq 9091
access-list out_in permit tcp any host SERVER9_E eq 5223
access-list out_in permit tcp any host SERVER7_E eq 6001
access-list out_in permit tcp any host SERVER7_E eq 6002
access-list out_in permit tcp any host SERVER7_E eq 6004
access-list out_in permit tcp any host GFISMTP_E eq https
access-list out_in permit tcp any host DIFFERENT SERVERAdminftp_E eq ftp
access-list out_in permit tcp any host SERVER7_E eq smtp
access-list out_in permit tcp any host Portal_E eq https
access-list out_in permit tcp any host Bugz_E eq www
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq smtp
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq 995
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq 135
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq imap4
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq www
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq 993
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq https
access-list out_in permit tcp any host CONTRACT SERVER_Exchange_E eq 465
access-list out_in permit tcp any host Netmon_E eq 5901
access-list out_in permit tcp any host abstinence_E eq www
access-list out_in permit tcp any host abstinence_E eq ftp
access-list out_in permit tcp any host devassoc_E eq www
access-list out_in permit tcp any host RBM_E eq www
access-list out_in permit icmp any any
access-list out_in permit tcp any host XARTIS_E eq 1433
access-list out_in permit tcp any host Mentor_E eq https
access-list out_in permit tcp any host Mentor_E eq www
access-list out_in permit tcp any host BREEZE_E eq ftp
access-list out_in permit tcp any host HSRCServer_E eq www
access-list out_in permit tcp any host HSRCServer_E eq ftp
access-list out_in permit tcp any host HSRCServer_E eq smtp
access-list out_in permit tcp any host HSRCServer_E eq 9010
access-list out_in permit tcp any host HSRCServer_E eq 9080
access-list out_in permit tcp any host HSRCServer_E eq 1433
access-list out_in permit tcp any host HSRCServer_E eq 8010
access-list out_in permit tcp any host GFISMTP_E eq pop3
access-list inside_outbound_nat0_acl permit ip 192.XX..XX.0 255.255.255.0 interface outside
access-list inside_outbound_nat0_acl permit ip 192.XX..XX.0 255.255.255.0 192.XX..XX.192 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.XX..XX.0 255.255.255.0 any
pager lines 24
no logging message 106011
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 72.72.247.175 255.255.255.224
ip address inside 192.XX..XX.254 255.255.255.0
ip address intf2 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNIPPool 192.XX..XX.221-192.XX..XX.230
pdm location 192.XX..XX.19 255.255.255.255 inside
pdm location SERVER9_I 255.255.255.255 inside
pdm location DIFFERENT SERVER_PORTAL_I 255.255.255.255 inside
pdm location DIFFERENT SERVER_I 255.255.255.255 inside
pdm location IPCARD_I 255.255.255.255 inside
pdm location XARTIS_I 255.255.255.255 inside
pdm location SERVER7_I 255.255.255.255 inside
pdm location BREEZE_I 255.255.255.255 inside
pdm location 192.XX..XX.176 255.255.255.255 inside
pdm location PPTA2_I 255.255.255.255 inside
pdm location SERVER10_I 255.255.255.255 inside
pdm location DIFFERENT SERVER_ESI_I 255.255.255.255 inside
pdm location DIFFERENT SERVERAdminftp_I 255.255.255.255 inside
pdm location SERVER8_I 255.255.255.255 inside
pdm location SERVERshare_I 255.255.255.255 inside
pdm location 192..XX.76.0 255.255.255.0 inside
pdm location GFISMTP_I 255.255.255.255 inside
pdm location Portal_I 255.255.255.255 inside
pdm location Bugz_I 255.255.255.255 inside
pdm location SERVCONNECT_I 255.255.255.255 inside
pdm location Netmon_I 255.255.255.255 inside
pdm location CONTRACT SERVER_Exchange_I 255.255.255.255 inside
pdm location 74.0.43.224 255.255.255.248 outside
pdm location 74.0.43.226 255.255.255.255 inside
pdm location abstinence_I 255.255.255.255 inside
pdm location 74.0.43.226 255.255.255.255 intf2
pdm location RBM_I 255.255.255.255 inside
pdm location devassoc_I 255.255.255.255 inside
pdm location Mentor_I 255.255.255.255 inside
pdm location HSRCServer_I 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp SERVER9_E www SERVER9_I www netmask 255.255.255.255 0 0
static (inside,outside) tcp SERVER9_E https SERVER9_I https netmask 255.255.255.255 0 0
static (inside,outside) tcp SERVER9_E ftp SERVER9_I ftp netmask 255.255.255.255 0 0
static (inside,outside) SERVER7_E SERVER7_I netmask 255.255.255.255 0 0
static (inside,outside) XARTIS_E XARTIS_I netmask 255.255.255.255 0 0
static (inside,outside) PPTA2_E PPTA2_I netmask 255.255.255.255 0 0
static (inside,outside) BREEZE_E BREEZE_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVER_E DIFFERENT SERVER_I netmask 255.255.255.255 0 0
static (inside,outside) IPCARD_E IPCARD_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVER_PORTAL_E DIFFERENT SERVER_PORTAL_I netmask 255.255.255.255 0 0
static (inside,outside) SERVER10_E SERVER10_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVER_ESI_E DIFFERENT SERVER_ESI_I netmask 255.255.255.255 0 0
static (inside,outside) SERVERshare_E SERVERshare_I netmask 255.255.255.255 0 0
static (inside,outside) GFISMTP_E GFISMTP_I netmask 255.255.255.255 0 0
static (inside,outside) DIFFERENT SERVERAdminftp_E DIFFERENT SERVERAdminftp_I netmask 255.255.255.255 0 0
static (inside,outside) Portal_E Portal_I netmask 255.255.255.255 0 0
static (inside,outside) Bugz_E Bugz_I netmask 255.255.255.255 0 0
static (inside,outside) CONTRACT SERVER_Exchange_E CONTRACT SERVER_Exchange_I netmask 255.255.255.255 0 0
static (inside,outside) SERVCONNECT_E SERVCONNECT_I netmask 255.255.255.255 0 0
static (inside,outside) Netmon_E Netmon_I netmask 255.255.255.255 0 0
static (inside,outside) abstinence_E abstinence_I netmask 255.255.255.255 0 0
static (inside,outside) devassoc_E devassoc_I netmask 255.255.255.255 0 0
static (inside,outside) RBM_E RBM_I netmask 255.255.255.255 0 0
static (inside,outside) Mentor_E Mentor_I netmask 255.255.255.255 0 0
static (inside,outside) HSRCServer_E HSRCServer_I netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.72.247.161 1
route inside 192..XX.76.0 255.255.255.0 192.XX..XX.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 74.0.43.224 255.255.255.248 outside
http 192.XX..XX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside SERVER10_I /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 74.0.43.226
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 74.0.43.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool VPNIPPool
vpngroup VPNGroup dns-server 192.XX..XX.37 192.XX..XX.41
vpngroup VPNGroup wins-server 192.XX..XX.41
vpngroup VPNGroup default-domain pal-tech.com
vpngroup VPNGroup split-tunnel outside_cryptomap_20
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.XX.XX.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
username USER1 password 4PUTHS/76dHK24PO encrypted privilege 15
username USER2 password Zf8p55XQVKGdgkij encrypted privilege 5
username USER3 password HvOTTC.gqE22sCzc encrypted privilege 15
terminal width 80
Cryptochecksum:6ef0cee1e2f2edcddcb4b04b51d2369c
: end

Thanks

Waldo
0
batry_boyCommented:
Try this:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
isakmp nat-traversal
0
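As an added example (not code from this thread or from Cisco), a small Python checker that reads a PIX 6.3 style configuration and flags the four wiring faults the replies above turn on: an ACL referenced by a crypto map or a vpngroup split-tunnel but never defined (outside_cryptomap_dyn_20 in the posted show run), one ACL shared between IPsec traffic selection and split tunneling (the PDM error message), a split-tunnel entry ending in "interface outside" instead of "any", and a map pointing at a transform set that was never created. The two config excerpts are constructed with RFC 5737 addresses, and the fixed variant assumes that a dynamic crypto map used for remote-access clients needs no match address.

```python
"""Static checks for PIX 6.3 remote-access VPN / split-tunnel wiring (added example)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's "show run" (RFC 5737 addresses, not the real config).
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 192.0.2.192 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 interface outside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
vpngroup VPNGroup split-tunnel outside_cryptomap_20
"""

# Constructed corrected excerpt: dedicated split-tunnel ACL, defined transform set,
# no match address on the dynamic map (assumption: clients propose their own selectors).
FIXED_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list split_tunnel_acl permit ip 192.0.2.0 255.255.255.0 any
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
vpngroup VPNGroup split-tunnel split_tunnel_acl
"""


def parse(config):
    """Collect ACL entries, transform-set names, and every command that references them."""
    acls = defaultdict(list)      # ACL name -> list of ACE strings
    transform_sets = set()        # names defined with 'crypto ipsec transform-set'
    acl_refs = []                 # (kind, referencing command, ACL name)
    ts_refs = []                  # (referencing command, transform-set name)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:
            acls[m.group(1)].append(m.group(2))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) ", line)
        if m:
            transform_sets.add(m.group(1))
            continue
        m = re.match(r"crypto (?:dynamic-map|map) \S+ \d+ match address (\S+)", line)
        if m:
            acl_refs.append(("crypto", line, m.group(1)))
            continue
        m = re.match(r"crypto (?:dynamic-map|map) \S+ \d+ set transform-set (.+)", line)
        if m:
            for ts in m.group(1).split():   # a map may list several transform sets
                ts_refs.append((line, ts))
            continue
        m = re.match(r"vpngroup \S+ split-tunnel (\S+)", line)
        if m:
            acl_refs.append(("split-tunnel", line, m.group(1)))
    return acls, transform_sets, acl_refs, ts_refs


def check(config):
    """Return a list of human-readable findings; an empty list means the wiring is consistent."""
    acls, transform_sets, acl_refs, ts_refs = parse(config)
    findings = []
    # 1. Every ACL named by a crypto map or split-tunnel must actually have entries.
    for _kind, cmd, name in acl_refs:
        if name not in acls:
            findings.append(f"undefined-acl: {cmd!r} references ACL {name}, which has no entries")
    # 2. One ACL must not serve both IPsec selection and split tunneling (the PDM complaint).
    kinds_by_acl = defaultdict(set)
    for kind, _cmd, name in acl_refs:
        kinds_by_acl[name].add(kind)
    for name, kinds in kinds_by_acl.items():
        if {"crypto", "split-tunnel"} <= kinds:
            findings.append(f"shared-acl: {name} is used for both IPsec selection and split tunneling")
    # 3. Split-tunnel entries should pair the protected LAN with 'any', not an interface keyword.
    for kind, _cmd, name in acl_refs:
        if kind == "split-tunnel":
            for ace in acls.get(name, []):
                if "interface" in ace.split():
                    findings.append(f"split-tunnel-ace: {name}: {ace!r} names an interface; use 'any'")
    # 4. A transform set applied by a map must have been defined.
    for cmd, ts in ts_refs:
        if ts not in transform_sets:
            findings.append(f"undefined-transform-set: {cmd!r} references {ts}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(check(cfg))} finding(s)")
        for f in check(cfg):
            print("  -", f)
```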
PTExpertAuthor Commented:
Sorry for the delay. I had to go out of town all last week. I will give it a shot this evening.
Thanks

Waldo
0
PTExpertAuthor Commented:
Hey batry_boy,

Do you know how I can reset the whole VPN portion without causing any problem with the other configuration?

Thanks

Waldo
0
PTExpertAuthor Commented:
Oh Yeah,

The info did not work. Once you log in it does the same thing. It starts to process; on the status line I read "securing Communication channel" and then "not connected."  That's why I think resetting it would be an easy way to fix the problem.

Thanks

Waldo
0
PTExpertAuthor Commented:
I ended up erasing all the VPN lines and using the GUI to fix the problem. It works now, but it seems to have a lot of unnecessary lines.

Thanks
Waldo
0

PTExpertAuthor Commented:
It is fixed now.
0