Cisco Systems IPSEC to PIX 515

Subject Author Date
IPSEC to PIX 515 davidspollack 04-14-06
---> Re: IPSEC to PIX 515 Walter Roberson04-14-06
Posted by davidspollack on April 14, 2006, 9:46 am
Hi -

I'm running a 515 with the 6.3.3 code. I am trying to get the Cisco
IPSEC client connected to the PIX. I've followed the instructions on
Cisco's site, and had this working, but after a recent change it just
won't finish the ISAKMP negotiation.

I also have PPTP enabled to the PIX, which is working fine (so I know
there's no RADIUS/Auth problem).

Client side logs show:

18 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
19 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
20 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
21 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
22 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
23 09:43:23.750 04/14/06 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_WE_FAILED_AUTH"
24 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
25 09:43:23.750 04/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
============================
sanitized Pix config is below:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0

fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded

access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0

pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500

ip audit info action alarm
ip audit attack action alarm

ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp

crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********

vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
=================
any help appreciated. thanks


Posted by Walter Roberson on April 14, 2006, 10:40 am
Please log in for more thread options
>I'm running a 515 with the 6.3.3 code. I am trying to get the Cisco
>IPSEC client connected to the PIX. I've followed the instructions on
>Cisco's site, and had this working, but after a recent change it just
>won't finish the ISAKMP negotiation.

>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>nameif ethernet2 savvist security0

You usually do not want two interfaces to have the same security level:
in PIX 6, interfaces with the same security level cannot talk to
each other.


>access-list outside permit icmp any any echo-reply
>access-list outside permit icmp any any unreachable
>access-list outside permit icmp any any source-quench
>access-list outside permit icmp any any time-exceeded

Personally I do not recommend accepting source-quench ICMP, as those
ICMP can be forged and used as a Denial of Service attack against you.

>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0

Those can be replaced by
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.254.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.254.0

>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
>access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0

Those can be replaced by
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.253.0

>global (outside) 1 interface
>global (savvist) 2 interface
>nat (inside) 0 access-list nonat
>nat (inside) 2 10.0.0.2 255.255.255.255 0 0
>nat (inside) 1 10.0.0.0 255.255.0.0 0 0

10.0.0.2 is the only host allowed to communicate out the savvist interface?

>access-group outside in interface outside
>access-group savvist in interface savvist

No access-list savvist was present in the configuration you showed.

>crypto map outside 1 match address savvis

No access-list savvist was present in the configuration you showed.
Also, you must not use the same access list for a 'match address' and
an 'access-group': the PIX needs to internally manipulate access-group
access-lists and that has the effect of changing the crypto security
associations if you are also using it as 'match address', and that
messes up your VPN.

>crypto map outside 2 match address houston
>crypto map outside 3 match address att
>crypto map outside 4 match address pune

No access-list houston, att or pune was present in the configuration
you showed.
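The three checks in this reply (access-list names that are referenced but never defined, one list used for both an access-group and a crypto match address, and adjacent /24 entries that collapse under a wider netmask) can be run against a saved config before it is loaded. The script below is an added example, not code from this thread or from Cisco; it parses a constructed excerpt modelled on the configuration quoted above and computes the summary netmask for each run of adjacent destinations in the nonat list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt modelled on the configuration quoted above (not the full config).
PIX_CONFIG = """\
access-list outside permit icmp any any echo-reply
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-group outside in interface outside
access-group savvist in interface savvist
crypto map outside 1 match address savvis
crypto map outside 2 match address houston
"""

ACL_IP_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
MATCH_ADDR_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def defined_acls(cfg):
    """Names of every access-list that has at least one entry."""
    return {line.split()[1] for line in cfg.splitlines() if line.startswith("access-list ")}


def acl_references(cfg):
    """Where access-lists are consumed: by access-group and by crypto-map match address."""
    refs = {"access-group": set(), "match address": set()}
    for line in cfg.splitlines():
        if m := ACCESS_GROUP_RE.match(line):
            refs["access-group"].add(m.group(1))
        elif m := MATCH_ADDR_RE.match(line):
            refs["match address"].add(m.group(1))
    return refs


def undefined_references(cfg):
    """(kind, name) pairs for references to access-lists that are never defined;
    a one-letter slip such as savvis versus savvist shows up here."""
    defined = defined_acls(cfg)
    return sorted((kind, name) for kind, names in acl_references(cfg).items()
                  for name in names if name not in defined)


def shared_acls(cfg):
    """Access-lists bound with access-group AND used as a crypto match address."""
    refs = acl_references(cfg)
    return sorted(refs["access-group"] & refs["match address"])


def summarise(cfg, acl):
    """Collapse each source's destination networks in an ACL into the fewest
    supernets, so adjacent /24s become one entry with a wider netmask."""
    dests = defaultdict(list)
    for m in map(ACL_IP_RE.match, cfg.splitlines()):
        if m and m.group(1) == acl:
            dests[f"{m.group(2)}/{m.group(3)}"].append(
                ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}"))
    return {src: [(str(n.network_address), str(n.netmask))
                  for n in ipaddress.collapse_addresses(nets)]
            for src, nets in dests.items()}


if __name__ == "__main__":
    print("undefined:", undefined_references(PIX_CONFIG))
    print("shared:", shared_acls(PIX_CONFIG))
    for src, nets in summarise(PIX_CONFIG, "nonat").items():
        for net, mask in nets:
            print(f"access-list nonat permit ip {src.replace('/', ' ')} {net} {mask}")
```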


Posted by davidspollack on April 14, 2006, 11:39 am
Thanks for the quick reply. I'll take your recommendations into
consideration.

As for the "savvis" interface - we are in the midst of switching from
one provider (business class cable, no BGP available) over to a T1 -
that's why the 2 ints have the same security level, and why only one
host (for testing) was set up to go that way.

> Also, you must not use the same access list for a 'match address' and an
> 'access-group':

I'm looking to solve the Cisco IPSec client problem right now;
they connect to the outside interface via a dynamic crypto map.

- note these are different:
access-group savvist in interface savvist (note the t)
crypto map outside 1 match address savvis

The full conf is below. Thanks!
==============================================
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list inside permit ip any any
access-list houston permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list pune permit ip 10.0.10.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list pune permit ip 10.0.0.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list savvist permit icmp any any echo-reply
access-list savvist permit icmp any any unreachable
access-list savvist permit icmp any any source-quench
access-list savvist permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500
ip address outside w.x.y.z 255.255.255.248
ip address inside 10.0.15.1 255.255.255.0
ip address savvist a.b.c.d 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route inside 10.0.0.0 255.255.255.0 10.0.15.2 1
route inside 10.0.1.0 255.255.255.0 10.0.15.2 1
route inside 10.0.10.0 255.255.255.0 10.0.15.2 1
route inside 10.0.12.0 255.255.255.0 10.0.15.2 1
route inside 10.0.14.0 255.255.255.0 10.0.15.2 1
route savvist a.b.c.d 255.255.255.255 e.f.g.h 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 10
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 10
console timeout 0
vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
terminal width 80


Posted by Walter Roberson on April 15, 2006, 2:32 am
>PIX Version 6.3(3)

>ip address inside 10.0.15.1 255.255.255.0

>ip local pool vpn 10.0.15.100-10.0.15.254

>crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
>crypto dynamic-map dynmap 5 set transform-set kiodex

>crypto map outside 5 ipsec-isakmp dynamic dynmap
>crypto map outside client authentication RADIUS
>crypto map outside interface outside

>vpngroup 628vpn address-pool vpn

>vpdn group 628pptp client configuration address local vpn

In both of those cases, you are going to be dynamically
allocating an IP address to the remote client that is taken
from the pool named 'vpn', which is a subset of 10.0.15/24.
That subnet is, though, the same IP range used by your
inside interface. That will fail more often than it works.

You should set your vpn pool to be an IP subnet that is "outside"
relative to your inside interface, and ensure that the routing
to that IP subnet would be via the outside interface (the one
that has the crypto map attached.)

Otherwise, the packets will appear "local" to the inside hosts, and
won't be picked up by the PIX at all unless it just happens to proxy
arp for those IPs (not certain); and if it is picked up by the PIX
then the PIX will see that the route for the IP is back through
the inside interface (because the pool is a subset of that range),
and will promptly drop the packet. Sometimes the PIX will
automatically insert a host route for the IP that would be good
enough, but it is safer to not count on that.
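Whether a pool lands inside an interface subnet, and which interface the PIX would route its addresses out of, can be checked from the saved config the same way. The script below is an added example, not code from this thread or from Cisco; it assumes RFC 5737 documentation addresses in place of the w.x.y.z and a.b.c.d placeholders and a simplified longest-prefix lookup over the connected subnets and static routes.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's config. RFC 5737 documentation
# addresses stand in for the w.x.y.z / a.b.c.d placeholders so the script runs.
PIX_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.15.1 255.255.255.0
ip address savvist 198.51.100.2 255.255.255.240
ip local pool vpn 10.0.15.100-10.0.15.254
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.255.255.0 10.0.15.2 1
route inside 10.0.1.0 255.255.255.0 10.0.15.2 1
crypto map outside interface outside
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+(?: \d+)?$")
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)$")


def _matches(regex, cfg):
    return [m for m in map(regex.match, cfg.splitlines()) if m]


def interface_subnets(cfg):
    """Interface name -> connected subnet derived from its 'ip address' line."""
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in _matches(IFACE_RE, cfg)}


def local_pools(cfg):
    """Pool name -> (first, last) address of the 'ip local pool' range."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in _matches(POOL_RE, cfg)}


def routing_table(cfg):
    """Connected subnets plus static routes as (prefix, egress interface) pairs."""
    table = [(net, name) for name, net in interface_subnets(cfg).items()]
    table += [(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), m.group(1))
              for m in _matches(ROUTE_RE, cfg)]
    return table


def egress_interface(addr, table):
    """Longest-prefix match: the interface the PIX would forward a packet for addr to."""
    return max((net.prefixlen, name) for net, name in table if addr in net)[1]


def crypto_map_interfaces(cfg):
    return {m.group(1) for m in _matches(CRYPTO_IF_RE, cfg)}


def audit_pool(cfg, pool):
    """Apply the two conditions from the reply above: the pool must not sit inside
    any interface subnet, and its addresses must route out an interface that
    carries a crypto map."""
    first, last = local_pools(cfg)[pool]
    overlaps = next((name for name, net in interface_subnets(cfg).items()
                     if first in net or last in net), None)
    table = routing_table(cfg)
    egress = sorted({egress_interface(a, table) for a in (first, last)})
    ok = overlaps is None and set(egress) <= crypto_map_interfaces(cfg)
    return {"overlaps": overlaps, "egress": egress, "ok": ok}


if __name__ == "__main__":
    print("as posted:", audit_pool(PIX_CONFIG, "vpn"))
    # Constructed alternative: a pool outside every interface subnet, reached via the default route.
    moved = PIX_CONFIG.replace("10.0.15.100-10.0.15.254", "10.0.16.100-10.0.16.254")
    print("moved pool:", audit_pool(moved, "vpn"))
```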

Posted by S. Gione on April 15, 2006, 8:28 pm
I didn't examine your settings in detail, but I "bit" myself recently
similarly:

... check to see that your "vpngroup 628vpn password ********" contains the
correct password value.

I did some major mods on our config recently and "pasted" my vpn values back
in from a text backup file. The PIX, naturally, could not tell what was
hidden behind the "********". All was fine after I put the correct value in
via CLI.

