Hi all,
I have a 2600 router set up as an EzVPN server and a PIX 501 set up as a client. The client end can ping my public interface and I can ping theirs, but they can't receive the configuration from us. Here are the configs of our devices:
These IP ranges are just examples...
My network: 192.168.0.0/24 My DMZ: 192.168.1.0/24
2600 Router as Server

hostname Router2600
!
boot-start-marker
boot-end-marker
!
card type t3 1
logging buffered 51200 debugging
logging console critical
enable secret
!
aaa new-model
!
aaa authentication login localuser local
aaa authorization network groupvpn local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
!
no ip dhcp use vrf connected
!
ip cef
ip flow-cache timeout active 1
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
username admin password 7
username ezvpn-user secret 5 TESTING123
!
controller T3 1/0
 cablelength 10
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 90 12
crypto isakmp xauth timeout 60
!
! Group policy pushed to EzVPN clients via mode-config after XAUTH
crypto isakmp client configuration group groupvpn
 key TESTING
 dns 192.168.0.2 192.168.0.1
 wins 192.168.0.1 192.168.0.2
 domain testing.com
 pool vpn-pool
 acl 104
 save-password
!
crypto ipsec transform-set VPNTRANSF esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set VPNTRANSF
 reverse-route
!
crypto map dynmap client authentication list localuser
crypto map dynmap isakmp authorization list groupvpn
crypto map dynmap client configuration address respond
crypto map dynmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description
 no mop enabled
!
! IPsec is only processed on the interface carrying the crypto map. The default
! route below points at Serial1/0, so the EzVPN peer must be reachable via this
! interface (its connected subnet) for the tunnel to come up and stay up.
interface FastEthernet0/1
 description PUBLIC INTERFACE
 ip address 10.32.152.1 255.255.255.0
 ip route-cache flow
 speed 100
 full-duplex
 crypto map dynmap
!
interface Serial1/0
!
! The pool sits inside the 192.168.0.0/24 LAN; Cisco's usual recommendation is a
! dedicated subnet for VPN clients so LAN hosts reach them by routing rather than
! relying on proxy ARP for the reverse-route /32s.
ip local pool vpn-pool 192.168.0.150 192.168.0.160
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.0.57 9996
!
! Plaintext HTTP management is enabled on a router with an Internet-facing
! interface; restrict it with "ip http access-class" or keep only the secure server.
ip http server
ip http secure-server
ip nat inside source list insideout interface Serial1/0 overload
!
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.0.0 0.0.3.255 any
access-list 101 permit icmp any host 65.194.75.2 echo-reply
access-list 101 permit icmp any host 65.194.75.2 time-exceeded
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 permit tcp any host x.x.x.x eq ftp
access-list 102 permit tcp any host x.x.x.x eq ftp-data
access-list 103 deny tcp any host x.x.x.x eq ftp
access-list 103 deny tcp any host x.x.x.x eq ftp-data
access-list 103 permit tcp any any
! Split-tunnel ACL for group groupvpn: the SOURCE addresses of each entry are what
! the server pushes to the client as secured (tunnelled) networks, so the DMZ goes
! in the source position. The original "permit ip any 192.168.1.0 0.0.0.255" had
! this reversed; the separate tcp entry was redundant with the ip entry.
access-list 104 remark VPN Traffic
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
snmp-server ifindex persist
!
control-plane
!
end
pix501 as Client
I told them to add just that block into their PIX. ACL 104 (I think) should direct the traffic to 192.168.1.0/24, which is my DMZ.
Thanks.
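A server-side sanity check, added here as an example and not part of the original post or Cisco's tooling: it parses an IOS Easy VPN server config and flags the three things worth verifying before touching the PIX client at all: the split-tunnel ACL written with `any` as the source (the source addresses are what the server pushes as secured networks), an address pool that sits inside a LAN subnet, and a crypto map on a different interface from the one the default route exits. `lint_ezvpn_server`, `parse_acl_permits`, `SAMPLE_CONFIG` (a constructed excerpt modelled on the 2600 config above, with its example addresses) and the inside-network list are all assumptions of the example.

```python
"""Sanity-check an IOS Easy VPN server config for common misconfigurations.
Added example; lint_ezvpn_server() and SAMPLE_CONFIG are constructed for
illustration and are not code or config from the original post."""
import ipaddress
import re
from typing import List

# Constructed excerpt modelled on the 2600 config in the post (example addresses).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group groupvpn
 key TESTING
 dns 192.168.0.2 192.168.0.1
 pool vpn-pool
 acl 104
 save-password
crypto map dynmap client configuration address respond
crypto map dynmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/1
 ip address 10.32.152.1 255.255.255.0
 crypto map dynmap
interface Serial1/0
ip local pool vpn-pool 192.168.0.150 192.168.0.160
ip route 0.0.0.0 0.0.0.0 Serial1/0
access-list 104 remark VPN Traffic
access-list 104 permit ip any 192.168.1.0 0.0.0.255
access-list 104 permit tcp any 192.168.1.0 0.0.0.255
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' to a network (wildcard = inverted netmask)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(toks: List[str]):
    """Consume one ACL address spec (any | host A | A WILDCARD) from toks."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(f"{toks[1]}/32"), toks[2:]
    return _wildcard_net(toks[0], toks[1]), toks[2:]


def parse_acl_permits(cfg: str, acl: str) -> List[dict]:
    """Parse the permit entries of numbered extended ACL `acl` (ports ignored)."""
    entries = []
    for proto, rest in re.findall(rf"^access-list {acl} permit (\S+) (.+)$", cfg, re.M):
        src, toks = _take_addr(rest.split())
        dst, _ = _take_addr(toks)
        entries.append({"proto": proto, "src": src, "dst": dst})
    return entries


def lint_ezvpn_server(cfg: str, inside_networks: List[str]) -> List[str]:
    """Return a list of findings (empty when all three checks pass)."""
    findings: List[str] = []
    inside = [ipaddress.IPv4Network(n) for n in inside_networks]

    m = re.search(r"^crypto isakmp client configuration group (\S+)\n((?: .*\n)+)", cfg, re.M)
    if not m:
        return ["no 'crypto isakmp client configuration group' block found"]
    group, attrs = m.group(1), {}
    for line in m.group(2).splitlines():
        parts = line.split(None, 1)          # e.g. ['acl', '104'] or ['save-password']
        attrs[parts[0]] = parts[1] if len(parts) > 1 else ""

    # 1. The pool the group hands out must exist and should not sit inside a LAN subnet.
    pool = attrs.get("pool", "")
    pm = re.search(rf"^ip local pool {re.escape(pool)} (\S+) (\S+)", cfg, re.M) if pool else None
    if pm is None:
        findings.append(f"group {group}: pool '{pool}' is referenced but not defined")
    else:
        lo, hi = ipaddress.IPv4Address(pm.group(1)), ipaddress.IPv4Address(pm.group(2))
        for net in inside:
            if lo in net or hi in net:
                findings.append(f"pool {pool} ({lo}-{hi}) overlaps inside network {net}; "
                                "use a dedicated subnet for VPN clients")

    # 2. Split tunnelling: the SOURCE of each entry is what gets pushed to the client
    #    as a secured network, so 'permit ip any <dmz>' is backwards.
    acl = attrs.get("acl", "")
    entries = parse_acl_permits(cfg, acl) if acl else []
    if acl and not entries:
        findings.append(f"group {group}: split-tunnel acl {acl} has no permit entries")
    for e in entries:
        if e["src"] == ANY:
            findings.append(
                f"acl {acl}: '{e['proto']} any -> {e['dst']}' pushes 0.0.0.0/0 as the secured "
                f"network; write it as 'permit ip {e['dst'].network_address} "
                f"{e['dst'].hostmask} any'")

    # 3. IPsec is only processed on the interface carrying the crypto map; if the
    #    default route exits elsewhere the peer had better be reachable via that interface.
    crypto_if, cur = None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.startswith(" crypto map ") and cur:
            crypto_if = cur
    rm = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    if crypto_if and rm and rm.group(1) != crypto_if and not rm.group(1)[0].isdigit():
        findings.append(f"crypto map is on {crypto_if} but the default route exits "
                        f"{rm.group(1)}; confirm the EzVPN peer is reached via {crypto_if}")
    return findings


if __name__ == "__main__":
    for finding in lint_ezvpn_server(SAMPLE_CONFIG, ["192.168.0.0/24", "192.168.1.0/24"]):
        print("-", finding)
```

Run against the sample it reports four findings (the pool overlap, both reversed ACL entries, and the Fa0/1 vs Serial1/0 mismatch); with the ACL rewritten as `permit ip 192.168.1.0 0.0.0.255 any`, a pool outside the LAN and the default route on the crypto-map interface it reports nothing.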