PIX IPSEC VPN, outgoing packets disappear

Hi all,

I'm trying to build a VPN connection between a PIX 515 and notebooks (roadwarriors) with a VPN client (FortiClient). IPsec SAs establish correctly, and VPN packets from the notebook to the company LAN reach their destination via the PIX. Packets from the company LAN to the roadwarrior disappear: they never hit an access-list (no-nat ACL, dynmap ACL, ...) and they never get encrypted (no packets on the outside IF).

Switching "sysopt connection permit-ipsec" on or off doesn't matter. The route to the VPN clients' net on the internal router points to the PIX inside interface.

Any ideas?

regards

Manfred

LAN 10.232.0.0/16 -- -- Internet -- (VPN 10.232.249.x/24)

PIX config (shortened)

PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list inside-in permit ip any any
access-list outside-in permit ...
...
access-list vpn_no_nat permit ip 10.232.0.0 255.255.0.0 10.232.249.0 255.255.255.0
access-list vpn_traffic permit ip 10.232.0.0 255.255.0.0 10.232.249.0 255.255.255.0
access-list vpn_traffic permit ip 10.232.249.0 255.255.255.0 10.232.0.0 255.255.0.0
ip address outside 193.x.x.x 255.255.255.192
ip address inside 10.232.253.254 255.255.254.0
global (outside) 2 193.x.x.X netmask 255.255.255.192
...
nat (inside) 0 access-list vpn_no_nat
nat (inside) 2 10.232.0.0 255.255.0.0 0 0
...
static (dmz1,outside) ...
...
access-group outside-in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 193.x.x.x 1
route inside 10.232.0.0 255.255.0.0 10.232.253.1 1
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
service resetinbound
service resetoutside
crypto ipsec transform-set lsrset1 esp-aes esp-sha-hmac
crypto ipsec transform-set lsrset2 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 10 match address vpn_traffic
crypto dynamic-map dynmap1 10 set pfs group2
crypto dynamic-map dynmap1 10 set transform-set lsrset1 lsrset2
crypto map map1 10 ipsec-isakmp dynamic dynmap1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
...
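On PIX 6.x the routing lookup runs before the crypto map is consulted, and the crypto map only sees packets routed out the interface it is bound to (outside here); a packet whose longest-match route points back to the interface it arrived on is simply dropped. The following check, an added example and not part of the post, parses the posted route and interface lines, does the longest-prefix match for a client address in the 10.232.249.0/24 pool and reports which interface the PIX would use (the 193.x.x.x placeholders from the post are replaced by constructed 198.51.100.x values so the parser can read them):

```python
import ipaddress

# Constructed excerpt of the posted PIX config. The outside address and
# gateway are stand-ins for the 193.x.x.x placeholders in the post.
PIX_CONFIG = """
ip address outside 198.51.100.1 255.255.255.192
ip address inside 10.232.253.254 255.255.254.0
route outside 0.0.0.0 0.0.0.0 198.51.100.62 1
route inside 10.232.0.0 255.255.0.0 10.232.253.1 1
"""


def parse_routes(config):
    """Return (interface, network) pairs from 'route' and 'ip address' lines.

    An 'ip address' line contributes the connected subnet of that interface,
    which the PIX also uses as a route."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            # route <ifname> <dest> <mask> <gateway> [metric]
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((parts[1], net))
        elif len(parts) >= 5 and parts[:2] == ["ip", "address"]:
            # ip address <ifname> <addr> <mask>  -> connected subnet
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            routes.append((parts[2], net))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the PIX would send dst out of."""
    dst = ipaddress.ip_address(dst)
    best = None
    for ifname, net in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return best[0] if best else None


def vpn_return_path_ok(routes, dst, ingress="inside", crypto_if="outside"):
    """True only if LAN->client traffic leaves via the crypto-map interface
    rather than being routed back out the interface it came in on."""
    egress = egress_interface(routes, dst)
    return egress == crypto_if and egress != ingress
```

With the posted routes the check reports "inside" for 10.232.249.10, i.e. the /16 inside route wins over the default route; a more specific route for the client pool toward the outside interface (or a pool that does not overlap the LAN) is what makes the check pass.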
Ing. Manfred WIRLACH