Hi All,
I have a PIX 515 with version 6.3(3). I have a site to site VPN up and running fine. I am adding client VPN access to this now. All clients will use the Cisco VPN Client 4.6. I followed some instructions I found online and have made the connection to the PIX from a client.
Relevant config:
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list split permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 212.39.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 212.39.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Users address-pool vpnpool
vpngroup Users dns-server 192.168.0.22
vpngroup Users wins-server 192.168.0.22
vpngroup Users default-domain highstreetnetworks.com
vpngroup Users split-tunnel split
vpngroup Users idle-time 1800
vpngroup Users password ********
The problem is that when I ping from the client to inside (192.168.0.75) I get no response. I have done a tcpdump on the inside host and see the echo-request arriving and the echo-response leaving. When I do a debug icmp trace on the PIX I see the request and reply, but I can't see where the reply is going. I am sure it is not going out the correct tunnel. It may be going out the site to site tunnel but I can't figure out how to see which tunnel that reply is going out on.
Are there any debugging techniques that I can use to verify this?
Thanks
Glenn
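One way to check which crypto map entry a given flow would be matched against, as an added example that is not part of the post above: the PIX walks the entries of a crypto map in ascending sequence order, a static entry (seq 20 here) is matched against its `match address` ACL, and a dynamic entry (seq 30) has no ACL of its own and catches whatever reaches it once a client SA exists. The script below reproduces that ordering over a config excerpt constructed from the post (same ACL and crypto map lines, peer address kept as the `212.39.xxx.xxx` placeholder) and reports which entry claims the return traffic. It assumes the client address pool `vpnpool` lies in 192.168.168.0/24, which the post does not state; the `NO_OVERLAP_CONFIG` variant is a hypothetical comparison case, not a recommended change.

```python
import ipaddress
import re

# Constructed excerpt, copied in shape from the post; the site-to-site peer
# is the same placeholder the post uses.
PIX_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list split permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 212.39.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

# Hypothetical variant for comparison only: the ACE that also covers
# 192.168.168.0/24 is absent from the static entry's match ACL.
NO_OVERLAP_CONFIG = PIX_CONFIG.replace(
    "access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 "
    "192.168.168.0 255.255.255.0\n", "")

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, so PIX syntax maps directly.
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls


def parse_crypto_map(config, map_name):
    """Return the numbered entries of one crypto map, sorted by sequence number."""
    entries = {}
    pat = re.compile(rf"crypto map {re.escape(map_name)} (\d+) (.*)$")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue  # 'client configuration' / 'interface' lines carry no seq
        seq, rest = int(m.group(1)), m.group(2)
        e = entries.setdefault(seq, {"seq": seq, "dynamic": None,
                                     "acl": None, "peer": None})
        if rest.startswith("ipsec-isakmp dynamic "):
            e["dynamic"] = rest.split()[-1]
        elif rest.startswith("match address "):
            e["acl"] = rest.split()[-1]
        elif rest.startswith("set peer "):
            e["peer"] = rest.split()[-1]
    return [entries[s] for s in sorted(entries)]


def select_entry(config, map_name, src_ip, dst_ip):
    """First crypto map entry, in sequence order, that claims src_ip -> dst_ip.

    A dynamic entry is treated as matching any flow that reaches it; on the
    real box it only does so once a client SA has been negotiated.
    """
    acls = parse_acls(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in parse_crypto_map(config, map_name):
        if entry["dynamic"]:
            return entry
        for s_net, d_net in acls.get(entry["acl"], []):
            if src in s_net and dst in d_net:
                return entry
    return None


def describe(config, map_name, src_ip, dst_ip):
    """Human-readable verdict for one flow."""
    e = select_entry(config, map_name, src_ip, dst_ip)
    if e is None:
        return f"{src_ip} -> {dst_ip}: no crypto map entry matches (sent in clear)"
    if e["dynamic"]:
        return f"{src_ip} -> {dst_ip}: seq {e['seq']} dynamic map {e['dynamic']} (client tunnel)"
    return f"{src_ip} -> {dst_ip}: seq {e['seq']} via ACL {e['acl']} to peer {e['peer']}"


if __name__ == "__main__":
    # Echo reply from the inside host back to an assumed pool address.
    print(describe(PIX_CONFIG, "outside_map", "192.168.0.75", "192.168.168.10"))
    print(describe(NO_OVERLAP_CONFIG, "outside_map", "192.168.0.75", "192.168.168.10"))
```

With the posted ACL, the reply from 192.168.0.75 to a 192.168.168.x client address is claimed by seq 20 and handed to the site-to-site peer; only when no static ACE covers that destination does the flow fall through to the dynamic entry at seq 30. On the box itself, `show crypto ipsec sa` (packet counters per peer) and `show crypto map` give the same picture from the running state.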