Hi gents, I've been fighting with this for two days and it seems the PIX is winning this battle. I want to configure a VPN client so that I can join this network from a secondary router, so I had to add static routes and some special things. Now, after cleaning up my config a little, the VPN client seems to connect, but I can't use terminal server or SSH. Maybe the problem is in the access list, or maybe the ISAKMP, but I have made lots of changes and none made it work.
So could you please take a look and tell me what I have to allow to achieve this kind of configuration? Thanks, thanks, thanks to you all.
: PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ZlGq2vBPmW8hXSpI encrypted
passwd ZlGq2vBPmW8hXSpI encrypted
hostname pixbcn
domain-name vlsd.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list nonat_acl permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
access-list remote_lond_acl permit ip 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list remote_lond_acl permit icmp 174.144.1.0 255.255.255.0 174.144.5.0 255.255.255.0
access-list remote_pose_acl permit ip 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list remote_pose_acl permit icmp 174.144.1.0 255.255.255.0 174.144.3.0 255.255.255.0
access-list remote_posi2_acl permit ip 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list remote_posi2_acl permit icmp 174.144.1.0 255.255.255.0 174.144.6.0 255.255.255.0
access-list remote_gita_acl permit ip 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list remote_gita_acl permit icmp 174.144.1.0 255.255.255.0 174.144.4.0 255.255.255.0
access-list remote_caus_acl permit ip 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list remote_caus_acl permit icmp 174.144.1.0 255.255.255.0 174.144.2.0 255.255.255.0
access-list red_interna permit ip 174.144.1.0 255.255.255.0 any
access-list outside_cryptomap_dyn_21 permit ip any 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip any any
access-list vlsd_tunnel_ac permit ip 174.144.1.0 255.255.255.0 any
access-list vlsd_tunnel_ac permit icmp 174.144.1.0 255.255.255.0 any
access-list vpn2dkm permit ip any any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 174.144.1.26
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.200.100.253 255.255.0.0
ip address inside 174.144.1.1 255.255.255.0
ip address intf2 174.144.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndkm_pool 172.16.1.1
ip local pool vlsd_pool 174.144.1.60
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 174.144.20.0 255.255.255.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 174.144.1.50 255.255.255.255 inside
pdm location 174.144.20.20 255.255.255.255 intf2
pdm location 174.144.5.0 255.255.255.0 outside
pdm location 80.38.105.29 255.255.255.255 outside
pdm location 174.144.2.0 255.255.255.0 outside
pdm location 174.144.3.0 255.255.255.0 outside
pdm location 174.144.4.0 255.255.255.0 outside
pdm location 174.144.6.0 255.255.255.0 outside
pdm location 174.144.2.0 255.255.255.0 intf2
pdm location 174.144.3.0 255.255.255.0 intf2
pdm location 174.144.4.0 255.255.255.0 intf2
pdm location 174.144.5.0 255.255.255.0 intf2
pdm location 174.144.6.0 255.255.255.0 intf2
pdm location 174.144.1.26 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 62.43.200.194 255.255.255.255 outside
pdm location 80.224.56.90 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside 62.43.200.194 255.255.255.255 10.200.100.190 1
route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
route outside 80.224.56.90 255.255.255.255 10.200.100.190 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.200.0.0 255.255.0.0 outside
http 174.144.1.0 255.255.255.0 inside
http 172.16.1.1 255.255.255.255 inside
http 174.144.20.0 255.255.255.0 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address remote_lond_acl
crypto map newmap 10 set peer 10.201.100.253
crypto map newmap 10 set transform-set myset
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address remote_pose_acl
crypto map newmap 11 set peer 10.202.100.253
crypto map newmap 11 set transform-set myset
crypto map newmap 12 ipsec-isakmp
crypto map newmap 12 match address remote_posi2_acl
crypto map newmap 12 set peer 10.205.100.253
crypto map newmap 12 set transform-set myset
crypto map newmap 13 ipsec-isakmp
crypto map newmap 13 match address remote_gita_acl
crypto map newmap 13 set peer 10.203.100.253
crypto map newmap 13 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_caus_acl
crypto map newmap 20 set peer 80.38.105.29
crypto map newmap 20 set transform-set myset
crypto map newmap 21 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 80.38.105.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.201.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.203.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.202.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.205.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpndkm address-pool vpndkm_pool
vpngroup vpndkm dns-server 174.144.1.15
vpngroup vpndkm default-domain vlsd.net
vpngroup vpndkm split-tunnel vpn2dkm
vpngroup vpndkm idle-time 1800
vpngroup vpndkm password ********
vpngroup vlsd address-pool vlsd_pool
vpngroup vlsd split-tunnel vlsd_tunnel_ac
vpngroup vlsd idle-time 1800
vpngroup vlsd password ********
telnet timeout 5
ssh 10.200.0.0 255.255.0.0 outside
ssh 172.16.1.1 255.255.255.255 outside
ssh 174.144.1.0 255.255.255.0 inside
ssh 174.144.20.0 255.255.255.0 intf2
ssh timeout 30
console timeout 0
dhcpd address 174.144.1.100-174.144.1.250 inside
dhcpd dns 174.144.1.15 174.144.1.16
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain vlsd.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ab2e9ab3f3b0a44b4d0f7a492a5281a4
: end
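As an added example (not from the original post and not Cisco code), a small Python first-match evaluator for PIX 6.x access-list entries, run over a few lines copied from the config above; it answers whether a named list permits a given protocol and source/destination pair, using the real subnet masks PIX 6.x takes rather than IOS wildcards. The addresses 172.16.1.1 (the vpndkm pool) and 174.144.1.26 (the inside syslog host) come from the posted config.

```python
import ipaddress

# Constructed sample: a few access-list lines copied from the PIX 6.3 config posted above.
SAMPLE_CONFIG = """
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 174.144.1.0 255.255.255.0 host 172.16.1.1
access-list split_tunnel_ac permit ip 174.144.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit ip any any
access-list vpn2dkm permit ip any any
"""

def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX 6.x access-lists take real subnet masks, not IOS-style wildcard masks
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_access_lists(config_text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in configured order.
    Port qualifiers (eq/range) are ignored; none appear in the posted config."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls

def acl_verdict(acls, name, proto, src_ip, dst_ip):
    """First-match evaluation with the PIX implicit deny; 'no-acl' if the list does not exist."""
    if name not in acls:
        return "no-acl"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_net, dst_net in acls[name]:
        # an 'ip' ACE covers every protocol; otherwise the protocol must match exactly
        if ace_proto in ("ip", proto) and src in src_net and dst in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse_access_lists(SAMPLE_CONFIG)
    print("outside_access_in tcp:", acl_verdict(acls, "outside_access_in", "tcp", "172.16.1.1", "174.144.1.26"))
    print("nonat_acl inside->pool:", acl_verdict(acls, "nonat_acl", "tcp", "174.144.1.26", "172.16.1.1"))
```

Because the posted config has `sysopt connection permit-ipsec`, PIX 6.3 lets decrypted IPsec traffic bypass the outside interface ACL, so a deny from outside_access_in alone does not explain a failed SSH or terminal-server session; the check is more telling for the nonat and split-tunnel lists, where direction matters.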