I have a client with a PIX 501, version 6.3(4). For some reason that I've not been able to figure out, the VPN client that I've created for them will connect, but traffic will not pass through the PIX. The client is set to use group and user authentication, but it immediately connects without prompting for user authentication, which is also strange. Any advice is greatly appreciated. The config is posted below. The VPN client in question is the one listed as "magellan" and the internal IP that I ideally would like to connect to is 192.168.100.79, but I can't get to any IP; not even the internal IP of the PIX. All help is greatly appreciated.

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pix
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside-outside permit tcp any interface outside eq pcanywhere-data
access-list inside-outside permit udp any interface outside eq pcanywhere-status
access-list inside-outside permit tcp any interface outside eq https
access-list inside-outside permit tcp any host 192.168.100.42 eq 5800
access-list inside-outside permit tcp any host 192.168.100.42 eq 5900
access-list inside-outside permit tcp any host 192.168.100.59 eq 5801
access-list inside-outside permit tcp any host 192.168.100.59 eq 5901
access-list inside-outside permit tcp any host 192.168.100.61 eq 5802
access-list inside-outside permit tcp any host 192.168.100.61 eq 5902
access-list inside-outside permit tcp any host 192.168.100.62 eq 5803
access-list inside-outside permit tcp any host 192.168.100.62 eq 5903
access-list inside-outside permit tcp any host 192.168.100.63 eq 5804
access-list inside-outside permit tcp any host 192.168.100.63 eq 5904
access-list inside-outside permit tcp any host 192.168.100.161 eq 5805
access-list inside-outside permit tcp any host 192.168.100.161 eq 5905
access-list inside-outside permit tcp any host 192.168.100.64 eq 5806
access-list inside-outside permit tcp any host 192.168.100.64 eq 5906
access-list inside-outside permit tcp any host 192.168.100.65 eq 5807
access-list inside-outside permit tcp any host 192.168.100.65 eq 5907
access-list inside-outside permit tcp any interface outside eq 4125
access-list inside-outside permit tcp any interface outside eq 3389
access-list mri permit ip host 192.168.100.76 host 172.16.4.8
access-list mri permit ip host 192.168.100.76 host 172.16.4.10
access-list mri permit ip host 192.168.100.79 host 172.16.4.8
access-list mri permit ip host 192.168.100.79 host 172.16.4.10
access-list mri permit ip host 192.168.100.80 host 172.16.4.8
access-list mri permit ip host 192.168.100.80 host 172.16.4.10
access-list 100 permit ip host 192.168.100.76 host 172.16.4.10
access-list 100 permit ip host 192.168.100.76 host 172.16.4.8
access-list 100 permit ip host 192.168.100.79 host 172.16.4.10
access-list 100 permit ip host 192.168.100.79 host 172.16.4.8
access-list 100 permit ip host 192.168.100.80 host 172.16.4.10
access-list 100 permit ip host 192.168.100.80 host 172.16.4.8
access-list GEMED permit ip host xx.xx.xx.xx xx.xx.xx.xx 255.255.0.0
access-list GEMED permit ip host xx.xx.xx.xx xx.xx.xx.xx 255.255.0.0
access-list (inside,outside) permit tcp any host 192.168.100.79 eq 5731
access-list (inside,outside) permit udp any host 192.168.100.79 eq 5732
pager lines 120
logging on
logging console alerts
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside 209.161.xx.xx 255.255.255.252
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 192.168.200.1-192.168.200.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list mri
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.100.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.100.11 https netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.100.31 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.100.31 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5800 192.168.100.42 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5900 192.168.100.42 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5801 192.168.100.59 5801 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5901 192.168.100.59 5901 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5802 192.168.100.61 5802 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5902 192.168.100.61 5902 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5803 192.168.100.62 5803 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5903 192.168.100.62 5903 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5804 192.168.100.63 5804 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5904 192.168.100.63 5904 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5805 192.168.100.161 5805 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5905 192.168.100.161 5905 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5806 192.168.100.64 5806 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5906 192.168.100.64 5906 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5807 192.168.100.65 5807 netmask 255.255.255.255 0 0
static (inside,outside) tcp 209.xx.xx.xx 5907 192.168.100.65 5907 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5731 192.168.100.79 5731 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5732 192.168.100.79 5732 netmask 255.255.255.255 0 0
static (inside,outside) 10.77.xx.xx 192.168.100.76 netmask 255.255.255.255 0 0
static (inside,outside) 10.77.xx.xx 192.168.100.77 netmask 255.255.255.255 0 0
static (inside,outside) 142.179.xx.xx 192.168.100.79 netmask 255.255.255.255 0 0
access-group inside-outside in interface outside
route outside 0.0.0.0 0.0.0.0 209.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 209.xx.xx.xx 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map dyn20 20 set transform-set AAADES
crypto map shmem 10 ipsec-isakmp
crypto map shmem 10 match address GEMED
crypto map shmem 10 set peer xx.xx.xx.xx
crypto map shmem 10 set transform-set AAADES
crypto map shmem 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map shmem 15 ipsec-isakmp
crypto map shmem 15 match address mri
crypto map shmem 15 set peer xx.xx.xx.xx
crypto map shmem 15 set transform-set AAADES
crypto map shmem 20 ipsec-isakmp dynamic dyn20
crypto map shmem interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp client configuration address-pool local vpnclients outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup ortho-tech address-pool vpnclients
vpngroup ortho-tech dns-server 209.xx.xx.xx 209.xx.xx.xx
vpngroup ortho-tech idle-time 1800
vpngroup ortho-tech password ********
vpngroup magellan-group address-pool vpnclients
vpngroup magellan-group dns-server 209.xx.xx.xx 209.xx.xx.xx
vpngroup magellan-group idle-time 1800
vpngroup magellan-group password ********
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh xx.xx.xx.xx 255.255.255.255 inside
ssh timeout 60
console timeout 0
username support password xxxxxxxxxxxxxxxxxx encrypted privilege 2
username magellan password xxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:6b3e1c6136fff01a48f2d8ccfea4ac8f
: end
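A configuration check, added here as an example and not part of the original post: it reads a PIX 6.3 config and reports whether every address in the VPN client pool is covered by a destination in the `nat (inside) 0 access-list` exemption (the NAT exemption inside hosts need to reach VPN clients), and whether the crypto map bound to the outside interface carries a `client authentication` server (the command that turns on xauth). The embedded config is a constructed excerpt of the lines posted above; the two checks rest on general PIX 6.3 command semantics, not on anything the post states.

```python
import ipaddress
import re

# Constructed excerpt of the posted PIX 6.3 config: only the lines the check reads.
SAMPLE_CONFIG = """
ip local pool vpnclients 192.168.200.1-192.168.200.10
access-list mri permit ip host 192.168.100.76 host 172.16.4.8
access-list mri permit ip host 192.168.100.79 host 172.16.4.10
nat (inside) 0 access-list mri
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map shmem 20 ipsec-isakmp dynamic dyn20
crypto map shmem interface outside
vpngroup magellan-group address-pool vpnclients
"""

def _net(tokens):
    """Consume one PIX ACL address clause (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def check_vpn_client_config(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    pool = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)
    if not pool:
        return ["no 'ip local pool' defined for VPN clients"]
    first, last = ipaddress.ip_address(pool[2]), ipaddress.ip_address(pool[3])
    clients = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    # 'nat (inside) 0 access-list <acl>' exempts inside->destination traffic from NAT/PAT;
    # collect the destinations that ACL names.
    exempt = []
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if nat0:
        acl = re.escape(nat0[1])
        for clause in re.findall(rf"^access-list {acl} permit ip (.+)$", cfg, re.M):
            _src, rest = _net(clause.split())
            dst, _ = _net(rest)
            exempt.append(dst)
    uncovered = [c for c in clients if not any(c in d for d in exempt)]
    if uncovered:
        findings.append(f"pool {pool[1]}: {len(uncovered)}/{len(clients)} client addresses "
                        "are not NAT-exempt, inside replies to them will be PATed")
    # xauth is enabled per crypto map by 'crypto map <name> client authentication <aaa-server>'.
    for cmap in sorted(set(re.findall(r"^crypto map (\S+) interface", cfg, re.M))):
        if not re.search(rf"^crypto map {re.escape(cmap)} client authentication", cfg, re.M):
            findings.append(f"crypto map {cmap}: no xauth server, group password alone admits clients")
    return findings
```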