I have a PIX 506e and i have setup a remote VPN client on the PIX. I have setup up the group name, password and VPN IP Pool. I already have VPN site to site over IPsec on IKE. When i try to connect using the VPN Client i get a
The pool with a mask of .224 ends at .95 not .96 . I would suggest that you use a netmask of 255.255.255.0, and make sure that the first and last addresses implied by the netmask are not listed in the pool.
ML_Inbound_SMTP eq smtp
special_www eq www
In your first line, you permit out the full 192.168.2/24, but in the two lines above you only allow yout 192.168.2.0 - 192.168.2.31 . Is that really what you want? If you have made a deliberate decision to confine "hosts that are allowed to contact those services" to that address range, then take note that that address range includes the PIX inside interface, which would you wouldn't normally want to include if you are being particular about what goes out where.
If you have allocated a group of hosts starting from HOST_PC and extending to HOST_PC + 63, and that's what you want to allow to access those services, then I would suggest that it is better form to hide the details of the permitted hosts inside an object-group; that way later you they don't have to be contiguous.
That denies traffic to the VPN_pool . However, the sysopt you use later allows the VPN to ignore the access lists.
With the information you gave, we cannot tell whether HO_VPN_NET or VPN_RM encompasses VPN_POOL . If one of the two does, notice the netmask inconsistancy compared to the pool definition.
Don't try nat 0 against the outside interface: if it does anything at all, it surely won't be whatever you intended. Instead just rely upon the fact that nat (inside) 0 is automatically applied "in reverse" for incoming traffic.
no global (outside) 3 policy...
Why is your fixed peer using ESP-DES-SHA but your dynamics are using ESP-DES-MD5 ? PIX 6.3 does not support ESP-DES-SHA by the way (if I recall correctly.) It's better to list several transforms in the set, strongest first; then if somehow there becomes a mismatch in support, they can fall back to another transform.
DES SHA is stronger than DES MD5, so it would be better if it were a lower policy number.
Everything else implies that HO_VPN_NET is outside, but here you have it on the inside.
??? You are allowing accidents of DHCP address allocation to determine whether a particular host is allowed particular kinds of inside or outside access (because of the various .224 you use against inside addresses in places) ?
And if there are fixed hosts at HOST_PC then they overlap with your dhcpd address pool, unless HOST_PC is in a completely different IP range -- but if it is in a completely different range then the situation can't work without an 'ip route' statement.
You are trying to create a management VPN to HO_PIX and there is a corresponding VPN at HO_PIX marked with a 'management interface' command? If not then don't use network-extension-mode . If you -are- trying to create such a management VPN, note that the network-extension-mode VPN being created will permit only traffic that originates at the PIX itself, such as CLI pings -- usually not of substantial utility considering the configuration complexity.
If you want to build a LAN to LAN VPN to the outside interface of HO_PIX then include the outside interface IP of HO_PIX amongst the traffic permitted by outside_cryptomap_20 .
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.