VPN Connection Problems between Cisco PIX 506E and Cisco VPN Concentrator 3005

Hello all,

I have a problem with a VPN connection from a Cisco PIX 506E to a Cisco 3005 concentrator. The problem is that the LAN on the PIX is also used to another remote side. So I tried to activate NAT on the PIX to translate the IP addresses of the network. After that I entered the information at the concentrator which is necessary for the LAN-to-LAN connection. But I did not get a connection. I tried to ping the outside address of the PIX but I did not get a reply.

I post the output of the logfile for that connection below:

29437 02/15/2005 14:25:21.890 SEV=4 IKE/41 RPT=43758 213.183.66.179 IKE Initiator: New Phase 1, Intf 2, IKE Peer 213.183.66.179 local Proxy Address 192.168.0.0, remote Proxy Address 213.183.66.179, SA (L2L: to PIX)

29507 02/15/2005 14:26:02.300 SEV=4 IKEDBG/65 RPT=36896 213.183.66.179 Group [213.183.66.179] IKE MM Initiator FSM error history (struct &0x3b7510c) , : MM_DONE, EV_ERROR MM_WAIT_MSG6, EV_TIMEOUT MM_WAIT_MSG6, NullEvent MM_SND_MSG5, EV_SND_MSG

And here is the config of the PIX:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Cisco-Firewall-VPN
domain-name pk-intern.de
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip host 2xx.1xx.6x.1xx 192.168.8.224 255.255.255.224
access-list ipsec permit ip 192.168.41.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list ipsec permit ip 192.168.41.0 255.255.255.0 192.168.8.224 255.255.255.224
access-list nonat permit ip any host 192.168.14.1
access-list nonat permit ip any 192.168.14.0 255.255.255.192
access-list nonat permit ip host 2xx.1xx.6x.1xx 192.168.8.xxx 255.255.255.224
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.8.xxx 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any host 192.168.14.1
access-list outside_cryptomap_dyn_20 permit ip any 192.168.14.0 255.255.255.192
access-list outside_cryptomap_30 permit ip 192.168.4.0 255.255.255.0 192.168.8.xxx 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2xx.1xx.6x.1xx 255.255.255.248
ip address inside 192.168.4.xx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool EDV 192.168.14.1-192.168.14.32 mask 255.255.255.0
pdm location 192.168.4.xx 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 2xx.1xx.6x.1xx
nat (inside) 0 access-list nonat
static (inside,outside) 192.168.41.0 192.168.4.0 netmask 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 2xx.1xx.6x.1xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set set-3des esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set set-3des
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address ipsec
crypto map vpn 10 set peer 2xx.1xx.1xx.9x
crypto map vpn 10 set transform-set set-3des
crypto map vpn 30 ipsec-isakmp
crypto map vpn 30 match address outside_cryptomap_30
crypto map vpn 30 set peer 2xx.1xx.1xx.9x
crypto map vpn 30 set transform-set set-3des
crypto map vpn 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 2xx.1xx.1xx.9x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup EDV address-pool EDV
vpngroup EDV dns-server 192.168.4.xxx 192.168.2.xxx
vpngroup EDV wins-server 192.168.4.xxx 192.168.2.xxx
vpngroup EDV default-domain pk-intern.de
vpngroup EDV idle-time 1800
vpngroup EDV password ********
telnet 192.168.4.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.4.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain pk-intern.de
username user password mrbAHCmBQ56It1RP encrypted privilege 15
vpnclient server 2xx.1xx.6x.1xx
vpnclient mode client-mode
vpnclient vpngroup user password ********
vpnclient username user password ********
terminal width 80
Cryptochecksum:f18163247c8b2ebfc2cf0a40e3e71ff8
: end
Kai
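
As an added example (not part of the original post), the two concentrator log lines above can be parsed to show where IKE Phase 1 stopped and how long the attempt ran. The field layout is inferred from those two lines only, and reading the FSM history as newest-first is an assumption based on main-mode message order (message 5 is sent before message 6 is awaited).

```python
import re
from datetime import datetime

# The two VPN 3000 Concentrator event-log lines copied from the post above.
SAMPLE = [
    "29437 02/15/2005 14:25:21.890 SEV=4 IKE/41 RPT=43758 213.183.66.179 IKE Initiator: New Phase 1, Intf 2, IKE Peer 213.183.66.179 local Proxy Address 192.168.0.0, remote Proxy Address 213.183.66.179, SA (L2L: to PIX)",
    "29507 02/15/2005 14:26:02.300 SEV=4 IKEDBG/65 RPT=36896 213.183.66.179 Group [213.183.66.179] IKE MM Initiator FSM error history (struct &0x3b7510c) , : MM_DONE, EV_ERROR MM_WAIT_MSG6, EV_TIMEOUT MM_WAIT_MSG6, NullEvent MM_SND_MSG5, EV_SND_MSG",
]

# Layout inferred from those two lines: seq, date, time, SEV, class/number, RPT, peer, text.
LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\d\d/\d\d/\d{4} [\d:.]+) SEV=(?P<sev>\d+) "
    r"(?P<cls>\w+)/(?P<num>\d+) RPT=(?P<rpt>\d+) (?P<peer>[\d.]+) (?P<msg>.*)$"
)
PAIR_RE = re.compile(r"\b(MM_\w+), (\w+)")  # "STATE, EVENT" pairs of the main-mode FSM


def parse(line):
    """Split one log line into fields; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
    # Assumption: the history is printed newest first, so reverse it into time order.
    ev["fsm"] = PAIR_RE.findall(ev["msg"])[::-1]
    return ev


def phase1_failures(lines):
    """Pair each 'New Phase 1' start with the next FSM error history for the same peer."""
    started, failures = {}, []
    for ev in filter(None, map(parse, lines)):
        if "New Phase 1" in ev["msg"]:
            started[ev["peer"]] = ev["ts"]
        elif "FSM error history" in ev["msg"] and ev["fsm"]:
            t0 = started.pop(ev["peer"], None)
            failures.append({
                "peer": ev["peer"],
                # State in which the timer expired, i.e. the message that never arrived.
                "stalled_in": next((s for s, e in ev["fsm"] if e == "EV_TIMEOUT"), None),
                "elapsed_s": (ev["ts"] - t0).total_seconds() if t0 else None,
                "history": ev["fsm"],
            })
    return failures


if __name__ == "__main__":
    for f in phase1_failures(SAMPLE):
        print(f["peer"], f["stalled_in"], f["elapsed_s"], f["history"])
```

On the posted lines this reports that the concentrator, as initiator, sent main-mode message 5 and timed out in MM_WAIT_MSG6 about 40 seconds after starting Phase 1, so the peer's message 6 (its identity and authentication reply) never arrived.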