VPN Site to Client Setup

Hi, I have been working on a solution for remote users, so that they can connect to my office any time through the Cisco VPN Client.

Following is the diagram and the config I have done.

OFC Server -------- PIX 506E (6.3) -------- Home (Cisco VPN Client)
192.168.1.10       192.168.1.1 / 203.122.33.52       DHCP

I have done the following config on the PIX:

ip local pool Remote 192.168.1.240-192.168.1.250

crypto map inside_map interface inside
isakmp enable outside
isakmp keepalive 30 5
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400

vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.1.5 203.122.63.152
vpngroup Remote default-domain XYZ.com
vpngroup Remote idle-time 1800
vpngroup Remote max-time 100
vpngroup Remote password ********

From my VPN Client it connects to the PIX, but in PDM it shows status idle, and then after 1 minute it gets disconnected from the PIX.

Please help if I am doing anything wrong, or provide me any case study.

CK

Posted by NETADMIN

You're getting disconnected in 100 seconds because your config is saying the max connect time is 100 seconds.

Remove "vpngroup Remote max-time 100"

Can't tell if anything else is wrong; you didn't provide enough of your config.

Posted by Brian V

Thanks

I removed it, but still the same problem.

Do I have to use any kind of access-list for incoming traffic?

CK


Posted by NETADMIN

I guess you completely missed the part about "Can't tell if anything else is wrong, you didn't provide enough of your config."

Posted by Brian V

Sorry for the delay. Following is my config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yUxyJpV4L5sHyqnf encrypted
passwd re9vzSLG8v/gMac6 encrypted
hostname ALGOPIX
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.133 Sanjeev
name 192.168.1.225 Chetan
object-group network NetworkTeam
network-object CK 255.255.255.255
network-object SK 255.255.255.255
access-list acl_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.230 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.1.240-192.168.1.250
pdm location Chetan 255.255.255.255 inside
pdm location Sanjeev 255.255.255.255 inside
pdm group NetworkTeam inside
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.232
global (outside) 2 X.X.X.233
nat (inside) 2 SK 255.255.255.255 0 0
nat (inside) 2 CK 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 203.122.33.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http CK 255.255.255.255 inside
snmp-server host inside CK
snmp-server location SR
snmp-server contact CK
snmp-server community XYZ
no snmp-server enable traps
tftp-server inside CK/PIX/
floodguard enable
crypto map inside_map interface inside
isakmp enable outside
isakmp keepalive 30 5
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.1.5 203.122.63.152
vpngroup Remote default-domain XYZ.com
vpngroup Remote idle-time 1800
vpngroup Remote max-time 100
vpngroup Remote password ********
telnet Chetan 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
console timeout 5
terminal width 80
Cryptochecksum:5806553479729e5649e419fe45738990
: end

Reply ASAP...

CK


Posted by NETADMIN

You do not appear to have defined that map, inside_map, and it is rather unusual that it would be applied to the inside interface instead of the outside interface. For example, you haven't configured isakmp on the inside interface.

For your remote pool, use an IP address range that is NOT part of your inside interface, and use a nat (inside) 0 access-list to exempt that range from address translation.

Posted by Walter Roberson

Thanks. Let me try that, then I will get back to you ASAP.

Posted by NETADMIN

Hi

access-list acl_out permit icmp any any
access-group acl_out in interface outside

ip local pool Remote 10.1.1.10-10.1.1.20

crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.1.5 203.122.63.152
vpngroup Remote idle-time 1800
vpngroup Remote password ********

I changed the local pool IP address scheme and enabled ISAKMP for the inside and outside interfaces. Please brief me with an example for the access-list and NAT.

Ck


Posted by CK
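A complete PIX 6.3 remote-access (Cisco VPN Client) server configuration that follows Walter's two points, added here as an example; it is not CK's config and not Cisco's documentation. It defines the transform set and dynamic crypto map that inside_map never had, binds the map and ISAKMP to the outside interface only, keeps the 10.1.1.0/24 pool CK moved to, and exempts LAN-to-pool traffic from translation with nat (inside) 0. The names no_nat, remote_ts, dynmap and outside_map are assumed, and the 3DES/SHA choice assumes the 3DES license is present on the 506E (substitute the thread's des/md5 policy 9 if it is not).

```cisco
: Added example: Easy VPN server on PIX 6.3; names below are assumed
:
: Client pool on a range that is NOT part of the inside subnet (192.168.1.0/24)
ip local pool Remote 10.1.1.10-10.1.1.20
:
: Identity NAT: LAN <-> client-pool traffic must not be translated by
: the nat (inside) 1 / global (outside) 1 PAT rules
access-list no_nat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
:
: Decrypted IPsec traffic bypasses the outside interface ACL (acl_out),
: so no extra access-list entries for client traffic are needed
sysopt connection permit-ipsec
:
: Phase 1 (ISAKMP) on the outside interface only; the inside interface
: never terminates client tunnels, so do not enable isakmp there
isakmp enable outside
isakmp identity address
isakmp keepalive 30 5
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
:
: Phase 2: a transform set, a dynamic map (the client's public address is
: unknown in advance), and a crypto map that references the dynamic map
: and is bound to the OUTSIDE interface
crypto ipsec transform-set remote_ts esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set remote_ts
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
:
: Group the VPN Client connects with; group name and pre-shared key
: must match the client's connection entry. No max-time here.
vpngroup Remote address-pool Remote
vpngroup Remote dns-server 192.168.1.5
vpngroup Remote default-domain XYZ.com
vpngroup Remote idle-time 1800
vpngroup Remote password ********
```

Check the result with "show crypto isakmp sa" (the client's peer should show QM_IDLE after phase 1) and "show crypto ipsec sa" (packet encrypt/decrypt counters should increase while the client pings 192.168.1.10). The group pre-shared key alone identifies every home user identically; to require a per-user login as well, add "crypto map outside_map client authentication LOCAL" together with "username" entries, or point it at the RADIUS server already declared in the config. Without a vpngroup split-tunnel access-list the client sends all its traffic through the tunnel, which PIX 6.3 cannot forward back out to the Internet; split tunnelling restores that, at the cost of the home PC being reachable from its local network while connected.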
