RE: PIX VPN Problem [7:111150] posted 06/23/2006


I saw somewhere that Cisco actually recommends that the VPN range be a
different IP subnet from the locally attached LAN.

Also check the crypto ACLs that define what flows come into the dynamic
map that must be encrypted else they are dropped...

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Maxwell Noel
Sent: 22 June 2006 23:06 PM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: PIX VPN Problem [7:111150]

Hi,

I think the problem is with the split tunneling IP range you have
applied. Try to remove the split tunneling range and connect again, or
have a separate range that doesn't clash with your IP local pool. I think
you have done this using the ASDM, haven't you?

Max

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]
Sent: Thursday, June 22, 2006 11:32 PM
To: cisco@xxxxxxxxxxxxxx
Subject: RE: PIX VPN Problem [7:111150]

access-list acl_out extended permit ip any any
access-list acl_out extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list modvpn_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.0
access-list asdasd_splitTunnelAcl standard permit 10.0.3.0 255.255.255.0

access-list outside_cryptomap_dyn_40 extended permit ip any 10.0.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20_1 extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
ip local pool MOD 10.0.1.1-10.0.1.254 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

group-policy modvpn internal
group-policy modvpn attributes
 dns-server value 69.48.130.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value modvpn_splitTunnelAcl


snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group modvpn type ipsec-ra
tunnel-group modvpn general-attributes
 address-pool MOD
 default-group-policy modvpn
tunnel-group modvpn ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

Peter Borghard wrote:
> 
> I'm trying to set up a Pix 515 ver7.0(4) with NAT and VPN.
> Nothing crazy, public IP on the outside interface, private network on
> inside interface.  Separate IP pool for VPN.  When I try to connect to
> the VPN I get this from log.  Please advise!:
> 
> IP = 172.16.16.248, Received encrypted packet with no matching SA, 
> dropping
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Session 
> disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes
> xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Removing peer 
> from correlator table failed, no match!
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, QM FSM error 
> (P2 struct &0x1fda468, mess id 0xd018d25c)!
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Rejecting IPSec
> tunnel: no matching crypto map entry for remote proxy
> 10.0.1.1/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on 
> interface outside
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, PHASE 1 
> COMPLETED
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Assigned 
> private IP address 10.0.1.1 to remote user
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Client
> Type: WinNT  Client Application Version: 4.6.01.0019
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Received 
> unknown transaction mode attribute: 28683
> 
> Group = modvpn, Username = detech, IP = 172.16.16.248, Received 
> unsupported transaction mode attribute: 5
> 
> AAA transaction status ACCEPT : user = detech
> 
> AAA retrieved default group policy (modvpn) for user = detech
> 
> AAA user authentication Successful : local database : user = detech

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=111176&t=111150
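An added example, not part of the thread or of any Cisco tooling: a small Python checker that parses the lines of the posted config that matter here and tests the two points the replies raise, whether the split-tunnel list overlaps the VPN address pool, and whether the dynamic map's match-address ACL can cover the proxy identities from the "no matching crypto map entry" log line. Modelling the proxy check as subset containment is an assumption, not the PIX's documented algorithm.

```python
import ipaddress

# Constructed sample: the lines of the posted PIX config that the checks need.
CONFIG = """\
access-list modvpn_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20_1 extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
ip local pool MOD 10.0.1.1-10.0.1.254 mask 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_1
 split-tunnel-network-list value modvpn_splitTunnelAcl
"""

def net(addr, mask="255.255.255.255"):
    """PIX address spec ('any' or 'addr mask') -> ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{mask}")

def _addrs(tokens):
    """Consume the address specs that end an ACL entry."""
    out = []
    while tokens:
        out.append(net(tokens.pop(0)) if tokens[0] == "any" else net(tokens.pop(0), tokens.pop(0)))
    return out

def parse(config):
    """Extract ACLs, the address pool, the split-tunnel list and the dynamic-map match ACL."""
    cfg = {"acl": {}, "pool": None, "split": None, "match": None}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and "permit" in t:
            # standard: one network; extended: 'ip' then source and destination
            nets = _addrs(t[t.index("permit") + (2 if t[2] == "extended" else 1):])
            cfg["acl"].setdefault(t[1], []).append(tuple([None] * (2 - len(nets)) + nets))
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[:1] == ["split-tunnel-network-list"]:
            cfg["split"] = t[2]
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            cfg["match"] = t[t.index("address") + 1]
    return cfg

def split_tunnel_overlaps_pool(cfg):
    """Split-tunnel networks overlapping the VPN pool (the clash Max describes)."""
    lo, hi = cfg["pool"]
    return [d for _, d in cfg["acl"].get(cfg["split"], []) if d[0] <= hi and d[-1] >= lo]

def crypto_map_accepts(cfg, local_proxy, remote_proxy):
    """Proxy-identity check behind 'no matching crypto map entry': no 'match address'
    accepts anything; otherwise the proposal must sit inside an ACE (source = PIX
    side, destination = client). Subset containment is an assumption here."""
    lp, rp = net(*local_proxy.split("/")), net(*remote_proxy.split("/"))
    return cfg["match"] is None or any(
        lp.subnet_of(s) and rp.subnet_of(d) for s, d in cfg["acl"].get(cfg["match"], []))
```

Run against the sample, the split-tunnel list comes back as overlapping the pool, and the log's proxy pair (local 0.0.0.0/0.0.0.0, remote 10.0.1.1/255.255.255.255) is rejected by the match ACL but accepted once the dynamic map has no match address.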