Re: Contivity Client from behind PIX
- From: "Martin Bilgrav" <bilgravCUTTHISOUT@xxxxxxxx>
- Date: Fri, 25 Nov 2005 22:12:34 +0100
Have you tried the fixup for IPsec to allow the Nortel client to traverse?
"Jamie Mcc" <jamiemcc@xxxxxxxxx> wrote in message
news:1132948438.612424.175990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I apologize if this message appears 2x.
>
> Hello,
>
> Here is my desired configuration:
>
> Customer 1 = PPTP (my office) -> PIX -> Internet -> PIX (This works!)
> Customer 2 = Contivity VPN Client (my office) -> PIX -> Internet ->
> Contivity 600 (Does not work)
>
> I own the PIX, a customer owns the Contivity.
>
> I have the PIX working. I needed to be able to connect to a customer's
> PIX VPN via PPTP, which is working fine (customer 1). But customer 2
> has a Contivity 600. I can connect to them via my 'linksys' box, so I
> know it works; when I replace the linksys with the PIX the connection
> does not work. The Contivity Client responds with "Login Failure do to:
> Remote host not responding" and the PIX log gets the message "302015:
> Built outbound UDP connection 56 for outside:<My customers VPN IP>/500
> to inside <My PC's IP>/500 (<My Outside IP>/8)".
>
> I think the request is going out via the contivity client, but not
> getting back to the client properly.
>
> Any help?
>
> My CFG.
>
> Result of firewall command: "show running-config"
>
> : Saved
> :
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname myPix
> domain-name myDomain.local
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol pptp 1723
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name 192.168.167.0 WirelessSubnet
> name 192.168.169.0 WiredSubnet
> access-list inside_access_in permit ip any any
> access-list inside_access_in permit icmp any any traceroute
> access-list inside_outbound_nat0_acl permit ip WiredSubnet 255.255.255.0 <OUTSIDENET> 255.255.252.0
> access-list inside_outbound_nat0_acl permit ip any 192.168.169.160 255.255.255.224
> access-list outside_cryptomap_20 permit ip WiredSubnet 255.255.255.0 <OUTSIDENET> 255.255.252.0
> pager lines 24
> logging on
> logging timestamp
> logging console debugging
> logging trap debugging
> mtu outside 1500
> mtu inside 1500
> ip address outside <OUTSIDE IP> 255.255.252.0
> ip address inside 192.168.169.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool VPNPool 192.168.169.160-192.168.169.180
> pdm location WirelessSubnet 255.255.255.240 inside
> pdm location 192.168.169.160 255.255.255.224 outside
> pdm location 192.168.169.14 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 <OUTSIDE GW>
> timeout xlate 0:10:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:00:00 absolute uauth 0:10:00 inactivity
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server RADIUS (inside) host 192.168.169.14 myKey timeout 5
> aaa-server LOCAL protocol local
> http server enable
> http WiredSubnet 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-pptp
> auth-prompt prompt My Prompt
> auth-prompt accept My Accept
> auth-prompt reject My Reject
> isakmp nat-traversal 20
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> vpdn group PPTP-VPDN-GROUP accept dialin pptp
> vpdn group PPTP-VPDN-GROUP ppp authentication pap
> vpdn group PPTP-VPDN-GROUP ppp authentication chap
> vpdn group PPTP-VPDN-GROUP ppp authentication mschap
> vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
> vpdn group PPTP-VPDN-GROUP client configuration address local VPNPool
> vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.169.14 192.168.169.15
> vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
> vpdn group PPTP-VPDN-GROUP pptp echo 60
> vpdn username 604Jamie password *********
> vpdn enable outside
> vpdn enable inside
> dhcpd auto_config outside
> dhcprelay server 192.168.169.14 inside
> dhcprelay server 192.168.169.15 inside
> terminal width 80
>
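As an added example (not from either poster), here is a small Python check that reads a PIX 6.3 running-config and a 302015 syslog line of the kind quoted above and states what each one tells you about an IPsec client sitting behind PAT. The sample config and log line are constructed to resemble the thread's, using documentation address ranges; `fixup protocol esp-ike` is the PIX 6.3 command I take Martin's "fixup for ipsec" to refer to, and the note about it handling a single ESP tunnel comes from PIX 6.3 fixup behaviour as I know it, not from the thread.

```python
import re

# Constructed sample: a trimmed PIX 6.3 running-config in the shape of the one
# quoted in the thread (PAT on the outside interface, no esp-ike fixup).
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol pptp 1723
fixup protocol smtp 25
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-pptp
isakmp nat-traversal 20
"""

# Constructed sample syslog line in the 302015 format quoted in the thread
# (documentation addresses, not real hosts).
SAMPLE_LOG = ("Nov 25 2005 21:10:02: %PIX-6-302015: Built outbound UDP connection 56 "
              "for outside:203.0.113.10/500 to inside:192.168.169.50/500 (198.51.100.5/1047)")

FIXUP_RE = re.compile(r"^fixup protocol (\S+)(?:\s+(\S+))?")
CONN_RE = re.compile(
    r"302015: Built (?P<dir>inbound|outbound) UDP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<xlate>[\d.]+)/(?P<xport>\d+)\)")


def parse_config(text):
    """Pull out the settings that decide whether an IPsec client behind the
    PIX can complete a tunnel: fixups, PAT on outside, NAT-T keyword."""
    cfg = {"fixups": {}, "pat_outside": False, "nat_traversal": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = FIXUP_RE.match(line)
        if m:
            cfg["fixups"][m.group(1)] = m.group(2)   # e.g. {"pptp": "1723", "esp-ike": None}
        elif line.startswith("global (outside)") and line.endswith(" interface"):
            cfg["pat_outside"] = True                 # everything inside shares the outside IP
        elif line.startswith("isakmp nat-traversal"):
            cfg["nat_traversal"] = True
    return cfg


def parse_conn_log(line):
    """Parse a 302015 'Built ... UDP connection' message; None if it is not one."""
    m = CONN_RE.search(line)
    return m.groupdict() if m else None


def ipsec_passthrough_findings(cfg, conn):
    """Return (code, explanation) pairs describing why ESP from the remote
    gateway may not make it back to a client behind this PIX."""
    findings = []
    if conn and conn["dir"] == "outbound" and conn["dport"] == "500":
        findings.append(("IKE_OUT",
            "IKE left through PAT (inside %s/%s mapped to %s/%s): phase 1 reaches the "
            "peer, so the failure is after IKE, not before it."
            % (conn["dst"], conn["dport"], conn["xlate"], conn["xport"])))
    if cfg["pat_outside"] and "esp-ike" not in cfg["fixups"]:
        findings.append(("ESP_NO_FIXUP",
            "Outside uses PAT and 'fixup protocol esp-ike' is absent: ESP (IP protocol 50) "
            "has no port numbers, so PAT cannot map returning ESP to the inside host "
            "unless both peers negotiate NAT-T and carry ESP inside UDP/4500."))
    if "esp-ike" in cfg["fixups"]:
        findings.append(("ESP_FIXUP_SINGLE",
            "'fixup protocol esp-ike' is present: it handles one ESP tunnel through PAT, "
            "so a second concurrent IPsec client behind the PIX would still fail."))
    if cfg["nat_traversal"]:
        findings.append(("NATT_LOCAL_ONLY",
            "'isakmp nat-traversal' applies to tunnels terminated on the PIX itself; it "
            "does not make the PIX translate a client's ESP passing through it."))
    return findings


def report(config_text=SAMPLE_CONFIG, log_line=SAMPLE_LOG):
    return ipsec_passthrough_findings(parse_config(config_text), parse_conn_log(log_line))


if __name__ == "__main__":
    for code, why in report():
        print(f"[{code}] {why}")
```

The point the checker makes visible is the one the quoted log line already hints at: the 302015 message proves the PIX built a UDP/500 translation for the client's IKE, so the outbound leg works; what a PAT firewall cannot do by itself is carry the ESP that follows, because ESP has no ports to translate. Re-running the check after adding the esp-ike fixup (or after confirming UDP/4500 connections appear in the log) shows which of the two paths the tunnel is actually using.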