Firewall Wizards mailing list archives

(no subject)


From: "Spearman, William CONT (FISC YOKO)" <William_W_Spearman () yoko fisc navy mil>
Date: Fri, 8 Jul 2005 08:15:04 +0900

Wizards,

Sorry about the last post. Here it is (I hope) in plain text: (Thanks again Paul!)

I have a laptop running the subject VPN Client
I have a PIX 515E running in stateful failover mode with a VAC 
I attempted to replace the VAC with a VAC+, and not having a brain in my head on a late Saturday night, I just pulled 
open the PIX and switched the cards. The remote access users then began to call. I've been working on this problem for 
a week and am at my wits' end. I do keep good notes, and so reconfigured the VPN with exactly the same command set I had 
used originally with no success. 

Here is a copy of the (sanitized) relevant portions of the PIX configuration: 
ip address outside 12.34.56.78 255.255.255.X 
ip address inside 34.45.56.67 255.255.255.X 

#Note: The IP networks for access-list "split" and access-list "nonat_inside" are the same 

access-list split permit ip 192.168.XX.0 255.255.255.0 192.168.X1.0 255.255.255.0 
access-list nonat_inside permit ip 192.168.XX.0 255.255.255.0 192.168.X1.0 255.255.255.0 

Note: Local pool "vpnpool1" includes addresses from the same subnet as configured in the access-lists above 
ip local pool vpnpool1 192.168.X1.X-192.168.X1.X 

nat (inside) 0 access-list nonat_inside 

route outside 0.0.0.0 0.0.0.0 12.34.56.79 1 

Many routing statements ....... 
route inside 192.168.X1.X 255.255.X.X 34.45.56.68 1 
More Routing Statements ......... 

sysopt connection permit-ipsec 

crypto ipsec transform-set standard esp-3des esp-md5-hmac 
crypto dynamic-map clientvpn 10 set transform-set standard 
crypto map map1 10 ipsec-isakmp dynamic clientvpn 
crypto map map1 client authentication LOCAL 
crypto map map1 interface outside 
isakmp enable outside 
isakmp identity address 
isakmp nat-traversal 20 
isakmp policy 10 authentication pre-share 
isakmp policy 10 encryption 3des 
isakmp policy 10 hash md5 
isakmp policy 10 group 2 
isakmp policy 10 lifetime 5000 
vpngroup GroupName address-pool vpnpool1 
vpngroup GroupName dns-server domain-controller 
vpngroup GroupName wins-server domain-controller 
vpngroup GroupName default-domain domain.name 
vpngroup GroupName split-tunnel split 
vpngroup GroupName idle-time 1800 
vpngroup GroupName password ******** 

username someuser password somepassword encrypted privilege 2 

I get good ISAKMP packet trades, good DPD packets, actually a good connection to the VPN from the remote (as seen in 
the debug crypto ipsec and isakmp output on the PIX). All indications from the client log are that everything is 
copasetic. Then I look at the syslog output and see: 

%PIX-6-302013: Built inbound TCP connection 3062304 for outside:192.168.X1.X/2728 (192.168.X1.X/2728) to 
inside:192.168.X2.X/22 (192.168.X2.X/22)

Jul  8 08:08:57 172.16.1.1 Jul 08 2005 08:08:57 boukap : %PIX-3-106011: Deny inbound (No xlate) tcp src 
outside:192.168.X2.X/22 dst outside:192.168.X1.X/2728

The first packet is the SYN, the second says "no xlate tcp src outside dst outside"??? The first ip is the internal 
address and the second is the VPN Client address. It looks like the VPN is initialized, but the packets from the client 
are being sent OUTSIDE the pipe! AAAHHHHH! What am I missing here? Thoughts, suggestions, more info required? 

Arigato Gozaimasu
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
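As an added example (not part of the original post and not a Cisco tool), here is a small Python correlator for the two syslog messages quoted above: it pairs each "Built inbound TCP connection" with a later "Deny inbound (No xlate)" for the reversed address/port pair on the same interface, which is exactly the symptom the poster sees. The message formats are taken from the post; the addresses, connection ids and host name in the sample lines are constructed.

```python
import re

# Constructed sample log modelled on the two messages quoted in the post.
# The original was sanitized with X's, so these addresses are made up:
# 192.168.11.5 plays the VPN client, 192.168.12.9 the inside SSH server.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 3062304 for outside:192.168.11.5/2728 (192.168.11.5/2728) to inside:192.168.12.9/22 (192.168.12.9/22)
Jul  8 08:08:57 172.16.1.1 Jul 08 2005 08:08:57 pixhost : %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.168.12.9/22 dst outside:192.168.11.5/2728
%PIX-6-302013: Built inbound TCP connection 3062305 for outside:203.0.113.7/40000 (203.0.113.7/40000) to inside:192.168.12.10/443 (192.168.12.10/443)
"""

# Field layout of the two PIX messages as they appear in the post.
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built inbound TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
NOXLATE_RE = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) (?P<proto>\w+) src "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) dst "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def find_broken_return_paths(log_text):
    """Return (conn_id, client, server) for every built inbound connection
    whose reply (server -> client) was later dropped with 'No xlate' on the
    interface the connection came in on.  That is the pattern in the post:
    the client's SYN arrives through the tunnel, but the inside host's reply
    is not matched back to it and is denied on 'outside'.  Such a hit points
    the admin at the return path (NAT exemption and routing for the client
    pool) rather than at IKE/IPsec, which the post shows negotiating fine."""
    built = {}  # (server, sport, client, cport) -> (conn_id, ingress interface)
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[(m["dst"], m["dport"], m["src"], m["sport"])] = (int(m["id"]), m["src_if"])
            continue
        m = NOXLATE_RE.search(line)
        if m:
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            # Reply dropped on the same interface the original SYN entered on.
            if key in built and m["src_if"] == m["dst_if"] == built[key][1]:
                findings.append((built[key][0], f"{m['dst']}/{m['dport']}", f"{m['src']}/{m['sport']}"))
    return findings

if __name__ == "__main__":
    for conn_id, client, server in find_broken_return_paths(SAMPLE_LOG):
        print(f"conn {conn_id}: reply {server} -> {client} denied (No xlate) on ingress interface")
```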