
Configuring VPN Client Remote Access

Status
Not open for further replies.

olson5000

MIS
Jun 5, 2002
14
US
Using Dynamic Crypto Maps
As far as this access list goes I am a little confused. The source and destination ip addresses, what are they doing, where are they going, and what interface are they bound to? Is there a need of an ip local pool of some sort? This is the config that I am currently trying to get up and running. If I am missing anything or it is FUBAR, please let me know and try to point me in the right direction. Thanks.


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash sha
isakmp policy 10 lifetime 86400
isakmp identity pixfirewall
hostname pixfirewall
domain-name pixfirewall.com
isakmp key 1234567890 address pcl148.trans-system.com
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set myset1 esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 ipsec-isakmp
crypto dynamic-map dyn1 10 match address 101
crypto dynamic-map dyn1 10 set transform-set myset1
crypto dynamic-map dyn1 10 set pfs group1
crypto map mymap 200 ipsec-isakmp dynamic dyn1
 
Hi.

In the access-list bound to crypto, the source should be your internal network, and the destination should be the range of addresses used by VPN clients.
The same or similar access-list should also be bound to a "nat 0" statement in most cases.

The VPN traffic is considered coming from the outside interface (as it really is), so you must "sysopt connection permit-ipsec" or add specific access-list entries to permit VPN traffic.

Try using pixscript from here:
to generate a sample configuration, then compare it to yours and manually fix as needed.

Bye
Yizhar Hurwitz
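
An added example, not part of the reply above and not pixscript output: a small Python check that reads a PIX configuration and reports which of the reply's three points are missing (a defined crypto access-list, a "nat 0" bound to it, and "sysopt connection permit-ipsec"). It assumes the network/mask access-list form and that "nat 0" reuses the same access-list name; the function name and sample are constructed for illustration.

```python
import re

# Constructed sample: crypto-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto dynamic-map dyn1 10 ipsec-isakmp
crypto dynamic-map dyn1 10 match address 101
crypto dynamic-map dyn1 10 set transform-set myset1
crypto map mymap 200 ipsec-isakmp dynamic dyn1
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$")
MATCH_RE = re.compile(r"crypto (?:dynamic-)?map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")


def audit_pix_vpn(config):
    """Return missing items plus the crypto ACL entries for manual review."""
    acls, crypto_acls, nat0_acls = {}, set(), set()
    permit_ipsec = False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(1))
        elif line == "sysopt connection permit-ipsec":
            permit_ipsec = True

    missing, entries = [], []
    for name in sorted(crypto_acls):
        if name not in acls:
            missing.append(f"crypto access-list {name} is referenced but not defined")
        if name not in nat0_acls:
            missing.append(f"no 'nat 0' statement is bound to access-list {name}")
        # Source should be the internal network, destination the VPN client range.
        entries += [(name, src, dst) for src, dst in acls.get(name, [])]
    if not permit_ipsec:
        missing.append("'sysopt connection permit-ipsec' is absent; VPN traffic "
                       "needs explicit access-list entries on the outside interface")
    return {"missing": missing, "entries": entries}


if __name__ == "__main__":
    report = audit_pix_vpn(SAMPLE_CONFIG)
    for name, src, dst in report["entries"]:
        print(f"access-list {name}: source {src} -> destination {dst}")
    for item in report["missing"]:
        print("MISSING:", item)
```
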
 
Your pixscript worked great!! Thanks! The vpn is up and running!!!
 