NS25 and Cisco VPN Client on the LAN


Chambers

IS-IT--Management
Jan 19, 2001
Hi guys, I did a search to see if I could find the answer but I didn't see anything. Basically I have the VPN Client installed on my PC and am trying to connect to a 3rd party vendor. I am behind a NS25 device and have added the following policy for testing purposes;

Trust to Untrust
----------------
Source/Destination/Service/Action
MYPCip/ANY/ANY/NoNAT

I run the VPN client and get this error;
157 15:22:34.281 10/06/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 205.141.216.36

158 15:22:39.281 10/06/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=ADFF7B22FD09076B R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

and it doesn't connect.

Can anyone help me out with this? Our support contract is up and the device is out of warranty so they told me I'm pretty much left on my own :( Thanks for all the help!
 
I also found out that I need to open up ports UDP 500, 4500, and 10000

When they say "open" ports, what do they mean? Does it mean adding a new Service and setting it as UDP, then setting the source from 0-6538 (or whatever it is by default) and destination 500, 4500, 10000 respectively?

I never configured a NetScreen and this is all very confusing to me. Looking forward to some help, thank you.
 
Hi guys, I think I'm getting closer to a solution. Basically, let me give a description of my setup;

I have a machine (10.10.0.88) that I needed to use the Cisco VPN Client to go outside our firewall. I have added a Service called CiscoVPNPorts and set it for the three UDP's above, source being the same as the destination port.

Then I created a rule from trust to untrust to allow that machine and that Service through.

Here's where I think it's not working correctly.

I have the following IP's for me 64.x.x.113 through 64.x.x.122

I have mapped the IP 64.x.x.121 to point to 10.10.0.8 and only allow those ports through.

However, when I run tracert to my destination VPN on 10.10.0.88 it looks like it's going out of 64.x.x.113

How can I set it up so that PC always goes out with the IP 64.x.x.121?

Below is my configuration file, maybe someone can help me out. We are going live with this in 1 week and would really appreciate the help. Thanks all!!

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "DefL2TPAuthServer" id 1
set auth-server "DefL2TPAuthServer" account-type l2tp
set auth default auth server "Local"
set clock "timezone" -5
set admin format dos
set admin name "xxxxxxxx"
set admin password xxxxxxxxxxxxxxxxxxxxxx
set admin user "APS" password "xxxxxxxxxxxxxxxxx" privilege "all"
set admin manager-ip 10.10.0.0 255.255.254.0
set admin auth timeout 10
set admin auth server "Local"
set service "Secondary FTP" group "other" tcp src 2121-2121 dst 2121-2121
set service "Secondary FTP" + udp src 2121-2121 dst 2121-2121
set service "FTP - BulletProof" group "other" udp src 5500-5500 dst 5500-5500
set service "FTP - BulletProof" + tcp src 5500-5500 dst 5500-5500
set service "Custom FTP 2121" group "other" tcp src 2121-2121 dst 2121-2121
set service "Custom FTP 2121" + udp src 2121-2121 dst 2121-2121
set service "VNC" group "other" tcp src 0-65535 dst 5900-5900
set service "VNC" + tcp src 0-65535 dst 15900-15900
set service "TELNET" timeout never
set service "Bridge" protocol tcp src-port 14000-14000 dst-port 14000-14000 group "other"
set service "Servicing Download" protocol tcp src-port 0-65535 dst-port 8000-8000 group "other"
set service "SSL Port-444" protocol tcp src-port 0-65000 dst-port 444-444 group "other"
set service "HTTP - 8088" protocol tcp src-port 8088-8088 dst-port 8088-8088 group "other"
set service "HTTP - 81" protocol tcp src-port 81-81 dst-port 81-81 group "other"
set service "Irene_5/3_Bank" protocol tcp src-port 0-65535 dst-port 1996-1996 group "other"
set service "FTP ALL" protocol tcp src-port 21-21 dst-port 21-21 group "other"
set service "Reuters-Out" protocol tcp src-port 0-65535 dst-port 13999-14001 group "other"
set service "Reuters-IN" protocol tcp src-port 14000-14000 dst-port 0-65535 group "other"
set service "Integra Survey" protocol tcp src-port 0-65535 dst-port 8440-8440 group "other"
set service "CTYDearbornHTTP" protocol tcp src-port 0-65535 dst-port 82-82 group "other"
set service "Will County" protocol tcp src-port 0-65535 dst-port 2081-2081 group "other"
set service "MERS-VPN" protocol udp src-port 500-500 dst-port 500-500 group "other"
set service "MERS-VPN2" protocol udp src-port 4500-4500 dst-port 4500-4500 group "other"
set service "MERS-VPN3" protocol udp src-port 10000-10000 dst-port 10000-10000 group "other"
set service "TCPPort10000" protocol tcp src-port 0-65535 dst-port 10000-10000 group "other"
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "MGT" block
set zone "MGT" tcp-rst
set zone Untrust screen udp-flood
set zone Untrust screen winnuke
set zone Untrust screen port-scan
set zone Untrust screen ip-sweep
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ip-spoofing
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone V1-Untrust screen udp-flood
set zone V1-Untrust screen winnuke
set zone V1-Untrust screen port-scan
set zone V1-Untrust screen ip-sweep
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ip-spoofing
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set zone Untrust screen ip-sweep threshold 30000
set zone V1-Untrust screen ip-sweep threshold 30000
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 10.10.0.3/23
set interface ethernet1 nat
set interface ethernet2 ip 192.168.100.1/24
set interface ethernet2 route
set interface ethernet3 ip 64.x.x.120/28
set interface ethernet3 route
set interface ethernet3 gateway 64.x.x.113
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage global-pro
set interface ethernet2 manage ssl
set interface ethernet3 manage ping
set interface ethernet3 manage telnet
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface v1-dmz manage ssl
set interface "ethernet3" mip 64.x.x.116 host 10.10.0.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.119 host 10.10.0.41 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.118 host 10.10.0.14 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.115 host 10.10.0.9 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.125 host 10.10.0.6 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.126 host 10.10.0.16 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.114 host 10.10.0.27 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.123 host 10.10.0.42 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.122 host 10.10.0.44 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.124 host 192.168.100.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 64.x.x.121 host 10.10.0.88 netmask 255.255.255.255 vr "trust-vr"
set domain mydomain.com
set hostname mygateway-GW
set address "Trust" "Birmeric" 10.10.1.139 255.255.255.255 "Erics Desktop Machine"
set address "Trust" "Brittanie INTEGRA" 10.10.1.156 255.255.255.255 "10/3-10/8"
set address "Trust" "Bruce Lees Machine" 10.10.1.133 255.255.255.255 "Enter the Domain"
set address "Trust" "Destinycomm1" 10.10.0.88 255.255.255.255 "Destiny Communication Server 1"
set address "Trust" "Erics Powerbook LAN" 10.10.1.198 255.255.255.255 "Erics Powerbook LAN"
set address "Trust" "Erics Powerbook WLAN" 10.10.0.206 255.255.255.255 "Erics Powerbook WLAN"
set address "Trust" "Exchange_Server" 10.10.0.11 255.255.255.255 "Mail Server"
set address "Trust" "ISA_Server" 10.10.0.14 255.255.255.255 "ISA Server Requests"
set address "Trust" "ISA_Server_2" 10.10.0.15 255.255.255.255
set address "Trust" "MF1" 10.10.0.21 255.255.255.255
set address "Trust" "MF2" 10.10.0.22 255.255.255.255
set address "Trust" "MF3" 10.10.0.20 255.255.255.255
set address "Trust" "MF4" 10.10.0.23 255.255.255.255
set address "Trust" "MF5" 10.10.0.46 255.255.255.255
set address "Trust" "Phils Desktop" 10.10.0.134 255.255.255.255 "Phils Desktop Machine"
set address "Trust" "Shore1 STA for GCS" 10.10.0.10 255.255.255.255
set address "Trust" "Shore2" 10.10.0.8 255.255.255.255
set address "Trust" "Internal_LAN" 10.10.0.0 255.255.254.0 "HQ LAN"
set address "Trust" "SQUID1" 10.10.0.89 255.255.255.255 "100Mb NIC"
set address "Trust" "SQUID2" 10.10.0.90 255.255.255.255 "1Gb NIC"
set address "Trust" "Thoms Desktop" 10.10.0.169 255.255.255.255 "Thoms Desktop"
set address "Trust" "Thoms Laptop WLAN" 10.10.0.248 255.255.255.255 "Thoms Laptop WLAN"
set address "Trust" "Walt PC" 10.10.1.71 255.255.255.255 "This be Walt's YO!"
set address "Trust" "Waltdev" 10.10.0.49 255.255.255.255
set address "Untrust" "Appraisal1" 68.22.7.249 255.255.255.255 "First Appraisal IP"
set address "Untrust" "Appraisal2" 68.22.7.250 255.255.255.255 "Second Appraisal IP"
set address "Untrust" "Appraisal3" 68.22.7.251 255.255.255.255 "Third Appraisal IP"
set address "Untrust" "Appraisal4" 68.22.7.252 255.255.255.255 "Fourth Appraisal IP"
set address "Untrust" "Appraisal5" 68.22.7.253 255.255.255.255 "Fifth Appraisal IP"
set address "Untrust" "Appraisal6" 68.22.7.254 255.255.255.255 "Sixth Appraisal IP"
set address "Untrust" "Appraisal7" 68.248.33.191 255.255.255.255 "Appraisal Gateway"
set address "Untrust" "Appraisal8" 64.68.82.169 255.255.255.255
set address "Untrust" "HotBar" 65.121.237.200 255.255.255.255 "HotBar Spyware"
set address "Untrust" "McDonald1" 209.49.254.224 255.255.255.240 "1st VPN Endpoint/NAT address"
set address "Untrust" "McDonald2" 68.255.234.128 255.255.255.192 " 2nd VPN EndPoint/NAT address"
set address "DMZ" "Secure Gateway Server" 192.168.100.11 255.255.255.255 "Secure Gateway Server"
set firewall log-self
set snmp name "MyGateway-GW"
set group address "Trust" "Domain Controllers"
set group address "Trust" "Domain Controllers" add "Shore1 STA for GCS"
set group address "Trust" "Domain Controllers" add "Shore2"
set group address "Trust" "ISA_Server_NICS" comment " "
set group address "Trust" "ISA_Server_NICS" add "ISA_Server"
set group address "Trust" "ISA_Server_NICS" add "ISA_Server_2"
set group address "Trust" "IT Department" comment " "
set group address "Trust" "IT Department" add "Birmeric"
set group address "Trust" "IT Department" add "Brittanie INTEGRA"
set group address "Trust" "IT Department" add "Bruce Lees Machine"
set group address "Trust" "IT Department" add "Erics Powerbook LAN"
set group address "Trust" "IT Department" add "Erics Powerbook WLAN"
set group address "Trust" "IT Department" add "Phils Desktop"
set group address "Trust" "IT Department" add "SQUID1"
set group address "Trust" "IT Department" add "Thoms Desktop"
set group address "Trust" "IT Department" add "Thoms Laptop WLAN"
set group address "Trust" "IT Department" add "Walt PC"
set group address "Trust" "IT Department" add "Waltdev"
set group address "Trust" "Metaframe Servers" comment "Metaframe Server Group"
set group address "Trust" "Metaframe Servers" add "MF1"
set group address "Trust" "Metaframe Servers" add "MF2"
set group address "Trust" "Metaframe Servers" add "MF3"
set group address "Trust" "Metaframe Servers" add "MF4"
set group address "Trust" "Metaframe Servers" add "MF5"
set group address "Trust" "Metaframe Servers" add "Shore1 STA for GCS"
set group address "Untrust" "Appraisal IP Group" comment "Appraisal IP Group"
set group address "Untrust" "Appraisal IP Group" add "Appraisal1"
set group address "Untrust" "Appraisal IP Group" add "Appraisal2"
set group address "Untrust" "Appraisal IP Group" add "Appraisal3"
set group address "Untrust" "Appraisal IP Group" add "Appraisal4"
set group address "Untrust" "Appraisal IP Group" add "Appraisal5"
set group address "Untrust" "Appraisal IP Group" add "Appraisal6"
set group address "Untrust" "Appraisal IP Group" add "Appraisal7"
set group address "Untrust" "Appraisal IP Group" add "Appraisal8"
set group service "Intranet_WEB" comment " "
set group service "Intranet_WEB" add "HTTP"
set group service "Intranet_WEB" add "HTTPS"
set group service "Intranet_WEB" add "PING"
set group service "Intranet_WEB" add "Bridge"
set group service "Intranet_WEB" add "Servicing Download"
set group service "Intranet_WEB" add "MAIL"
set group service "Inbound_Mail" comment " "
set group service "Inbound_Mail" add "HTTP"
set group service "Inbound_Mail" add "MAIL"
set group service "Inbound_Mail" add "PING"
set group service "Inbound_Mail" add "POP3"
set group service "Inbound_Mail" add "HTTPS"
set group service "VPN to McD" comment " "
set group service "VPN to McD" add "TELNET"
set group service "VPN to McD" add "PING"
set group service "VPN to McD" add "MAIL"
set group service "VPN to McD" add "Servicing Download"
set group service "PCAny" comment " "
set group service "PCAny" add "PING"
set group service "PCAny" add "PC-Anywhere"
set group service "WEB2" comment "Webserver 2"
set group service "WEB2" add "HTTP"
set group service "WEB2" add "HTTPS"
set group service "WEB2" add "SSL Port-444"
set group service "WEB2" add "HTTP - 8088"
set group service "WEB2" add "HTTP - 81"
set group service "WEB2" add "FTP"
set group service "WEB2" add "FTP-Get"
set group service "WEB2" add "FTP-Put"
set group service "Appraisers" comment " "
set group service "Appraisers" add "POP3"
set group service "Appraisers" add "HTTP"
set group service "Appraisers" add "MAIL"
set group service "Appraisers" add "HTTPS"
set group service "Appraisers" add "DNS"
set group service "Internet" comment "All Internet Traffic"
set group service "Internet" add "BGP"
set group service "Internet" add "DHCP-Relay"
set group service "Internet" add "DNS"
set group service "Internet" add "FINGER"
set group service "Internet" add "FTP"
set group service "Internet" add "FTP-Get"
set group service "Internet" add "FTP-Put"
set group service "Internet" add "GOPHER"
set group service "Internet" add "H.323"
set group service "Internet" add "HTTP"
set group service "Internet" add "HTTPS"
set group service "Internet" add "IRC"
set group service "Internet" add "NetMeeting"
set group service "Internet" add "PING"
set group service "Internet" add "Real Media"
set group service "Internet" add "FTP - BulletProof"
set group service "Internet" add "Secondary FTP"
set group service "Internet" add "Irene_5/3_Bank"
set group service "Internet" add "Reuters-Out"
set group service "Internet" add "Servicing Download"
set group service "Internet" add "Integra Survey"
set group service "Internet" add "CTYDearbornHTTP"
set group service "Internet" add "Will County"
set group service "Internet" add "VNC"
set group service "Internet" add "MERS-VPN"
set group service "Internet" add "PPTP"
set group service "Internet" add "MERS-VPN2"
set group service "Internet" add "MERS-VPN3"
set group service "Everything But Internet 1" comment " "
set group service "Everything But Internet 1" add "BGP"
set group service "Everything But Internet 1" add "DHCP-Relay"
set group service "Everything But Internet 1" add "DNS"
set group service "Everything But Internet 1" add "FINGER"
set group service "Everything But Internet 1" add "GOPHER"
set group service "Everything But Internet 1" add "ICMP-INFO"
set group service "Everything But Internet 1" add "ICMP-TIMESTAMP"
set group service "Everything But Internet 1" add "IKE"
set group service "Everything But Internet 1" add "IMAP"
set group service "Everything But Internet 1" add "Internet Locator Service"
set group service "Everything But Internet 1" add "L2TP"
set group service "Everything But Internet 1" add "MAIL"
set group service "Everything But Internet 1" add "NetMeeting"
set group service "Everything But Internet 1" add "LDAP"
set group service "Everything But Internet 1" add "NFS"
set group service "Everything But Internet 1" add "NNTP"
set group service "Everything But Internet 1" add "NS Global"
set group service "Everything But Internet 1" add "NS Global PRO"
set group service "Everything But Internet 1" add "NTP"
set group service "Everything But Internet 1" add "OSPF"
set group service "Everything But Internet 1" add "PC-Anywhere"
set group service "Everything But Internet 1" add "PING"
set group service "Everything But Internet 1" add "POP3"
set group service "Everything But Internet 1" add "PPTP"
set group service "Everything But Internet 1" add "RIP"
set group service "Everything But Internet 1" add "RLOGIN"
set group service "Everything But Internet 1" add "SNMP"
set group service "Everything But Internet 1" add "SSH"
set group service "Everything But Internet 1" add "SYSLOG"
set group service "Everything But Internet 1" add "AOL"
set group service "Everything But Internet 2" comment " "
set group service "Everything But Internet 2" add "TALK"
set group service "Everything But Internet 2" add "TCP-ANY"
set group service "Everything But Internet 2" add "TELNET"
set group service "Everything But Internet 2" add "TFTP"
set group service "Everything But Internet 2" add "TRACEROUTE"
set group service "Everything But Internet 2" add "UDP-ANY"
set group service "Everything But Internet 2" add "UUCP"
set group service "Everything But Internet 2" add "VDO Live"
set group service "Everything But Internet 2" add "WAIS"
set group service "Everything But Internet 2" add "WINFRAME"
set group service "Everything But Internet 2" add "X-WINDOWS"
set group service "Everything But Internet 2" add "Bridge"
set group service "Everything But Internet 2" add "Servicing Download"
set group service "Everything But Internet 2" add "FTP ALL"
set group service "Inbound_Mail_CT" comment " "
set group service "Inbound_Mail_CT" add "HTTP"
set group service "Inbound_Mail_CT" add "HTTPS"
set group service "Inbound_Mail_CT" add "PING"
set group service "Inbound_Mail_CT" add "MAIL"
set group service "Inbound_Mail_CT" add "POP3"
set group service "WEB3" comment "Webserver 3 - Misc Web Services"
set group service "WEB3" add "HTTP"
set group service "WEB3" add "HTTPS"
set group service "WEB3" add "PING"
set group service "WEB3" add "FTP ALL"
set group service "CSG Server" comment "Metaframe Secure Server"
set group service "CSG Server" add "HTTP"
set group service "CSG Server" add "HTTPS"
set group service "CSG Server" add "PING"
set group service "CSG Server" add "WINFRAME"
set group service "CSG Server" add "DNS"
set group service "CSG Server" add "ICMP-INFO"
set group service "CSG Server" add "ICMP-TIMESTAMP"
set group service "AIM Access"
set group service "AIM Access" add "DNS"
set group service "AIM Access" add "PING"
set group service "MERS"
set group service "MERS" add "MERS-VPN"
set group service "MERS" add "MERS-VPN2"
set group service "MERS" add "MERS-VPN3"
set ike p1-proposal "McDonald2" Preshare Group2 esp 3DES SHA-1 second 3600
set ike p1-proposal "McDonald1" Preshare Group2 esp 3DES SHA-1 second 3600
set ike p2-proposal "Mcdonald2" no-pfs ESP 3DES SHA-1 second 700
set ike p2-proposal "McDonald1" no-pfs ESP 3DES SHA-1 second 700
set ike gateway "McDonald2" ip 68.255.234.130 Main outgoing-interface "ethernet3" preshare "w731QmAB" proposal "McDonald2"
set ike gateway "McDonald1" ip 209.49.254.226 Main outgoing-interface "ethernet3" preshare "w731QmAB" proposal "McDonald1"
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "McDonald2.1" id 20499 gateway "McDonald2" no-replay tunnel idletime 0 proposal "Mcdonald2"
set vpn "McDonald2.1" monitor
set vpn "McDonald1" id 20500 gateway "McDonald1" no-replay tunnel idletime 0 proposal "McDonald1"
set vpn "McDonald1" monitor
set ike id-mode subnet
set xauth lifetime 480
set xauth default auth server Local
set vpn-group id 2 vpn "McDonald2.1" weight 9
set vpn-group id 1 vpn "McDonald1" weight 10
set l2tp default dns1 10.10.0.10
set l2tp default dns2 10.10.0.10
set l2tp default ppp-auth chap
set policy id 18 name "McDonald1" from "Trust" to "Untrust" "Any" "McDonald1" "VPN to McD" nat dip-id 2 Tunnel vpn-group 1 traffic gbw 256 priority 0 mbw 256
set policy id 16 name "McD_VPN2" from "Trust" to "Untrust" "Any" "McDonald2" "VPN to McD" nat dip-id 2 Tunnel vpn-group 2 traffic gbw 256 priority 0 mbw 256
set policy id 66 from "Trust" to "Untrust" "Destinycomm1" "MIP(64.108.190.121)" "ANY" nat dip-id 2 Permit log
set policy id 64 name "DC DNS Requests" from "Trust" to "Untrust" "Domain Controllers" "Any" "DNS" Permit
set policy id 19 name "McDonald1" from "Untrust" to "Trust" "McDonald1" "Any" "VPN to McD" Tunnel vpn-group 1 traffic gbw 256 priority 0 mbw 256
set policy id 17 name "McD_VPN2" from "Untrust" to "Trust" "McDonald2" "Any" "VPN to McD" Tunnel vpn-group 2 traffic gbw 256 priority 0 mbw 256
set policy id 6 name "Mail" from "Untrust" to "Trust" "Any" "MIP(64.108.190.116)" "Inbound_Mail" Permit log
set policy id 27 name "HTTP Requests" from "Trust" to "Untrust" "ISA_Server_NICS" "Any" "Internet" Permit log
set policy id 62 name "Mail Server" from "Trust" to "Untrust" "Exchange_Server" "Any" "Inbound_Mail" Permit
set policy id 49 name "IT Department Outbound" from "Trust" to "Untrust" "IT Department" "Any" "ANY" nat dip-id 2 Permit log
set policy id 33 from "Trust" to "Untrust" "Shore_LAN" "Any" "Internet" Permit log
set policy id 31 name "Citrix Test" from "Untrust" to "Trust" "Any" "MIP(64.x.x.118)" "Internet" nat dip-id 2 Permit log
set policy id 26 name "WEB 2" from "Untrust" to "Trust" "Any" "MIP(64.x.x.125)" "WEB2" nat dip-id 2 Permit log count
set policy id 44 name "WEB3" from "Untrust" to "Trust" "Any" "MIP(64.x.x.126)" "ANY" Permit log count traffic gbw 0 priority 0
set policy id 46 name "UWM" from "Untrust" to "Trust" "Any" "MIP(64.x.x.115)" "Internet" nat dip-id 2 Permit log count
set policy id 47 name "Company Website" from "Untrust" to "Trust" "Any" "MIP(64.x.x.119)" "Intranet_WEB" nat dip-id 2 Permit log count
set policy id 48 name "Web" from "Untrust" to "Trust" "Any" "MIP(64.x.x.114)" "Internet" nat dip-id 2 Permit log count
set policy id 37 name "Tax" from "Untrust" to "Trust" "Any" "MIP(64.x.x.123)" "WEB2" Permit
set policy id 42 name "eSource" from "Untrust" to "Trust" "Any" "MIP(64.x.x.122)" "Internet" Permit
set policy id 53 name "Test" from "Trust" to "DMZ" "Metaframe Servers" "Secure Gateway Server" "ANY" nat dip-id 2 fix-port Permit log
set policy id 52 name "CSG DMZ Srv to Metaframe Srvs" from "DMZ" to "Trust" "Secure Gateway Server" "Metaframe Servers" "ANY" nat dip-id 2 Permit
set policy id 58 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat dip-id 2 Permit
set policy id 59 from "Untrust" to "DMZ" "Any" "MIP(64.x.x.124)" "CSG Server" Permit log
set policy id 65 from "Untrust" to "Trust" "Any" "MIP(64.x.x.121)" "ANY" Permit log
set policy id 65 disable
set global-pro policy-manager primary outgoing-interface ethernet3
set global-pro policy-manager secondary outgoing-interface ethernet3
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.10.0.10
set dns host dns2 10.10.0.8
set dns host schedule 12:00
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.10.10.62/32 interface ethernet1 gateway 10.10.0.1
exit
 
Got it working finally guys. Turns out, get this, the username the company gave me to connect with was wrong... grrr. Anyway, below are the changes I had to make in case anyone else needs to do this;

set service "MERSVPN" group "other" 51 src 0-65535 dst 0-65535
set service "MERSVPN" + 50 src 0-65535 dst 0-65535
set service "MERSVPN" + udp src 0-65535 dst 4500-4500
set service "MERSVPN" + udp src 0-65535 dst 500-500
set service "MERSVPN" + udp src 0-65535 dst 10000-10000
set service "MERSVPN" + udp src 0-65535 dst 62515-62515
set service "MERSVPN" + tcp src 0-65535 dst 10000-10000

set policy id 66 from "Trust" to "Untrust" "SourceServer" "Any" "MERSVPN" nat dip-id 2 fix-port Permit log

set policy id 65 from "Untrust" to "Trust" "Any" "MIP(64.x.x.121)" "MERSVPN" Permit log

And it's connecting fine, hope someone else can benefit from this
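Added example (not code from the thread or from ScreenOS): a small parser for the two `set service` syntaxes used above, run over the thread's original MERS-VPN* entries and the final MERSVPN entry, so a reader can verify per flow what each definition actually covers. The sample flows are constructed; the service lines are the ones quoted in the thread.

```python
"""Check which IPsec-related flows a ScreenOS 'set service' definition covers."""
import re
from dataclasses import dataclass

# Protocol keywords as used in ScreenOS; numeric tokens are raw IP protocol
# numbers (50 = ESP, 51 = AH), which carry no port numbers at all.
PROTO_KEYWORDS = {"tcp": 6, "udp": 17}
PORTLESS = {50, 51}

@dataclass(frozen=True)
class ServiceEntry:
    proto: int
    src: tuple   # (low, high) source-port range
    dst: tuple   # (low, high) destination-port range

    def matches(self, proto, sport, dport):
        if proto != self.proto:
            return False
        if proto in PORTLESS:          # ESP/AH: protocol match is sufficient
            return True
        return (self.src[0] <= sport <= self.src[1]
                and self.dst[0] <= dport <= self.dst[1])

# Accepts 'group "x" <proto> src A-B dst C-D', '+ <proto> src ... dst ...' and
# 'protocol <proto> src-port A-B dst-port C-D group "x"'.
LINE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)"\s+'
    r'(?:group "[^"]+"\s+|\+\s+|protocol\s+)?'
    r'(?P<proto>\w+)\s+src(?:-port)?\s+(?P<s1>\d+)-(?P<s2>\d+)'
    r'\s+dst(?:-port)?\s+(?P<d1>\d+)-(?P<d2>\d+)'
)

def parse_services(config_text):
    """Return {service_name: [ServiceEntry, ...]} for every 'set service' line."""
    services = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # e.g. 'set service "TELNET" timeout never' has no ports
        tok = m.group("proto").lower()
        proto = int(tok) if tok.isdigit() else PROTO_KEYWORDS[tok]
        entry = ServiceEntry(proto,
                             (int(m.group("s1")), int(m.group("s2"))),
                             (int(m.group("d1")), int(m.group("d2"))))
        services.setdefault(m.group("name"), []).append(entry)
    return services

def covered(services, names, proto, sport=0, dport=0):
    """True if any entry of any service in `names` matches the flow."""
    return any(e.matches(proto, sport, dport)
               for n in names for e in services.get(n, []))

# Service lines quoted from the thread: original entries, then the final one.
CONFIG = """
set service "MERS-VPN" protocol udp src-port 500-500 dst-port 500-500 group "other"
set service "MERS-VPN2" protocol udp src-port 4500-4500 dst-port 4500-4500 group "other"
set service "MERS-VPN3" protocol udp src-port 10000-10000 dst-port 10000-10000 group "other"
set service "MERSVPN" group "other" 51 src 0-65535 dst 0-65535
set service "MERSVPN" + 50 src 0-65535 dst 0-65535
set service "MERSVPN" + udp src 0-65535 dst 4500-4500
set service "MERSVPN" + udp src 0-65535 dst 500-500
set service "MERSVPN" + udp src 0-65535 dst 10000-10000
set service "MERSVPN" + udp src 0-65535 dst 62515-62515
set service "MERSVPN" + tcp src 0-65535 dst 10000-10000
"""
ORIGINAL = ["MERS-VPN", "MERS-VPN2", "MERS-VPN3"]
FINAL = ["MERSVPN"]

# Constructed sample flows: (label, ip_proto, sport, dport).
FLOWS = [
    ("IKE, client sourced from UDP 500",        17, 500,   500),
    ("IKE, client sourced from ephemeral port", 17, 51234, 500),
    ("NAT-T from ephemeral port",               17, 51234, 4500),
    ("ESP (IP protocol 50)",                    50, 0,     0),
    ("IPsec over TCP 10000",                     6, 51234, 10000),
]

def compare(config_text=CONFIG, flows=FLOWS):
    """Return {label: (original_covers, final_covers)} for each sample flow."""
    svc = parse_services(config_text)
    return {label: (covered(svc, ORIGINAL, p, s, d), covered(svc, FINAL, p, s, d))
            for label, p, s, d in flows}
```

Running `compare()` shows the original entries only match traffic sourced from the same port they target and have no ESP/AH entry at all, while the final MERSVPN definition covers every sample flow.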

 