Hi all,
After more than a week of searching the web, I'm almost giving up hope of finding a solution for my problem.
I have 2 pix 501, a vpn connection working between them, and a cisco vpn client working. But I can't make a remote desktop connection to any external IP.
When I enable isakmp debugging on the pix, I get the following output:
crypto_isakmp_process_block:src:xxx.xxx.x.xxx, dest:yyy.yyy.yy.yy spt:2475 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 64
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 64
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 64
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 64
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): deleting SA: src xxx.xxx.x.xxx, dst yyy.yyy.yy.yy
ISADB: reaper checking SA 0xb4e5e4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for xxx.xxx.x.xxx/2475 not found - peers:1
ISADB: reaper checking SA 0xb4ed6c, conn_id = 0
Here's the configuration of my pix:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list no_nat permit ip 192.168.10.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list no_nat permit ip 192.168.10.0 255.255.254.0 172.20.100.0 255.255.255.0
access-list VPNSCHERP permit ip 192.168.10.0 255.255.254.0 172.16.1.0 255.255.255.0
access-list inside_access_out remark Toegang naar buiten voor LAN
access-list inside_access_out remark DNS
access-list inside_access_out permit tcp any any eq domain
access-list inside_access_out permit udp any any eq domain
access-list inside_access_out remark WWW
access-list inside_access_out permit tcp 192.168.10.0 255.255.254.0 any eq www
access-list inside_access_out remark HTTPS
access-list inside_access_out permit tcp 192.168.10.0 255.255.254.0 any eq https
access-list inside_access_out permit tcp 192.168.10.0 255.255.254.0 any eq 8443
access-list inside_access_out remark SMTP
access-list inside_access_out permit tcp any any eq smtp
access-list inside_access_out remark POP3
access-list inside_access_out permit tcp host 192.168.10.200 any eq pop3
access-list inside_access_out permit tcp host 192.168.10.201 any eq pop3
access-list inside_access_out permit tcp host 192.168.10.202 any eq pop3
access-list inside_access_out permit tcp host 192.168.10.203 any eq pop3
access-list inside_access_out remark EDITELNET
access-list inside_access_out permit tcp host 192.168.11.40 host xxx.xxx.xx.xxx eq 102
access-list inside_access_out remark TELNET
access-list inside_access_out permit tcp host 192.168.10.200 any eq telnet
access-list inside_access_out permit tcp host 192.168.10.201 any eq telnet
access-list inside_access_out permit tcp host 192.168.10.202 any eq telnet
access-list inside_access_out permit tcp host 192.168.10.203 any eq telnet
access-list inside_access_out remark INLEZEN BONNEN
access-list inside_access_out permit tcp any host xxx.xxx.xxx.xx eq 50000
access-list inside_access_out remark RDP
access-list inside_access_out permit tcp 192.168.10.0 255.255.254.0 any eq 3389
access-list inside_access_out remark ELSTER FORMULAR
access-list inside_access_out permit tcp any any eq 8000
access-list inside_access_out remark FTP
access-list inside_access_out permit tcp host 192.168.10.200 any eq ftp-data
access-list inside_access_out permit tcp host 192.168.10.201 any eq ftp-data
access-list inside_access_out permit tcp host 192.168.10.202 any eq ftp-data
access-list inside_access_out permit tcp host 192.168.10.203 any eq ftp-data
access-list inside_access_out permit tcp host 192.168.10.200 any eq ftp
access-list inside_access_out permit tcp host 192.168.10.201 any eq ftp
access-list inside_access_out permit tcp host 192.168.10.202 any eq ftp
access-list inside_access_out permit tcp host 192.168.10.203 any eq ftp
access-list inside_access_out remark PRINT HECO
access-list inside_access_out permit tcp any host 172.16.1.50 eq 9100
access-list inside_access_out permit tcp any host 172.16.1.51 eq 9100
access-list inside_access_out permit icmp any any
access-list inside_access_out deny ip any any
access-list outside_access_in remark Toegang van buiten naar LAN
access-list outside_access_in remark DNS
access-list outside_access_in permit tcp any interface outside eq domain
access-list outside_access_in permit udp any interface outside eq domain
access-list outside_access_in remark SMTP
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in remark RDP NAAR TERMINAL
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in remark EDITELNET
access-list outside_access_in permit tcp host xxx.xxx.xxx.xx host 192.168.11.40 eq 102
access-list outside_access_in remark PCANYWHERE NAAR KOELPC
access-list outside_access_in permit tcp host xxx.xxx.xxx.xx interface outside eq pcanywhere-data
access-list outside_access_in permit udp host xxx.xxx.xxx.xx interface outside eq pcanywhere-status
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
pager lines 24
logging timestamp
logging standby
logging trap debugging
logging facility 19
logging host inside 192.168.11.190
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.15.15 255.255.255.0
ip address inside 192.168.11.9 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Client 172.20.100.20-172.20.100.60
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.10.0 255.255.254.0 0 0
static (inside,outside) tcp interface smtp 192.168.11.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 102 192.168.11.40 102 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.11.42 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.11.42 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.11.2 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.11.2 255.255.255.255 inside
http 192.168.11.11 255.255.255.255 inside
http 192.168.11.21 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address VPNSCHERP
crypto map vpnmap 10 set peer yy.yy.yyy.yy
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 100 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address yy.yy.yyy.yy netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup SCHERP address-pool VPN_Client
vpngroup SCHERP dns-server 192.168.11.4
vpngroup SCHERP default-domain
vpngroup SCHERP idle-time 1800
vpngroup SCHERP password ********
telnet 192.168.10.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:9cf82b711b20eec5c81ee3b7d68e2726
What is going wrong?
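The debug output and the isakmp policy lines in the post can be compared mechanically instead of by eye. The Python script below is an added example, not code from the post or from Cisco: it parses each "Checking ISAKMP transform N against priority P policy" block, decodes the four-octet life duration, and lists for every proposal which of encryption, hash, group and authentication differ from the configured policy, together with the attributes the PIX reported as unknown. Two assumptions are built in: an "extended auth pre-share" proposal is treated as matching "authentication pre-share", and lifetime is not counted as a mismatch because Cisco IKE negotiates the shorter of the two values. The sample input is a constructed excerpt of the post's own debug output and policy configuration.

```python
import re

# Constructed sample: an excerpt of the "debug crypto isakmp" output and the
# "isakmp policy" lines quoted in the post (not a live capture).
DEBUG_EXCERPT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 381
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

POLICY_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
CORE = ("encryption", "hash", "group", "authentication")


def parse_policies(config_text):
    """Return {priority: {attribute: value}} from 'isakmp policy' config lines."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value.lower()
    return policies


def parse_transforms(debug_text):
    """Return one dict per 'Checking ... transform' block of the debug output."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "unknown": [], "xauth": False}
            transforms.append(cur)
            continue
        if cur is None or not line.startswith("ISAKMP: "):
            continue
        body = line[len("ISAKMP: "):]
        if body.startswith("encryption "):
            cur["encryption"] = body.split()[1].lower().replace("-cbc", "")
        elif body.startswith("hash "):
            cur["hash"] = body.split()[1].lower()
        elif body.startswith("default group "):
            cur["group"] = body.split()[2]
        elif body.startswith("extended auth "):
            # Assumption: an XAUTH proposal is matched on its base method.
            cur["authentication"] = body.split()[2]
            cur["xauth"] = True
        elif body.startswith("life duration (VPI) of "):
            # Four hex octets, big-endian: 0x0 0x0 0x70 0x80 -> 28800 seconds
            octets = body.split(" of ")[1].split()
            cur["lifetime"] = int.from_bytes(bytes(int(o, 16) for o in octets), "big")
        elif body.startswith("unknown attribute "):
            cur["unknown"].append(int(body.split()[2]))
    return transforms


def compare(transform, policy):
    """Core attributes on which the proposal and the policy differ.
    Lifetime is reported as the negotiated (shorter) value, not as a mismatch."""
    mismatches = [a for a in CORE if transform.get(a) != policy.get(a)]
    negotiated = min(transform.get("lifetime", 0), int(policy["lifetime"]))
    return {"mismatches": mismatches, "negotiated_lifetime": negotiated,
            "unknown_attributes": list(transform["unknown"])}


def analyse(debug_text, config_text):
    """Map (transform number, policy priority) -> comparison result."""
    policies = parse_policies(config_text)
    return {(t["transform"], t["policy"]): compare(t, policies[t["policy"]])
            for t in parse_transforms(debug_text)}


if __name__ == "__main__":
    for key, result in analyse(DEBUG_EXCERPT, POLICY_CONFIG).items():
        print("transform %d vs policy %d: %s" % (key[0], key[1], result))
```

Run against the excerpt, the script reports three core mismatches for transform 1 against policy 10 (encryption, hash and group) and none for transform 7, while for both it records attribute 381 as unknown, which is exactly what the debug prints before "atts are not acceptable"; feeding it the complete debug and the full set of policy lines gives the same table for every proposal at once.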