Site to site VPN with VPN Client access to both sites?

rollotomnasi
Level 1

Current:

Scenario is remote office to main office. Site to site IPSEC tunnel from remote (netscreen) to main (pix 506e). Users use Cisco VPN Client to access main office remotely.

This is all working perfectly.

Problem:

Now we want remote users who connect to the main office to also be able to access resources in the remote office.

This seems like it would be easy to implement but I cannot figure it out.

Thanks in advance.

Rollo

----------

#10.10.10.0 = network1
#10.10.11.0 = network2
#172.16.1.0 = vpn pool

PIX Version 6.3(4)

access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list splitTunnel permit ip 10.10.10.0 255.255.255.0 any
access-list splitTunnel permit ip 10.10.11.0 255.255.255.0 any
access-list 115 permit ip any 172.16.1.0 255.255.255.0
access-list 116 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 permit ip any 10.10.11.0 255.255.255.0
access-list 116 permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x 255.255.255.224
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.16.1.0-172.16.1.50
global (outside) 1 interface
global (outside) 10 209.x.x.x 255.255.255.224
nat (inside) 0 access-list 101
nat (inside) 10 10.10.10.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.x.x.x 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map vpnclients-dynmap 10 set transform-set myset
crypto map myset1 35 ipsec-isakmp
crypto map myset1 35 match address 116
crypto map myset1 35 set peer x.x.x.x
#the only transform-set defined above is "myset"
crypto map myset1 35 set transform-set myset
crypto map myset1 90 ipsec-isakmp dynamic vpnclients-dynmap
crypto map myset1 client configuration address initiate
crypto map myset1 client configuration address respond
crypto map myset1 interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption des
isakmp policy 25 hash md5
isakmp policy 25 group 2
isakmp policy 25 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup mygroup address-pool vpnpool
vpngroup mygroup dns-server dns1 dns2
vpngroup mygroup wins-server wins1 wins2
vpngroup mygroup default-domain mydomain
vpngroup mygroup split-tunnel splitTunnel
vpngroup mygroup idle-time 64000
vpngroup mygroup password **********
telnet timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

Accepted Solution

Kamal Malhotra
Cisco Employee

Hi Rollo,

You cannot implement it for a simple reason, it is not supported on the PIX version 6.x. It is supported on the PIX ver 7.x but 7.x is not supported on PIX 506. So, in a nutshell, it cannot be achieved on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or even a concentrator, it can be achieved.

HTH,

Please rate if it helps,

Regards,

Kamal


Thanks Kamal.

What is this configuration called? How is it achieved with 7.x or an ASA (we have both)?

I am also interested... please report your workaround. Thanks ;)
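The configuration Rollo is asking about is what Cisco calls hairpinning (U-turn traffic): a remote-access client's packets enter on the outside interface and have to leave through the same outside interface into the site-to-site tunnel, which PIX 6.x refuses to do. As an added example that is not part of this thread and not Kamal's answer, the fragment below shows the pieces an ASA or PIX 7.x needs for the client-to-network2 flow, reusing the names from Rollo's config (network2 10.10.11.0/24, pool 172.16.1.0/24, crypto ACL 116, group mygroup). The `extended`/`standard` ACL keywords, the `outside_nat0` ACL name and the group-policy/tunnel-group blocks are 7.x syntax assumed here; the NetScreen side's proxy-ID / policy must be widened to match the new crypto ACL entry or phase 2 will not come up for that flow.

```cisco
! Added example for ASA / PIX 7.x, not from the thread. Names reuse Rollo's
! config; outside_nat0 and the 7.x group-policy/tunnel-group blocks are assumed.

! 1. Allow traffic that arrives on "outside" to be sent back out "outside".
!    Without this the firewall drops the hairpinned flow (the 6.x limitation).
same-security-traffic permit intra-interface

! 2. The site-to-site crypto ACL must cover client-pool -> network2 as well as
!    network1 -> network2. The NetScreen policy/proxy-ID has to mirror both.
access-list 116 extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 116 extended permit ip 172.16.1.0 255.255.255.0 10.10.11.0 255.255.255.0

! 3. Keep the hairpinned flow out of NAT on the outside interface. If it were
!    translated to the interface address it would no longer match ACL 116.
!    Harmless when no outside NAT rule exists, required when one does.
access-list outside_nat0 extended permit ip 172.16.1.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (outside) 0 access-list outside_nat0

! 4. Split-tunnel list must name network2 so the client routes it into the
!    tunnel at all; Rollo's list already does, shown here in 7.x standard form.
access-list splitTunnel standard permit 10.10.10.0 255.255.255.0
access-list splitTunnel standard permit 10.10.11.0 255.255.255.0

! 5. 7.x replaces "vpngroup" with a group-policy plus a tunnel-group.
group-policy mygroup internal
group-policy mygroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnel

tunnel-group mygroup type ipsec-ra
tunnel-group mygroup general-attributes
 address-pool vpnpool
 default-group-policy mygroup
tunnel-group mygroup ipsec-attributes
 pre-shared-key ********
```

Two checks are worth doing after applying this: `show crypto ipsec sa` on the ASA should list a second phase-2 SA for the 172.16.1.0/24 to 10.10.11.0/24 selector once a client sends traffic, and the remote office's own firewall policy must permit the pool address range, since those clients now appear there as 172.16.1.x sources rather than as main-office hosts.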
