Site to Site VPN with VPN client access

Answered Question

I have a pix 500 series configured with VPN client access. When I configure a site-to-site vpn to a remote location, the client access no longer works. If I remove the site-to-site vpn, the client vpn works again. I have tried the PDM and the CLI. Could someone look at my config and let me know what I am missing? See the two attached configs.

Thanks,

Lost in VPN


acomiskey Tue, 08/28/2007 - 07:40

Yes, in pix 6 that is the entire command. Actually, it will add "20" on the end by default, so you could also enter

pix(config)#isakmp nat-traversal 20

Nat-traversal is for your vpn clients; this should not affect your tunnel to the Cyberguard firewall. This allows your vpn clients to connect over udp 4500.

Also, in your Orig_clientworking.txt config, you would have problems connecting more than 1 remote access vpn client at a time without the nat-traversal command.

Hope this helps.

Correct Answer
acomiskey Wed, 08/29/2007 - 09:43

Ah, I missed that. You can change the crypto map statements for the vpns to be on the same crypto map like this...

crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address ipsecvpn
crypto map mymap 20 set peer xxx.xxx.100.180
crypto map mymap 20 set transform-set sha-set
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap client authentication RADIUS
crypto map mymap interface outside

or

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address ipsecvpn
crypto map outside_map 20 set peer xxx.xxx.100.180
crypto map outside_map 20 set transform-set sha-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside

nauman.shahid Wed, 08/29/2007 - 15:45

Hi guys, I was trying to find out something and saw your issue. Well, I can help in this scenario. acomiskey is trying his best to help, but the config he suggested has a few errors. I have done it before, so do as follows and it will work.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set sha-set esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address ipsecvpn
crypto map outside_map 20 set peer xxx.xxx.100.180
crypto map outside_map 20 set transform-set sha-set
crypto map outside_map interface outside

The map name would be the same for both the site-to-site and client IPsec config; only the priority would be different, because at one time you can apply one map only, so choosing 2 maps would not work. Use one map name with 2 different priority numbers, as I did above.

Waiting for your response. You must leave a message if it does not work; I can help you further.

Peace
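The one-map-per-interface rule both answers rely on can be checked mechanically before a config is pushed. This is an added example, not code from the thread or from Cisco: a small Python lint that parses the `crypto map` lines and flags a map that is never bound to an interface (the original two-map layout) or a dynamic entry that is not the highest sequence number in its map. The embedded sample configs are constructed from the layout in the thread, with `xxx.xxx.100.180` kept as a placeholder peer.

```python
import re
from collections import defaultdict

# Constructed sample: the "two maps, only one applied" layout that broke client access.
BROKEN_CONFIG = """
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address ipsecvpn
crypto map mymap 20 set peer xxx.xxx.100.180
crypto map mymap 20 set transform-set sha-set
crypto map mymap interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
"""

# Constructed sample: one map name, static peer at 20, dynamic clients at 65535.
FIXED_CONFIG = """
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address ipsecvpn
crypto map outside_map 20 set peer xxx.xxx.100.180
crypto map outside_map 20 set transform-set sha-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def lint_crypto_maps(config: str) -> list[str]:
    """Return the layout problems found; an empty list means the map set looks right."""
    entries = defaultdict(dict)  # map name -> {sequence: "static" | "dynamic"}
    bound = {}                   # map name -> interface it is applied to
    for line in config.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            entries[m.group(1)][int(m.group(2))] = "dynamic" if m.group(3) else "static"
        elif m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
    problems = []
    for name, seqs in entries.items():
        if name not in bound:  # tunnels in an unbound map never come up
            problems.append(f"map {name} is never applied to an interface")
        dyn = [s for s, kind in seqs.items() if kind == "dynamic"]
        if dyn and max(dyn) < max(seqs):  # static peers must be matched before the catch-all
            problems.append(f"map {name}: dynamic entry {max(dyn)} is not the last sequence")
    if len(set(bound.values())) < len(bound):  # only one crypto map can be active per interface
        problems.append("more than one map applied to the same interface")
    return problems
```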
