Site to Site & client access

Jan 23rd, 2008

I have 2 Pix 501s configured for site to site access (HomePIX, OfficePIX). Site to site between the peers works correctly, but Cisco client access does not work from any other site. When I reconfigure the office pix to exclude site to site, Cisco client access works correctly from any location.

Any assistance would be appreciated.


OfficePIX configuration:

isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup tekconvpn address-pool vpnpool
vpngroup tekconvpn dns-server TekConMain
vpngroup tekconvpn default-domain tekconllc.local
vpngroup tekconvpn split-tunnel tekconvpn_splitTunnelAcl
vpngroup tekconvpn idle-time 1800
vpngroup tekconvpn password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password ********* store-local
dhcpd address 10.0.0.111-10.0.0.125 inside
dhcpd dns TekConMain
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

ajagadee Wed, 01/23/2008 - 08:38
Cisco Employee

If possible, can you post the full configuration of the Pix 501? I am interested in looking at the crypto map configuration. For example, if you look at the below URL, the crypto dynamic map instance 30 is higher than 10. So, check whether your pix is configured with a dynamic map instance less than the LAN to LAN tunnel's, or higher.

crypto dynamic-map dynmap 30 set transform-set myset
!--- Use the crypto-map sequence 10 command for PIX to PIX.
crypto map newmap 10 ipsec-isakmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml


Also, make sure that there are no overlapping IPSec ACL's on the Pix.


Regards,

Arul


** Please rate helpful posts **

ajagadee Wed, 01/23/2008 - 09:29
Cisco Employee

NP, thanks for the config. Definitely helps.


I think the problem is with the pool of IP addresses that is configured for the VPN Clients.


ip local pool vpnpool 10.0.0.126-10.0.0.130


Your L2L tunnel has an ACL of


access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0


So, when you have the L2L tunnel and the VPN Client at the same time, the VPN Clients' pool of IPs is following the L2L tunnel and not going back to the VPN client.


Here is what I would do. Change the pool of IP addresses for the VPN Clients to something different from your LAN. Example: 192.168.1.x/24. Include this in your NAT 0 statement and then you should be all set.


Give it a shot and let me know how it goes.


Regards,

Arul


** Please rate helpful posts **

tommarrero Wed, 01/23/2008 - 13:59

Thanks for the reply. I made the configuration changes and additions but I still have the same issue. I created a log from the Cisco client and attached it to this message.

ajagadee Wed, 01/23/2008 - 14:35
Cisco Employee

So, are you able to connect using the VPN Client but not access the LAN behind the Pix? Can you post the below outputs:

1. Copy of the current configuration

2. The IP address that you are trying to reach from the VPN Client

3. show cry is sa and show cry ipsec sa, when the VPN Client is connected and not able to ping the LAN behind the Pix.


Regards,

Arul

tommarrero Thu, 01/24/2008 - 09:25

I am unable to connect with the VPN client but the site to site connection is working.

I am attaching the VPN Client error log and the Pix 501 configuration.

Before I configured site to site the VPN client worked properly. If I remove the site to site configuration the VPN will work again.

Thanks again for your help.

ajagadee Fri, 01/25/2008 - 11:49
Cisco Employee

Tom,


If I understand the problem correctly, you are able to connect using the VPN Client but not able to access any resources on the inside, correct?


If my understanding is correct, then please reconfigure your IP Pool to something different from 10.2.0.x. You cannot have the IP Pool in the range 10.2.0.x and also include this destination network in your L2L Tunnel. If you do this, the Pix will encrypt the traffic across the L2L tunnel instead of to the VPN Client.


access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0


ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0


Just for testing purposes, can you change the IP Pool to something like 192.168.1.x and connect the VPN Client at the same time your L2L is up? Also, make sure that you add a NAT 0 statement. For example:


ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0


access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0


Please make the changes and let us know how it goes. If not, please post the updated configuration along with "show cry is sa" and "show crypto ipsec sa" from the pix.


Regards,

Arul


** Please rate all helpful posts **

ajagadee Fri, 01/25/2008 - 14:26
Cisco Employee

Tom,


Thanks for all the information. You are motivated to resolve this issue, and so am I. I think I might have finally found what the issue is:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

The crypto instances for the crypto map need to match. In the existing configuration 20 and 65535 do not match. Configure 20 on both the lines and let me know how it works.


I know it's Friday but I swear I haven't started drinking early.


Regards,

Arul


** Please rate all helpful posts **

tommarrero Fri, 01/25/2008 - 16:45

Arul,

Fortunately I have already started drinking.

I appreciate your time and I will implement the configuration changes this weekend. I will keep you informed.

Thanks again.

Bikramjit Majumdar Sun, 01/27/2008 - 12:05
Cisco Employee

Hi,


I checked the config and as per the latest attached config we have a misconfiguration for vpn client and hence the issue.


Try the following steps:


1. no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map


2. crypto map transam 65535 ipsec-isakmp dynamic outside_dyn_map


Note:


-- You can apply one crypto map to one interface.

-- The crypto map "outside_map" hasn't been applied to any interface.


**rate the post, if helpful**
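A check for the two misconfigurations the replies above identify (Arul's client pool falling inside the L2L crypto ACL, and Bikramjit's dynamic map bound to a crypto map that no interface uses), written as an added Python example; it is not code posted in this thread. The config fragments are constructed to mirror the before-fix and after-fix state described here, and lint_pix_vpn is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed config fragments (not the thread's attachments), modelled on the
# before-fix and after-fix state the replies describe.
BROKEN_CONFIG = """
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0
crypto map transam 10 ipsec-isakmp
crypto map transam 10 match address 101
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map transam interface outside
"""
FIXED_CONFIG = """
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
crypto map transam 10 ipsec-isakmp
crypto map transam 10 match address 101
crypto map transam 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map transam interface outside
"""

def lint_pix_vpn(config):
    # pools: (name, first, last); acls: name -> destination networks (PIX ACLs use netmasks)
    pools, acls, crypto_acls, dyn_maps, applied = [], {}, set(), [], set()
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"crypto map (\S+) \d+ match address (\S+)", line):
            crypto_acls.add(m[2])          # only ACLs that select L2L traffic count
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+", line):
            dyn_maps.append(m[1])
        elif m := re.match(r"crypto map (\S+) interface \S+", line):
            applied.add(m[1])
    findings = []
    # Pitfall 1: client pool addresses inside an L2L ACL destination get steered
    # into the L2L tunnel instead of back to the VPN client.
    for name, first, last in pools:
        for acl in crypto_acls:
            for net in acls.get(acl, []):
                if first <= net.broadcast_address and last >= net.network_address:
                    findings.append(f"pool {name} overlaps L2L destination {net} (access-list {acl})")
    # Pitfall 2: the dynamic map must hang off the crypto map that is applied to
    # the outside interface, since only one crypto map can be applied per interface.
    for name in dyn_maps:
        if name not in applied:
            findings.append(f"dynamic map bound to crypto map {name}, which no interface uses")
    return findings
```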



tommarrero Thu, 01/31/2008 - 07:21

Arul,

Thank you for your help.

I resolved the issue by removing the lines:


crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

and


access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0


and adding:

crypto map transam 65535 ipsec-isakmp dynamic outside_dyn_map


Thanks again for your help.


ajagadee Thu, 01/31/2008 - 07:28
Cisco Employee

Tom,


Thanks for the update! Glad everything is working.


Regards,

Arul

sdemlow007 Tue, 05/06/2008 - 11:52

Could you post your working config as I must have lost something along the way in the thread. Thanks.
