Pix 501 VPN and Site to Site

Unanswered Question
Jan 25th, 2008

I have a Pix 501 configured for site-to-site access and working correctly. However, Cisco VPN clients stopped working when the Pix was set up for site-to-site. If the site-to-site configuration is removed, the VPN client access works.

Attached is the PIX configuration with site-to-site and the Cisco client error log from trying to connect.

ajagadee Fri, 01/25/2008 - 11:46

Tom,

If I understand the problem correctly, you are able to connect using the VPN Client but not able to access any resources on the inside, correct?

If my understanding is correct, then please reconfigure your IP Pool to something different than 10.2.0.x. You cannot have the IP Pool in the range 10.2.0.x and also include this destination network in your L2L Tunnel. If you do this, the Pix will encrypt the traffic across the L2L tunnel instead of to the VPN Client.

access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0

ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0

Just for testing purposes, can you change the IP Pool to something like 192.168.1.x and connect the VPN Client at the same time your L2L is up? Also, make sure that you add a NAT 0 statement. For example:

ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0

access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Please make the changes and let us know how it goes. If not, please post the updated configuration along with "show cry is sa" and "show crypto ipsec sa" from the pix.

Regards,

Arul

** Please rate all helpful posts **
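The overlap Arul describes above can be checked mechanically before pushing a config. The following is an added example (not from the thread or from Cisco): it parses the PIX 6.x ACL and pool lines quoted in the post, flags a pool that falls inside the L2L crypto ACL's destination network, and generates the matching NAT 0 exemption line for a replacement pool. The inside network 10.0.0.0/24 and the ACL name NoNat are taken from the post; the PIX syntax handled is only the two line shapes shown there.

```python
import ipaddress

# Lines quoted in the thread (PIX 6.x syntax: real subnet masks, not wildcards).
L2L_ACL = "access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0"
POOL_BEFORE = "ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0"
POOL_AFTER = "ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0"


def parse_acl_networks(line):
    """Return (src, dst) networks from 'access-list N permit ip A Amask B Bmask'."""
    p = line.split()
    src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
    dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
    return src, dst


def parse_pool(line):
    """Return (first, last, network) from 'ip local pool NAME first-last mask M'."""
    p = line.split()
    first, last = p[4].split("-")
    net = ipaddress.ip_network(f"{first}/{p[6]}", strict=False)
    return ipaddress.ip_address(first), ipaddress.ip_address(last), net


def pool_overlaps_l2l(pool_line, acl_line):
    """True if any pool address lies inside the L2L ACL destination network.

    Inside-to-client return traffic would then match the L2L crypto ACL and be
    sent down the site-to-site tunnel rather than back to the VPN client.
    """
    first, last, _ = parse_pool(pool_line)
    _, dst = parse_acl_networks(acl_line)
    # Ranges are disjoint only if the pool ends before dst starts or starts after it ends.
    return not (last < dst.network_address or first > dst.broadcast_address)


def no_nat_acl_for_pool(inside_cidr, pool_line, name="NoNat"):
    """Build the NAT 0 exemption ACL line: inside network -> pool network."""
    inside = ipaddress.ip_network(inside_cidr, strict=False)
    _, _, pool_net = parse_pool(pool_line)
    return (f"access-list {name} permit ip "
            f"{inside.network_address} {inside.netmask} "
            f"{pool_net.network_address} {pool_net.netmask}")


if __name__ == "__main__":
    print("old pool overlaps L2L:", pool_overlaps_l2l(POOL_BEFORE, L2L_ACL))
    print("new pool overlaps L2L:", pool_overlaps_l2l(POOL_AFTER, L2L_ACL))
    print(no_nat_acl_for_pool("10.0.0.0/24", POOL_AFTER))
```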

tommarrero Fri, 01/25/2008 - 11:56

Thanks for the reply.

The VPN client does not authenticate when the site-to-site configuration is enabled.

It does authenticate, and inside resources are available, when site-to-site is not configured.

Thank you again for your help.

ajagadee Fri, 01/25/2008 - 13:05

Tom,

I don't see anything obviously wrong with the configuration. Is it possible for you to post the outputs of "deb cry is" and "deb cry ips" from the pix along with the full logs from the VPN Client?

Regards,

Arul

** Please rate all helpful posts **

tommarrero Fri, 01/25/2008 - 13:04

I changed the pool addresses to the 192.168.XXX.XXX network along with all the related statements and the same issue exists.

Thanks again.

ajagadee Fri, 01/25/2008 - 14:25

Tom,

Thanks for all the information. You are motivated to resolve this issue, and so am I. I think I might have finally found what the issue is:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

The crypto instances for the crypto map need to match. In the existing configuration, 20 and 65535 do not match. Configure 20 on both lines and let me know how it works.

I know it's Friday, but I swear I haven't started drinking early.

Regards,

Arul

** Please rate all helpful posts **
