03-03-2008 09:53 PM
Hi, can anybody help me to know whether it is possible to configure both site-to-site VPN and remote access VPN on a single interface (outside) on a PIX 515E? If yes, can anybody provide the configuration for the same?
03-03-2008 10:04 PM
Hi, the answer is yes, you can have both site-to-site and remote access at the same time. Take a look at this example below, maybe this will help some.
config t
!
! These access lists define what traffic should be routed through the VPN tunnel
access-list 101 permit ip [INSIDE NETWORK] [INSIDE MASK] [REMOTE NETWORK] [REMOTE MASK]
access-list nonat permit ip [INSIDE NETWORK] [INSIDE MASK] 192.168.172.0 255.255.255.0
access-list nonat permit ip [INSIDE NETWORK] [INSIDE MASK] [REMOTE NETWORK] [REMOTE MASK]
!
nat (inside) 0 access-list nonat
!
sysopt connection permit-ipsec
sysopt connection permit-pptp
!
ip local pool vpnpool 192.168.172.1-192.168.172.254
!
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication pre-share
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp identity address
isakmp key 0123456789 address [REMOTE PIX] netmask 255.255.255.255
isakmp key 0123456789 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
!
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer [REMOTE PIX]
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
!
! The vpngroup command is used to configure a VPN tunnel that will use the
! Cisco VPN Client. If you intend to only use the Microsoft VPN Client, this
! section may be left out
vpngroup [VPNGROUP] address-pool vpnpool
vpngroup [VPNGROUP] dns-server [DNS]
vpngroup [VPNGROUP] wins-server [WINS]
vpngroup [VPNGROUP] default-domain [DOMAIN]
vpngroup [VPNGROUP] idle-time 1800
vpngroup [VPNGROUP] password [VPNGROUPPW]
!
! The vpdn command is used to configure a VPN tunnel that will use the
! Microsoft VPN Client. If you intend to only use the Cisco VPN client, this
! section may be left out
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns [DNS]
vpdn group 1 client configuration wins [WINS]
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
!
! The following line can be repeated to configure the user names and passwords
! for users needing VPN access with the Microsoft VPN Client
vpdn username [VPN USER] password [VPN PASSWORD]
vpdn enable outside
!
exit
wri mem
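An added example, not part of the original post and not Cisco tooling: a Python check that reads a PIX 6.x configuration like the one above and reports the lines that select single DES, MD5, Diffie-Hellman group 1, a pre-shared key valid for any peer address, or PPTP with PAP. The rule set, the function name `audit`, and the sample lines (with the constructed peer address 203.0.113.10 and the placeholder `[KEY]`) are assumptions of this example.

```python
import re

# Rule set chosen for this example (an assumption, not a vendor-published list):
# each entry is (regex for one PIX 6.x config line, finding reported on a match).
RULES = [
    (r"isakmp policy \d+ encryption des$", "IKE policy: single DES"),
    (r"isakmp policy \d+ hash md5$", "IKE policy: MD5 hash"),
    (r"isakmp policy \d+ group 1$", "IKE policy: DH group 1 (768-bit)"),
    (r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "pre-shared key accepted from any peer address"),
    (r"crypto ipsec transform-set \S+ .*\besp-des\b", "IPsec transform: single DES"),
    (r"crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "IPsec transform: HMAC-MD5"),
    (r"vpdn group \d+ accept dialin pptp$", "PPTP dial-in enabled"),
    (r"vpdn group \d+ ppp authentication pap$", "PPTP: PAP sends the password in cleartext"),
]

def audit(config_text):
    """Return (line_number, finding, line) for every rule hit; '!' lines are skipped."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or line.startswith("!"):
            continue
        for pattern, finding in RULES:
            if re.match(pattern, line):
                findings.append((number, finding, line))
    return findings

# Constructed sample: lines in the style of the configuration above, with a
# documentation-range peer address and a placeholder key.
SAMPLE = """\
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 group 2
isakmp key [KEY] address 203.0.113.10 netmask 255.255.255.255
isakmp key [KEY] address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication mschap
"""

if __name__ == "__main__":
    for number, finding, line in audit(SAMPLE):
        print(f"line {number}: {finding}: {line}")
```
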
03-07-2008 03:22 AM
Thanks, Joseph