Hi, I am working on an old PIX 501 w/ 6.3(5) software. It already has a remote access VPN set up and works fine, but now it needs an L2L set up. One thing is I am trying to do all the work remotely, over the VPN or SSH to the device. I do not know what is on the other end, but they swear it is set up, and maybe my problem is that when I start putting in the commands for the other VPN it breaks the remote access VPN. One thing that I am having to do is NAT a host on the inside to appear as another host on the far end. I am using these commands and I think this is working; I can't tell.
access-list 101 permit ip host local_server remote_network 255.255.255.0
static (inside,outside) 10.1.0.203 access-list 101
access-list 102 permit ip host 10.1.0.203 host 192.168.50.83
access-list 102 permit ip host 10.1.0.203 host 192.168.50.86
access-list 102 permit ip host 10.1.0.203 host 192.168.50.50
access-list 102 permit ip host 10.1.0.203 host 192.168.50.85
and use that to match against
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map emds-map 10 ipsec-isakmp
crypto map emds-map 10 match address 102
crypto map emds-map 10 set peer remote_vpn_server
crypto map emds-map 10 set transform-set ESP-3DES-SHA
isakmp key magic_key address remote_vpn_server netmask 255.255.255.255
isakmp identity hostname
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
and that is where it usually breaks the VPN. I am not sure if the other VPN works, due to not being able to get to that server to try to ping out. I really don't like to try this stuff remotely, but I don't have a lot of choice at the moment.
Yes, just use a different sequence number with one crypto map name. Please also make sure that your dynamic crypto map, which is for your VPN client, has the lowest crypto map sequence (highest number), because you want to make sure that the static crypto map (for the LAN-to-LAN tunnel) has a higher sequence (lower number).
The ISAKMP policy sequence number does not have to match; it is processed from top to bottom (lower number to higher number), and as long as one set of ISAKMP policy matches the remote peer, it will be negotiated correctly.
Hope that answers your question, and please rate useful post. Thanks.
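As an added illustration of the ordering the answer describes (not configuration from either poster), here is how the two tunnels sit in one crypto map on a PIX 6.3: the static LAN-to-LAN entry at a low sequence number, the dynamic entry for the remote-access clients at the highest, and two ISAKMP policies that are tried top to bottom. The peer address, key, ACL 102 and the map name emds-map are the placeholders from the question; the dynamic map name dynmap, the second ISAKMP policy and the use of DH group 2 for the clients are assumptions, so check them against the remote-access configuration that already exists on the box before pasting anything.

```cisco
! Added example, not the original poster's config. Names marked (assumed) are not from the thread.

! Phase 2 transform used by both tunnels
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Static LAN-to-LAN entry: sequence 10, evaluated FIRST.
! Traffic matching ACL 102 is sent to the remote peer.
crypto map emds-map 10 ipsec-isakmp
crypto map emds-map 10 match address 102
crypto map emds-map 10 set peer remote_vpn_server
crypto map emds-map 10 set transform-set ESP-3DES-SHA

! Dynamic entry for the VPN clients (map name "dynmap" is assumed):
! sequence 65535, evaluated LAST, so it only catches clients that
! did not match a static entry above it.
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map emds-map 65535 ipsec-isakmp dynamic dynmap

! One map, one interface. Re-applying the same map name is safe;
! binding a second map name here would replace the first one.
crypto map emds-map interface outside
sysopt connection permit-ipsec

! Phase 1: keys looked up by address, so identity is set to address.
! no-xauth / no-config-mode keep the L2L peer out of the client
! XAUTH and mode-config exchanges that the remote-access users go through.
isakmp enable outside
isakmp identity address
isakmp key magic_key address remote_vpn_server netmask 255.255.255.255 no-xauth no-config-mode

! Policies are tried lowest number first; the first one the peer
! accepts wins, so the L2L and client policies need not share a number.
! Policy 10 matches the L2L peer from the question (group 1).
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
! Policy 20 (assumed) is what the existing software clients negotiate (group 2).
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
```

Before changing anything over the tunnel, run `show crypto map` and `show isakmp policy` and note the existing map name, the dynamic map's sequence number and the client policy, then add only the static entry and the L2L key; re-entering `crypto map ... interface outside` with the same map name does not tear down the existing client sessions, but entering it with a different map name replaces the map that the remote-access VPN depends on. After the change, `show crypto isakmp sa` and `show crypto ipsec sa` show whether the L2L peer negotiated and which ACL entries have encrypted/decrypted packet counters.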