My main problem is that when I put in the commands the normal remote access VPN that I need to connect to the computer that is getting NATed breaks and I cant get to it to see if the other works. One problem I have had in the past is the other side that sets the endpoint of the L2L just sets it up and dont share any information, they just say we have done this hundered of times, it is on your end ... etc. I finally decided to set up ssh on the outside after the first time I killed myself off remotely, good thing a power cycle fixed that.

Jarrid

Please share the whole config. Need to know what you have configured for the rest, especially the NAT for vpn client? not sure how it breaks when you configure the LAN-to-LAN tunnel.

OK here is the config as it stands now with a little change of IPs and Passwords

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted

hostname HOSTNAME
domain-name DOMAIN.LOCAL
clock timezone EST 2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 10.0.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_out permit icmp any any
access-list inside_out permit 22 any any
pager lines 24
logging on
logging timestamp
logging standby
mtu outside 1500
mtu inside 1500
ip address outside OUTSIDE_IP 255.255.255.252
ip address inside 10.0.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.200.200-192.168.200.209
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.100.0 255.255.255.0 0 0
access-group inside_out in interface outside
route outside 0.0.0.0 0.0.0.0 OUTSIDE_IP 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.100.10 ***** timeout 10
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN address-pool clientpool
vpngroup VPN dns-server 10.0.100.10
vpngroup VPN default-domain uim.local
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 10.0.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
username admin password ***** encrypted privilege 15
terminal width 80
Cryptochecksum:d11b572de6929ddb8bd1240d17aa5dda
: end
[OK]

I start about like I listed in the first of the message but when I get right around the crypto part my VPN breaks , maybe the isakmp but I dont know. I just know after I put in all of the stuff in the ssh terminal when I tried to connect the VPN from the Cisco Client it just times out. to a reload and after it comes back up I can connect.

Thanks

Jarrid

OK, your crypto map name is "newmap", and you have configured a new crypto map "emds-map" for the lan-to-lan tunnel. You can't have 2 crypto map name configured on the PIX, because you can only assign 1 crypto map to the outside interface.

For the new lan-to-lan tunnel, please use the same crypto map name "newmap" with sequence 10 as follows:

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match  address 102
crypto map newmap 10 set peer remote_vpn_server
crypto  map newmap 10 set transform-set ESP-3DES-SHA

OK I wondered about that, when it died is when I did the crypto map emds-map interface outside command. I will try it later on and see. So you could have multiple L2L VPNs as long as they use the same crypto map name and a different sequence number and use the same number in the isakmp lines ? If so I am guessing it knows what isakmp key line to use with the set remote peer? Not that we need more than the one L2L I just want  to know if my line on thinking is right so far.

Thanks

Jarrid