
vpn remote access and site2site on same pix

Feb 24th, 2006

I have a site to site vpn that's working between pixA and pixB. I would also like to set up remote access vpn on pixA. Does someone have a working config that I can use as a template in this scenario?


Thanks for any help.

Lharrypersaud Fri, 02/24/2006 - 14:16

Can you please have a look at my vpn configuration. I setup the site to site vpn first and it works fine but as soon as I setup the remote access vpn it stops working.


Thanks for any help



jackko Fri, 02/24/2006 - 19:31

below are the sample codes for configuring both lan-lan vpn and remote vpn on pix:


access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip local pool ippool 10.1.1.11-10.1.1.21

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

aaa-server LOCAL protocol local
username cisco password cisco123

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set vpnset
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside

isakmp enable outside
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password cisco456



please excuse me for not reading the posted config, as the layout is a bit hard to read. one simple way to capture the config is to do "sh run" on the telnet/ssh session, and then copy and paste to a notepad.

Lharrypersaud Sat, 02/25/2006 - 19:46

Thanks for all your help Jackko. But I have two questions for you or anyone of the guys who is willing to help me. Since I don't have access to the remote pix I just needed to clear up a couple of things about the access lists.


I assume that these two access list commands are for the site to site vpn?

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Are these two access list commands for the remote access vpn?

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0


Thanks again for all the help

jackko Sun, 02/26/2006 - 04:28

yes. 192.168.1.x and 192.168.2.x are lan-lan; whereas 10.1.1.x is remote vpn access.
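The split the reply above describes (nat 0 exemption ACL 101 on one side, lan-lan crypto ACL 110 and split-tunnel ACL 120 on the other) can be checked mechanically before pasting a config. This added Python script is not from the thread; it parses the PIX 6.x lines as posted (constructed sample embedded), checks that every encrypted or split-tunnelled subnet pair is also NAT-exempted, and checks that the dynamic crypto map entry keeps the highest sequence number, as in the 10/20 layout of the reply. The function name check_pix_vpn is an assumption of this example.

```python
import re

# Constructed sample: the PIX 6.x lines from the reply above that decide
# what is encrypted and what is exempted from NAT (other lines omitted).
PIX_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
vpngroup vpnclient split-tunnel 120
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
DYNAMIC_RE = re.compile(r"^crypto map \S+ (\d+) ipsec-isakmp dynamic \S+$")
SPLIT_RE = re.compile(r"^vpngroup \S+ split-tunnel (\S+)$")


def check_pix_vpn(config):
    """Return a list of problems; an empty list means both checks pass."""
    acls, nat0, static, dynamic, split = {}, None, {}, [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            # store each entry as a (src, src-mask, dst, dst-mask) tuple
            acls.setdefault(m.group(1), set()).add(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := STATIC_RE.match(line):
            static[int(m.group(1))] = m.group(2)
        elif m := DYNAMIC_RE.match(line):
            dynamic.append(int(m.group(1)))
        elif m := SPLIT_RE.match(line):
            split.append(m.group(1))
    problems = []
    exempt = acls.get(nat0, set())
    # Check 1: every pair in a lan-lan crypto ACL or a split-tunnel ACL must
    # also be in the nat 0 ACL, or it is translated before the crypto map sees it.
    for acl in list(static.values()) + split:
        for pair in sorted(acls.get(acl, set()) - exempt):
            problems.append(f"acl {acl} {' '.join(pair)} missing from nat 0 acl {nat0}")
    # Check 2: the dynamic (remote-access) entry must carry the highest
    # sequence number so the static lan-lan peer is matched first.
    for seq in dynamic:
        if any(seq < s for s in static):
            problems.append(f"dynamic crypto map seq {seq} precedes a static entry")
    return problems
```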

moonshiner Wed, 03/08/2006 - 09:49

Hello, gentlemen!

Could you please tell me if this configuration will be valid for the router Cisco 2811?

I have the same problem - I need to configure both site-to-site vpn and remote access vpn on the same device.

I understand that the syntax will be quite different, but maybe the main idea is the same?


If somebody can post here an example of such a configuration or at least a link to example, I will be very happy! =)

jackko Wed, 03/08/2006 - 13:19

the codes on pix and router are quite different.


below are the sample codes for configuring both lan-lan vpn and remote vpn on a router:


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! lan-lan peer: pre-shared key, no-xauth so the peer is not prompted like a client
crypto isakmp key xxxxxxxx address no-xauth
!
! remote-access client group: key, address pool and split-tunnel acl pushed to clients
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpnset
!
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
! static lan-lan entry first, dynamic remote-access entry with the highest sequence number
crypto map vpnmap 10 ipsec-isakmp
 set peer
 set transform-set vpnset
 match address 140
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address
 ip nat outside
 crypto map vpnmap
!
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
!
! nat exemption: traffic to the client pool and to the remote lan is not translated
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! split-tunnel acl for the remote-access clients
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
! crypto acl for the lan-lan tunnel
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101

moonshiner Thu, 03/09/2006 - 06:07

Thanks a lot!!!!! :)


...and one little question about AAA configuration...

If I want local authentication, the config lines will be like this, won't they?


!
aaa new-model
!
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
!
username blablabla password blablabla
!



Is that correct?

The matter is that I have PPTP VPN working, and I cannot configure a general login-password pair. The connection is established only if the user enters a username that is the same as the name of his PC... And I have to enter


!
username name_of_PC password blablabla
!


to grant access to my network for that user....

But I want to set username-password pairs by myself! And then I would give those pairs to users..


I'm afraid that I will have the same problem with IPsec VPN....



PS: sorry if it's off-topic.... and sorry for my bad English...
