02-24-2006 08:22 AM - edited 02-21-2020 02:16 PM
I have a site-to-site VPN that's working between pixA and pixB. I would also like to set up remote access VPN on pixA. Does someone have a working config that I can use as a template in this scenario?
Thanks for any help.
02-24-2006 02:16 PM
02-24-2006 07:31 PM
below are the sample codes for configuring both lan-lan vpn and remote vpn on pix:
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 10.1.1.11-10.1.1.21
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set vpnset
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
isakmp enable outside
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password cisco456
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
please excuse me for not reading the posted config, as the layout is a bit hard to read. one simple way to capture the config is to do "sh run" on the telnet/ssh session, and then copy and paste to a notepad.
02-25-2006 07:46 PM
Thanks for all your help Jackko. But I have two questions for you or any of the guys who is willing to help me. Since I don't have access to the remote PIX, I just need to clear up a couple of things about the access lists.
I assume that these two access list commands are for the site to site vpn?
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Are these two access list commands for the remote access vpn?
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
Thanks again for all the help
02-26-2006 04:28 AM
yes. 192.168.1.x and 192.168.2.x are lan-lan; whereas 10.1.1.x is remote vpn access.
02-27-2006 05:56 AM
Thanks a lot, Jackko. I appreciate that.
03-08-2006 09:49 AM
Hello, gentlemen!
Could you please tell me if this configuration will be valid for the Cisco 2811 router?
I have the same problem: I need to configure both site-to-site VPN and remote access VPN on the same device.
I understand that the syntax will be quite different, but maybe the main idea is the same?
If somebody can post an example of such a configuration here, or at least a link to an example, I will be very happy! =)
03-08-2006 01:19 PM
the codes on pix and router are quite different.
below are the sample codes for configuring both lan-lan vpn and remote vpn on a router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address
crypto isakmp client configuration group vpngroup
key xxxxxxxx
pool vpnpool
acl 130
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set vpnset
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 20 ipsec-isakmp
set peer
set transform-set vpnset
match address 140
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface Dialer0
ip address
ip nat outside
crypto map vpnmap
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map nonat permit 10
match ip address 101
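As an added cross-check (not from the thread or from Cisco), the Python below parses the ACL lines from both configs above and verifies that every flow a crypto ACL selects for encryption is also exempted from NAT: on the PIX the exemption entries are the permit lines of the nat 0 ACL (101 vs 110/120), on the router they are the deny lines of the ACL behind route-map nonat (101 vs 130/140). A flow missing from the exemption ACL is translated to the outside address first and never matches the tunnel.

```python
import ipaddress

# Constructed excerpts of the two configs quoted in the thread (ACL lines only).
PIX_ACLS = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
IOS_ACLS = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]}, with 'any' as 0.0.0.0/0."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest, nets = tok[4:], []
        while rest:
            if rest[0] == "any":
                nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
                rest = rest[1:]
            else:
                # ipaddress accepts a PIX netmask (255.255.255.0) or an IOS wildcard (0.0.0.255)
                nets.append(ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}"))
                rest = rest[2:]
        acls.setdefault(tok[1], []).append((tok[2], nets[0], nets[1]))
    return acls

def covered(src, dst, exempt):
    """True if the src->dst flow lies inside some NAT-exemption entry."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)

def nat_leaks(acls, nat_acl, crypto_acls, exempt_action):
    """List crypto-ACL flows the NAT rule would translate before encryption.
    PIX nat 0: exemption entries are permit lines; IOS route-map nonat: deny lines."""
    exempt = [(s, d) for a, s, d in acls.get(nat_acl, []) if a == exempt_action]
    leaks = []
    for name in crypto_acls:
        for action, src, dst in acls.get(name, []):
            if action == "permit" and not covered(src, dst, exempt):
                leaks.append((name, str(src), str(dst)))
    return leaks
```

Both configs quoted in the thread come back with an empty leak list; drop the second ACL 101 line from the PIX config and the 192.168.1.0/24 to 10.1.1.0/24 flow of ACL 120 is reported.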
03-09-2006 06:07 AM
Thanks a lot!!!!! :)
..and one little question about aaa configuration...
If I want local authentication, the config lines will be like this, won't they?
!
aaa new-model
!
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
!
username blablabla password blablabla
!
Is that correct?
The matter is that I have PPTP VPN working, and I cannot configure a general login/password pair. The connection is established only if the user enters a username that is the same as the name of his PC... And I have to enter
!
username name_of_PC password blablabla
!
to grant access to my network for that user....
But I want to set the username/password pairs myself! And then I would give those pairs to users..
I'm afraid that I will have the same problem with IPsec VPN....
PS: sorry if it's off-topic.... and sorry for my bad English...