Re: Adding Remote VPN Access with SitetoSite Tunnel

bfensty74 · ‎03-10-2006

How can I add a Remote Access VPN Connection on a PIX for a user to access their network from home when the PIX already has a VPN to VPN Tunnel to another Network.

mpalardy · ‎03-10-2006

You just need to add a few commands.

Please see this general example:

http://cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

Some more examples depending of witch option you'll require

http://cisco.com/en/US/customer/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor14

jackko · ‎03-12-2006

below are the sample codes for configuring both lan-lan vpn and remote vpn access on a single pix:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

ip address outside 1.1.x.x.x.x.0

ip address inside 192.168.1.1 255.255.255.0

ip local pool ippool 10.1.1.11-10.1.1.21

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map myvpn 10 ipsec-isakmp

crypto map myvpn 10 match address 110

crypto map myvpn 10 set peer 1.1.1.2

crypto map myvpn 10 set transform-set vpnset

crypto map myvpn 20 ipsec-isakmp dynamic dynmap

crypto map myvpn client configuration address initiate

crypto map myvpn client configuration address respond

crypto map myvpn client authentication LOCAL

crypto map myvpn interface outside

isakmp enable outside

isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpnclient address-pool ippool

vpngroup vpnclient split-tunnel 120

vpngroup vpnclient idle-time 1800

vpngroup vpnclient password xxxx

username xxxx password xxxx

aaa-server LOCAL protocol local

crypto map remote_vpn client authentication LOCAL

crypto map remote_vpn client configuration address initiate

crypto map remote_vpn client configuration address respond

bfensty74 · ‎03-12-2006

The problem I'm having is there already is an established VPN to VPN Tunnel there along with two nat (inside) and three access-lists...I'm trying to add a remote VPN to that and I'm struggling. I could post the config and let you guys look at it.

jackko · ‎03-12-2006

please do so then. with public ip masked.

bfensty74 · ‎03-13-2006

Here it is Thanks...with the outside masked.

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname XXXXXXXXXXXX

domain-name Caresite.org

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.191.201

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.223.129

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.249

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.186.193

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.223

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.253

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0

access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.242.20

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.191.201

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.223.129

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.249

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.186.193

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.223

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.253

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.242.20

access-list INBOUND-ACL permit tcp host 24.104.25.121 host 71.39.xxx.xxx eq 3389

access-list INBOUND-ACL permit tcp host 70.150.232.75 host 71.39.xxx.xxx eq 3389

access-list caresiteedwardsvpn permit ip host 159.240.242.20 192.168.193.32 255.255.255.224

pager lines 24

logging on

logging buffered warnings

mtu outside 1500

mtu inside 1500

ip address outside 71.39.xxx.xxx 255.255.255.248

ip address inside 192.168.193.33 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list No-NAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 71.39.xxx.xxx 3389 192.168.193.34 3389 netmask 255.255.255.255 0 0

access-group INBOUND-ACL in interface outside

route outside 0.0.0.0 0.0.0.0 71.39.xxx.xxx 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp

crypto map VPN-MAP 10 match address Geisinger-VPN

crypto map VPN-MAP 10 set peer 159.240.9.34

crypto map VPN-MAP 10 set transform-set ESP-AES-256-SHA

crypto map VPN-MAP interface outside

isakmp enable outside

isakmp key ******** address 159.240.9.34 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 5

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh 204.186.64.224 255.255.255.240 outside

ssh 24.104.25.121 255.255.255.255 outside

ssh timeout 60

console timeout 0

dhcpd address 192.168.193.50-192.168.193.62 inside

dhcpd dns 159.x.x.x.x.0.35

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain CSEdwards

dhcpd enable inside

terminal width 80

jackko · ‎03-13-2006

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0

access-list 120 permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0

ip local pool ippool 172.16.8.51-172.16.8.60

crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA

crypto map VPN-MAP 20 ipsec-isakmp dynamic dynmap

crypto map VPN-MAP client configuration address initiate

crypto map VPN-MAP client configuration address respond

crypto map VPN-MAP client authentication LOCAL

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpnclient address-pool ippool

vpngroup vpnclient split-tunnel 120

vpngroup vpnclient idle-time 1800

vpngroup vpnclient password cisco123

username xxxx password xxxx

bfensty74 · ‎03-13-2006

Will this work for a User to access the network from home, right? I have to change the username and passwords and it should work. The only thing I see that I have a question on is the isakmp on yours is almost exactly what I have except for the encryption,

my line: isakmp policy 10 encryption aes-256

your line:isakmp policy 10 encryption aes

what is the correct one? the rest is the same.

bfensty74 · ‎03-14-2006

Ok I added the commands that you have suggested except for the following:

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

I have these already in the config except the aes is different. I setup the VPN Client to try it and it does not connect.

bfensty74 · ‎03-14-2006

I entered the following commands above and it is not working it drops the VPN Session. I'm not sure what the issue could be.

jackko · ‎03-14-2006

the matter is the "isakmp policy xx group 2". vpn client needs group 2, and the one in the current config is group 5.

bfensty74 · ‎03-14-2006

I have tried the command with that policy group but it didn't work. What does that VPN Client settings have to be? and what does group 5 used for?

jackko · ‎03-14-2006

please post the entire config with the new codes for remote vpn access, and with public ip masked.

bfensty74 · ‎03-15-2006

I had to break the config into two posts:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 2H4EJa4GvUZX9c37 encrypted

passwd r2GpfkG8FmLh6qa5 encrypted

hostname XXXXXXXXXXX