New Member

Adding Remote VPN Access with SitetoSite Tunnel

How can I add a Remote Access VPN connection on a PIX, for a user to access their network from home, when the PIX already has a VPN-to-VPN tunnel to another network?

19 REPLIES
New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

Below is a sample configuration for both a LAN-to-LAN VPN and remote VPN access on a single PIX:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 1.1.x.x.x.x.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool ippool 10.1.1.11-10.1.1.21
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set vpnset
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
isakmp enable outside
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password xxxx
username xxxx password xxxx
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

The problem I'm having is that there is already an established VPN-to-VPN tunnel there, along with two nat (inside) statements and three access-lists. I'm trying to add a remote VPN to that and I'm struggling. I could post the config and let you guys look at it.

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

Please do so then, with the public IP masked.

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

Here it is, thanks, with the outside IP masked.

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname XXXXXXXXXXXX
domain-name Caresite.org
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.191.201
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.223.129
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.249
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.186.193
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.223
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.253
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.242.20
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.191.201
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.223.129
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.249
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.186.193
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.223
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.253
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.242.20
access-list INBOUND-ACL permit tcp host 24.104.25.121 host 71.39.xxx.xxx eq 3389
access-list INBOUND-ACL permit tcp host 70.150.232.75 host 71.39.xxx.xxx eq 3389
access-list caresiteedwardsvpn permit ip host 159.240.242.20 192.168.193.32 255.255.255.224
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 71.39.xxx.xxx 255.255.255.248
ip address inside 192.168.193.33 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 71.39.xxx.xxx 3389 192.168.193.34 3389 netmask 255.255.255.255 0 0
access-group INBOUND-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 71.39.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
crypto map VPN-MAP 10 match address Geisinger-VPN
crypto map VPN-MAP 10 set peer 159.240.9.34
crypto map VPN-MAP 10 set transform-set ESP-AES-256-SHA
crypto map VPN-MAP interface outside
isakmp enable outside
isakmp key ******** address 159.240.9.34 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 204.186.64.224 255.255.255.240 outside
ssh 24.104.25.121 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.193.50-192.168.193.62 inside
dhcpd dns 159.x.x.x.x.0.35
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain CSEdwards
dhcpd enable inside
terminal width 80

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

access-list No-NAT permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0
access-list 120 permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0
ip local pool ippool 172.16.8.51-172.16.8.60
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map VPN-MAP 20 ipsec-isakmp dynamic dynmap
crypto map VPN-MAP client configuration address initiate
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP client authentication LOCAL
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password cisco123
username xxxx password xxxx

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

This will work for a user to access the network from home, right? I have to change the usernames and passwords and it should work. The only thing I have a question on is the isakmp policy: yours is almost exactly what I have, except for the encryption.

my line: isakmp policy 10 encryption aes-256
your line: isakmp policy 10 encryption aes

Which is the correct one? The rest is the same.

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

OK, I added the commands you suggested except for the following:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I already have these in the config, except the AES setting is different. I set up the VPN Client to try it and it does not connect.

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

I entered the commands above and it is not working; it drops the VPN session. I'm not sure what the issue could be.

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

The issue is the "isakmp policy xx group 2" line. The VPN Client needs group 2, and the one in the current config is group 5.

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

I have tried the command with that policy group but it didn't work. What do the VPN Client settings have to be, and what is group 5 used for?

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

Please post the entire config with the new commands for remote VPN access, with the public IP masked.

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

I had to break the config into two posts:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2H4EJa4GvUZX9c37 encrypted
passwd r2GpfkG8FmLh6qa5 encrypted
hostname XXXXXXXXXXX
domain-name Caresite.org
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.191.201
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.223.129
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.249
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.186.193
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.223
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.183.253
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0
access-list Geisinger-VPN permit ip 192.168.193.32 255.255.255.224 host 159.240.242.20
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.191.201
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.223.129
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.249
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.186.193
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.223
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.183.253
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 host 159.240.242.20
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0
access-list INBOUND-ACL permit tcp host 24.104.25.121 host 71.39.xxx.xxx eq 3389
access-list INBOUND-ACL permit tcp host 70.150.232.75 host 71.39.xxx.xxx eq 3389
access-list caresiteedwardsvpn permit ip host 159.240.242.20 192.168.193.32 255.255.255.224
access-list 120 permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0
pager lines 24
mtu outside 150
mtu inside 1500
ip address outside 71.39.xxx.xxx 255.255.255.248
ip address inside 192.168.193.33 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.8.51-172.16.8.60
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list No-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 71.39.xxx.xxx 3389 192.168.193.34 3389 netmask 255.255.255.255 0 0
access-group INBOUND-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 71.39.xxx.xxx 1

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

The second part:

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map VPN-MAP 10 ipsec-isakmp
crypto map VPN-MAP 10 match address Geisinger-VPN
crypto map VPN-MAP 10 set peer 159.240.9.34
crypto map VPN-MAP 10 set transform-set ESP-AES-256-SHA
crypto map VPN-MAP 20 ipsec-isakmp dynamic dynmap
crypto map VPN-MAP client configuration address initiate
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP client authentication LOCAL
crypto map VPN-MAP interface outside
isakmp enable outside
isakmp key ******** address 159.240.9.34 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
vpngroup split-tunnel idle-time 1800
telnet timeout 5
console timeout 0
dhcpd address 192.168.193.50-192.168.193.62 inside
dhcpd dns 159.240.191.201 24.104.0.35
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain CSEdwards
dhcpd enable inside
username homevpn password xxxx privilege 2
terminal width 80
Cryptochecksum:xxx
: end

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

The issue is related to the current isakmp policy. As mentioned, the VPN Client software needs group 2 instead of 5.

Please add:

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Have a look at this Cisco doc for further info:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00802d3ac3.html#wp1168133
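The thread's root cause is a coexistence problem: the site-to-site peer negotiates DH group 5, the VPN Client needs a group 2 policy, and the client pool must also be exempted from NAT and listed in the split-tunnel ACL. The following Python script is an added example (not code from the thread or from Cisco) that parses a PIX 6.3-style config and reports those three gaps. The config text inside it is constructed from the lines posted above, trimmed to the remote-access pieces; the parser only understands the handful of commands it needs.

```python
import ipaddress

# Constructed sample: the remote-access pieces of the thread's config before the
# fix (only a group 5 ISAKMP policy, which the site-to-site peer uses).
SAMPLE_CONFIG = """\
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 192.168.194.0 255.255.255.0
access-list No-NAT permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0
access-list 120 permit ip 192.168.193.32 255.255.255.224 172.16.8.0 255.255.255.0
ip local pool ippool 172.16.8.51-172.16.8.60
nat (inside) 0 access-list No-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map VPN-MAP 10 ipsec-isakmp
crypto map VPN-MAP 20 ipsec-isakmp dynamic dynmap
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
"""

# The second policy suggested in the thread (a separate policy number, so the
# site-to-site peer keeps negotiating group 5 via policy 10).
GROUP2_FIX = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""


def _net(tokens):
    """Parse 'host A' or 'A MASK' at the head of tokens -> (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Extract ISAKMP policies, 'permit ip' ACL entries, pools, nat 0, dynamic maps, vpngroups."""
    cfg = {"policies": {}, "acls": {}, "pools": {}, "nat0_acl": None,
           "dynamic_maps": [], "vpngroups": {}}
    for raw in text.splitlines():
        p = raw.split()
        if not p or raw.startswith(":"):          # PIX uses ':' for comment lines
            continue
        if p[:2] == ["isakmp", "policy"] and len(p) >= 5:
            cfg["policies"].setdefault(p[2], {})[p[3]] = " ".join(p[4:])
        elif p[0] == "access-list" and len(p) >= 7 and p[2:4] == ["permit", "ip"]:
            src, rest = _net(p[4:])
            dst, _ = _net(rest)
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["ip", "local", "pool"] and len(p) == 5:
            first, last = p[4].split("-")
            cfg["pools"][p[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif p[0] == "nat" and len(p) >= 5 and p[2] == "0" and p[3] == "access-list":
            cfg["nat0_acl"] = p[4]
        elif p[:2] == ["crypto", "map"] and "dynamic" in p:
            cfg["dynamic_maps"].append(p[2])
        elif p[0] == "vpngroup" and len(p) >= 4:
            cfg["vpngroups"].setdefault(p[1], {})[p[2]] = p[3]
    return cfg


def check_remote_access(cfg):
    """Return a list of findings; an empty list means the remote-access pieces line up."""
    findings = []
    if not any(pol.get("group") == "2" for pol in cfg["policies"].values()):
        findings.append("no isakmp policy with 'group 2'; VPN Client phase 1 will fail")
    if not cfg["dynamic_maps"]:
        findings.append("no 'crypto map ... ipsec-isakmp dynamic' entry for remote clients")
    for name, grp in cfg["vpngroups"].items():
        pool = cfg["pools"].get(grp.get("address-pool"))
        if pool is None:
            findings.append(f"vpngroup {name}: address-pool is not defined")
            continue
        first, last = pool
        # The pool must be a destination in both the nat 0 ACL and the split-tunnel ACL.
        for label, acl in (("nat 0 exemption", cfg["nat0_acl"]),
                           ("split-tunnel", grp.get("split-tunnel"))):
            entries = cfg["acls"].get(acl, [])
            if not any(first in dst and last in dst for _, dst in entries):
                findings.append(f"vpngroup {name}: pool {first}-{last} not covered by {label} ACL {acl}")
    return findings


def check_text(text):
    return check_remote_access(parse_config(text))


if __name__ == "__main__":
    for label, text in (("before fix", SAMPLE_CONFIG), ("after fix", SAMPLE_CONFIG + GROUP2_FIX)):
        print(label, "->", check_text(text) or "OK")
```

Run it against a `show run` dump instead of the embedded sample to get the same three checks on a live config; note that it deliberately ignores the passwords and pre-shared keys, which are the one thing a config lint should never echo.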

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

I'm getting the following:

1 18:44:37.369 03/15/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
2 18:44:37.369 03/15/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
3 18:44:37.369 03/15/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

Verify the profile created in the VPN Client software. The username should be "vpnclient" and the password should be "********", the value you put in with the last command above.

A popup window will appear for username and password after you double-click to start connecting. Enter the one created by the username command.

New Member

Re: Adding Remote VPN Access with SitetoSite Tunnel

I got it. Thanks for all your help. Thanks again.

Gold

Re: Adding Remote VPN Access with SitetoSite Tunnel

It's good to learn that the issue has been resolved.