New Member

Need help with Pix 515 VPN

I've been working on this problem for a month and I've hit a wall. I've got some users who need to start working from home and I have to get VPN up on our PIX515 ASAP. We have inside, dmz, and outside zones set up currently. I have an IPSEC tunnel set up already on the pix to access the ANX network. I also have a group of users that use a Nortel Client to access another company's VPN. Every time I try to set up ipsec for my remote users, I take down either my ANX tunnel or my Nortel VPN users.

I need my external users to be able to get to all inside network resources.

If someone is located in Southeastern Michigan, I will contract out for help since I'm desperate.

Here's my Pix config...

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password LTPL3EG2CAB2Dllq encrypted

passwd LTPL3EG2CAB2Dllq encrypted

hostname fwpartech1

domain-name partechgss.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 209.196.42.201 IsuzuONE

name 192.168.1.25 WebServer1

name 144.228.79.182 ITR_TAL_Server

name 64.118.139.52 secondary_dns

name 64.118.139.51 primary_dns

name 192.168.0.205 TAL_Gheald

name 192.168.0.204 TAL_MRuiz

name 192.168.0.203 TAL_GBriolat

name 192.168.0.202 TAL_GKolb

name 192.168.0.201 TAL_MWedge

name 192.168.0.206 eSI_PNair

name 192.85.5.49 GMeSI_dbserver

name 192.168.0.98 ACasadei

object-group service isuzuvpntcp tcp

port-object eq h323

port-object eq 17

port-object eq 50

object-group service isuzuvpn udp

port-object eq secureid-udp

port-object range isakmp 600

object-group network TAL_ref

network-object 64.118.150.213 255.255.255.255

network-object 64.118.150.214 255.255.255.255

network-object 64.118.150.215 255.255.255.255

network-object 64.118.150.217 255.255.255.255

network-object 64.118.150.216 255.255.255.255

object-group network TAL

network-object TAL_MWedge 255.255.255.255

network-object TAL_GKolb 255.255.255.255

network-object TAL_GBriolat 255.255.255.255

network-object TAL_MRuiz 255.255.255.255

network-object TAL_Gheald 255.255.255.255

object-group network TAL_ref_1

network-object 64.118.150.213 255.255.255.255

network-object 64.118.150.214 255.255.255.255

network-object 64.118.150.217 255.255.255.255

network-object 64.118.150.216 255.255.255.255

network-object 64.118.150.215 255.255.255.255

object-group network GM_eSI

network-object eSI_PNair 255.255.255.255

object-group network GM_eSI_ref

network-object 64.118.150.220 255.255.255.255

access-list outside_access_in permit tcp any host 64.118.150.212 eq www

access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp

access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp-data

access-list outside_access_in permit tcp any host 64.118.150.212 eq smtp

access-list outside_access_in permit icmp host 64.118.150.210 64.118.150.208 255.255.255.240 echo-reply

access-list outside_access_in permit udp host ITR_TAL_Server eq isakmp object-group TAL_ref_1

access-list outside_access_in permit esp host ITR_TAL_Server object-group TAL_ref_1

access-list outside_access_in permit ip host GMeSI_dbserver object-group GM_eSI_ref

access-list outside_access_in permit icmp host GMeSI_dbserver object-group GM_eSI_ref

access-list outside_access_in permit udp host GMeSI_dbserver object-group GM_eSI_ref

access-list dmz_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply

access-list dmz_access_in permit tcp host WebServer1 host primary_dns

access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list dmz_access_in permit ip any any

access-list inside_access_in permit ip any any

access-list 110 permit ip host 64.118.150.210 host GMeSI_dbserver

access-list 110 permit ip host 64.118.150.220 host GMeSI_dbserver

pager lines 24

logging on

logging timestamp

logging trap notifications

logging history notifications

logging host inside 192.168.0.1

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 64.118.150.210 255.255.255.248

ip address inside 192.168.0.10 255.255.255.0

ip address dmz 192.168.1.10 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.2 255.255.255.255 inside

pdm location 192.168.0.99 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.0 inside

pdm location 0.0.0.0 255.255.255.0 outside

pdm location 192.168.0.97 255.255.255.255 inside

pdm location WebServer1 255.255.255.255 dmz

pdm location IsuzuONE 255.255.255.255 outside

pdm location 192.168.0.1 255.255.255.255 inside

pdm location ITR_TAL_Server 255.255.255.255 outside

pdm location 206.126.161.15 255.255.255.255 outside

pdm location 64.118.150.212 255.255.255.255 outside

pdm location primary_dns 255.255.255.255 outside

pdm location secondary_dns 255.255.255.255 outside

pdm location TAL_MWedge 255.255.255.255 inside

pdm location TAL_GKolb 255.255.255.255 inside

pdm location TAL_GBriolat 255.255.255.255 inside

pdm location TAL_MRuiz 255.255.255.255 inside

pdm location TAL_Gheald 255.255.255.255 inside

pdm location 192.168.1.16 255.255.255.240 dmz

pdm location GMeSI_dbserver 255.255.255.255 outside

pdm location 192.168.0.192 255.255.255.192 inside

pdm location eSI_PNair 255.255.255.255 inside

pdm location ACasadei 255.255.255.255 inside

pdm group TAL inside

pdm group TAL_ref_1 outside reference TAL

pdm group GM_eSI inside

pdm group GM_eSI_ref outside reference GM_eSI

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz,outside) 64.118.150.212 WebServer1 dns netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.213 TAL_MWedge netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.214 TAL_GKolb netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.215 TAL_Gheald netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.217 TAL_GBriolat netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.216 TAL_MRuiz netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.220 eSI_PNair netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 64.118.150.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http ACasadei 255.255.255.255 inside

http 192.168.0.99 255.255.255.255 inside

http 192.168.0.1 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set anx esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto map ipsec 30 ipsec-isakmp

crypto map ipsec 30 match address 110

crypto map ipsec 30 set peer 198.208.7.2

crypto map ipsec 30 set transform-set anx

crypto map ipsec interface outside

isakmp enable outside

isakmp enable inside

isakmp key ******** address 198.208.7.2 netmask 255.255.255.255

isakmp peer ip 144.228.79.182 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 1

isakmp policy 30 lifetime 86400

isakmp policy 40 authentication rsa-sig

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

isakmp policy 60 authentication pre-share

isakmp policy 60 encryption 3des

isakmp policy 60 hash sha

isakmp policy 60 group 2

isakmp policy 60 lifetime 86400

telnet 192.168.0.99 255.255.255.255 inside

telnet 192.168.0.1 255.255.255.255 inside

telnet ACasadei 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

vpdn username acasadei password ********

vpdn enable outside

vpdn enable inside

vpdn enable dmz

terminal width 80

3 REPLIES

Re: Need help with Pix 515 VPN

Hi,

Should not be a problem and we can probably save you a few bucks. First a few questions:

1. What is the purpose of these lines in the config?

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

2. Can I assume that the following are the clients that need to connect through the PIX to the remote VPNs?

name 192.168.0.205 TAL_Gheald

name 192.168.0.204 TAL_MRuiz

name 192.168.0.203 TAL_GBriolat

name 192.168.0.202 TAL_GKolb

name 192.168.0.201 TAL_MWedge

name 192.168.0.206 eSI_PNair

3. I assume your users that are going to be working from home will access this PIX via the Internet on the outside interface?

Let me know and we can start cleaning and then adding the proper config.

Scott

New Member

Re: Need help with Pix 515 VPN

Thanks for replying!!

1. I didn't set up the IPSEC tunnel for our ANX connection. The company that we contracted to added some lines. These would all be for a tunnel going to 64.118.150.210.

2. The named TAL_xxx users are using a Nortel VPN client to access an external company's VPN.

The named eSI_xxx users are using a static map to access the ANX site to site IPSEC tunnel.

3. Yes, my users are going to be accessing this PIX via the outside interface.

Thanks

Andrea

acasadei@partecghss.com

Re: Need help with Pix 515 VPN

OK, thanks. First thing is going to be to remove the following lines from the config to clean it up a bit (just paste the following commands into the PIX):

no crypto map inside_map interface inside

no isakmp enable inside

no crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA

no crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA

no crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

The next part is going to be adding in the proper commands. In order to get this to work, you are going to need to take your working tunnel down temporarily until the changes can be made. So you may want to schedule this during off-hours. Once you are ready, try pasting the following commands in:

no crypto map ipsec interface outside

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map ipsec 10 ipsec-isakmp dynamic dynmap

ip local pool ippool 192.168.2.1-192.168.2.254

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server

vpngroup vpn3000 wins-server

vpngroup vpn3000 default-domain

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password cisco

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list nonat

Add these commands into the PIX config and verify that they all look good. You will probably want to change the group name (vpn3000 above) and the password (cisco) to something specific. And, please add in the proper addresses for the DNS server and WINS server if needed. If all looks good, then go ahead and re-enable the crypto map by adding the following back into the PIX:

crypto map ipsec interface outside

Your LAN-to-LAN tunnel should come back up and your client tunnels should now work as well. The internal VPN clients should be unaffected. Of course there is a lot of stuff you can do, but give this a shot and let us know. Good luck.

Scott

PS - Please sanity check this, guys (Glenn and Nadeem), as I did this kinda fast.
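As an added illustration (not part of this thread and not Scott's instructions), here is a small Python audit that runs over a constructed excerpt modelled on the config above and flags the items the thread deals with: the crypto map and ISAKMP bound to the inside interface, a VPN address pool with no nat 0 exemption, and the malformed nonat access-list line, plus two weaknesses visible in the posted config (single-DES transform sets and the default SNMP community). The function name and the excerpt are my own assumptions.

```python
import re

# Constructed excerpt modelled on the PIX 6.2(2) config posted in the thread,
# including the nonat line with the typo as originally posted (not the full config).
SAMPLE_CONFIG = """
snmp-server community public
crypto ipsec transform-set anx esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map inside_map interface inside
crypto map ipsec interface outside
isakmp enable outside
isakmp enable inside
ip local pool ippool 192.168.2.1-192.168.2.254
vpngroup vpn3000 address-pool ippool
access-list nonat permit 192.168.0.0 255.255.255 0 192.168.2.0 255.255.255.0
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ah", "gre"}

def audit_pix_config(text):
    """Line-based heuristic audit of a PIX 6.x config; returns a list of findings."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    for l in lines:
        toks = l.split()
        if re.fullmatch(r"snmp-server community (public|private)", l):
            findings.append("default SNMP community string: " + l)
        if l.startswith("crypto ipsec transform-set") and "esp-des" in toks:
            findings.append("single-DES transform-set: " + l)
        m = re.fullmatch(r"crypto map \S+ interface (\S+)", l)
        if m and m.group(1) != "outside":
            findings.append("crypto map bound to non-outside interface: " + l)
        m = re.fullmatch(r"isakmp enable (\S+)", l)
        if m and m.group(1) != "outside":
            findings.append("ISAKMP enabled on non-outside interface: " + l)
        if l.startswith("access-list") and len(toks) > 3 and toks[2] in ("permit", "deny"):
            if toks[3] not in PROTOCOLS and not toks[3].isdigit():
                findings.append("access-list entry missing protocol keyword: " + l)
            # a three-octet token means a mask was typed with a space instead of a dot
            if any(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){2}", t) for t in toks):
                findings.append("malformed address/mask in access-list: " + l)
    has_pool = any(l.startswith("vpngroup") and "address-pool" in l for l in lines)
    has_nat0 = any(l.startswith("nat (inside) 0 access-list") for l in lines)
    if has_pool and not has_nat0:
        findings.append("VPN address pool defined but no 'nat (inside) 0 access-list' exemption")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the full running config (show running-config output) before and after applying the cleanup commands to confirm the inside-interface crypto bindings are gone and the nat 0 exemption is present.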
