pix 525 vpnclient users and another vpn with a checkpoint.

bellefontainea
Level 1

I have a PIX 525 with IOS 5.1(1).

Today I have remote mobile users accessing services on the local LAN through the internet with the VPN tunnel.

I need to add another tunnel with a Checkpoint. We will be using DES and hash MD5.

However, when I get the new one working, the original VPN doesn't work.

I think I know why but do not know how to fix it.

The original config is:

access-list vpnaccess permit ip 172.x.x.0 255.255.252.0 172.x.x 255.255.252.0

ip local pool vpnpool 172.x.x.221-172.x.x.240

nat (inside) 0 access-list vpnaccess

crypto ipsec transform-set strong esp-des esp-md5-hmac

crypto dynamic-map vpnname 1 set transform-set strong

crypto map wbxxx 2 ipsec-isakmp dynamic vpnname

crypto map wbxxx client configuration address initiate

crypto map wbxxx client configuration address respond

crypto map wbxxxx client authentication cm200s13

crypto map wbxxx interface outside

isakmp enable outside

isakmp key mypresharekey address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local vpnpool outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 14400

This is when my original VPN works (client to firewall).

I have set up this for the new VPN tunnel.

Another access list:

access-list 105 permit ip host x.x.x.x host x.x.x.x (he only needs to access one machine on the internal network to push purchase orders to it using port 5555).

When I do the nat (inside) 0 access-list 105, I lose the original one for the access list vpnaccess.

I had also added the following:

crypto ipsec transform-set (name) esp-des-md5-hmac

crypto map mro 10 ipsec-isakmp

crypto map mro 10 match address 105

crypto map mro 10 set peer ( Ip address of the checkpoint outside interface)

crypto map mro 10 set security-association lifetime seconds 900 kilobytes 460800

crypto map mro interface outside (when I do this I lose my original one of wbxxx)

isakmp key (what me and Checkpoint agreed upon)

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 900

Can I not have two separate VPNs using two separate policies and authentication practices?

3 Replies

gfullage
Cisco Employee

You can have two separate VPNs, but you can only have one crypto map applied to the outside interface, so you have to put them both under the one crypto map. You can also only have one "nat 0" access-list command, so you need to combine these also.

For your nat 0 stuff, do:

access-list vpnaccess permit ip 172.x.x.0 255.255.252.0 172.x.x.x 255.255.252.0

access-list vpnaccess permit ip host x.x.x.x host x.x.x.x

nat (inside) 0 access-list vpnaccess

Leave ACL 105 in there also, because you need it for your crypto map; just note that the 2nd line of the "vpnaccess" ACL above is the same as ACL 105. Now for your crypto maps, do:

> crypto ipsec transform-set (name) esp-des esp-md5-hmac

> crypto ipsec transform-set strong esp-des esp-md5-hmac

> crypto dynamic-map vpnname 1 set transform-set strong

> crypto map mro 10 ipsec-isakmp

> crypto map mro 10 match address 105

> crypto map mro 10 set peer ( Ip address of the checkpoint outside interface)

> crypto map mro 10 set trans (name)

> crypto map mro 10 set security-association lifetime seconds 900 kilobytes 460800

> crypto map mro 20 ipsec-isakmp dynamic vpnname

> crypto map mro client configuration address initiate

> crypto map mro client configuration address respond

> crypto map mro client authentication cm200s13

This combines the two together using a different instance number (10 and 20). Then put this one crypto map on the outside interface with:

> crypto map mro interface outside

Then for your pre-shared keys, do:

> isakmp key address netmask 255.255.255.255 no-xauth no-config-mode

> isakmp key mypresharekey address 0.0.0.0 netmask 0.0.0.0

The "no-xauth no-config-mode" at the end of the CP pre-shared key is important because it tells the PIX not to do extended authentication and not to try to assign the CheckPoint an IP address like it would with a VPN Client coming in.

bellefontainea
Level 1

Thanks, this has fixed it up. I now have both VPNs working.

wbuchinger
Level 1

You need to configure your second crypto map statements into the wbxxx statements. For example, you need to use a different line number such as 10 than you already have: crypto map wbxxx 10 ipsec-isakmp, etc. As long as you use different priority numbers in the map you can use the same map name. To use multiple tunnels on one interface you must use the same map name, because only one crypto map name at a time can be configured on an interface. When you enabled the other crypto map on the outside interface you pulled off your original map, and that is why it stops working.
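As an added example (not from the thread or from Cisco), the Python lint below checks a PIX-style config for the three points gfullage and wbuchinger make: only the last crypto map bound to an interface is active, only one "nat 0" access-list is active, and the static peer's match-address rule must also appear in the nat 0 ACL. The config text is constructed and the addresses are documentation ranges.

```python
# Added example, not the thread's config: lint a PIX 6.x-style config for the
# "only one crypto map per interface / only one nat 0 ACL" constraints.
import re
from collections import defaultdict

def lint(config):
    acls, bound, nat0, match = defaultdict(list), defaultdict(list), defaultdict(list), []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip (.+)", line):
            acls[m[1]].append(m[2])                      # acl name -> rule bodies
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]].append(m[2])                      # interface -> nat 0 ACLs, in order
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m[2]].append(m[1])                     # interface -> maps bound, in order
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            match.append((m[1], m[2], m[3]))             # static entries and their ACL
    problems = []
    for iface, names in bound.items():                   # only the last bind takes effect
        if len(set(names)) > 1:
            problems.append(f"{iface}: crypto maps {names} bound; only '{names[-1]}' is active")
    for iface, names in nat0.items():                    # a later nat 0 replaces the earlier one
        if len(names) > 1:
            problems.append(f"nat ({iface}) 0: ACLs {names}; only '{names[-1]}' is active")
    exempt = {r for names in nat0.values() for r in acls[names[-1]]}
    for mapname, seq, acl in match:                      # static peer traffic must be NAT-exempt
        for rule in acls[acl]:
            if rule not in exempt:
                problems.append(f"crypto map {mapname} {seq}: '{rule}' (ACL {acl}) not NAT-exempt")
    return problems

# Constructed configs mirroring the thread: the original two-map attempt and the merged fix.
BROKEN = """\
access-list vpnaccess permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list 105 permit ip host 172.16.1.10 host 192.0.2.20
nat (inside) 0 access-list vpnaccess
nat (inside) 0 access-list 105
crypto map wbxxx interface outside
crypto map mro 10 match address 105
crypto map mro interface outside"""
FIXED = """\
access-list vpnaccess permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list vpnaccess permit ip host 172.16.1.10 host 192.0.2.20
access-list 105 permit ip host 172.16.1.10 host 192.0.2.20
nat (inside) 0 access-list vpnaccess
crypto map mro 10 match address 105
crypto map mro interface outside"""
# FIXED without the host line copied into vpnaccess: the Checkpoint traffic would get NATed.
HALF = FIXED.replace("access-list vpnaccess permit ip host 172.16.1.10 host 192.0.2.20\n", "")
```

Running `lint(BROKEN)` reports both clobbered commands, `lint(FIXED)` reports nothing, and `lint(HALF)` reports only the missing NAT exemption.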