03-11-2003 09:51 AM - edited 02-21-2020 12:24 PM
I have a PIX 525, IOS 5..1(1).
Today I have remote mobile users accessing services on the local LAN through the Internet with the VPN tunnel.
I need to add another tunnel with a Checkpoint. We will be using DES and hash MD5.
However, when I get the new one working, the original VPN doesn't work.
I think I know why but do not know how to fix it.
The original config is:
access-list vpnaccess permit ip 172.x.x.0 255.255.252.0 172.x.x 255.255.252.0
ip local pool vpnpool 172.x.x.221-172.x.x.240
nat (inside) 0 access-list vpnaccess
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map vpnname 1 set transform-set strong
crypto map wbxxx 2 ipsec-isakmp dynamic vpnname
crypto map wbxxx client configuration address initiate
crypto map wbxxx client configuration address respond
crypto map wbxxxx client authentication cm200s13
crypto map wbxxx interface outside
isakmp enable outside
isakmp key mypresharekey address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 14400
This is when my original VPN works (Client to F/wall).
I have set up this for the new VPN tunnel.
Another access list:
access-list 105 permit ip host x.x.x.x host x.x.x.x (he only needs to access one machine on the internal network to push purchase orders to it using port 5555).
When I do the nat (inside) 0 access-list 105, I lose the original one, access-list vpnaccess.
I had also added the following.
crypto ipsec transform-set (name) esp-des-md5-hmac
crypto map mro 10 ipsec-isakmp
crypto map mro 10 match address 105
crypto map mro 10 set peer ( Ip address of the checkpoint outside interface)
crypto map mro 10 set security-association lifetime seconds 900 kilobytes 460800
crypto map mro interface outside (when I do this I lose my original of wbxxx)
ISAKMP KEY ( WHAT ME AND CHECKPOINT AGREED UPON )
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 900
Can I not have two separate VPNs using two separate policies and authentication practices?
03-11-2003 07:49 PM
You can have two separate VPNs, but you can only have one crypto map applied to the outside interface, so you have to put them both under the one crypto map. You can also only have one "nat 0" access-list command, so you need to combine these also.
For your nat 0 stuff, do:
access-list vpnaccess permit ip 172.x.x.0 255.255.252.0 172.x.x.x 255.255.252.0
access-list vpnaccess permit ip host x.x.x.x host x.x.x.x
nat (inside) 0 access-list vpnaccess
Leave ACL 105 in there also cause you need it for your crypto map, just note that the 2nd line of the "vpnaccess" ACL above is the same as ACL 105. Now for your crypto maps, do:
> crypto ipsec transform-set (name) esp-des esp-md5-hmac
> crypto ipsec transform-set strong esp-des esp-md5-hmac
> crypto dynamic-map vpnname 1 set transform-set strong
> crypto map mro 10 ipsec-isakmp
> crypto map mro 10 match address 105
> crypto map mro 10 set peer ( Ip address of the checkpoint outside interface)
> crypto map mro 10 set trans (name)
> crypto map mro 10 set security-association lifetime seconds 900 kilobytes 460800
> crypto map mro 20 ipsec-isakmp dynamic vpnname
> crypto map mro client configuration address initiate
> crypto map mro client configuration address respond
> crypto map mro client authentication cm200s13
This combines the two together using a different instance number (10 and 20). Then put this one crypto map on the outside interface with:
> crypto map mro interface outside
Then for your pre-shared keys, do:
> isakmp key
> isakmp key mypresharekey address 0.0.0.0 netmask 0.0.0.0
The "no-xauth no-config-mode" at the end of the CP pre-shared key is important cause it'll tell the PIX not to do extended authentication and try and assign the CheckPoint an IP address like it would with a VPN Client coming in.
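The two collisions described in this answer (a second `crypto map ... interface outside` silently replacing the first, and a second `nat (inside) 0 access-list` replacing the first) are easy to miss when reading a long config. The following is an added example, not part of this thread or of any Cisco tool: a small Python linter that scans PIX 6.x-style config text for exactly those two conditions, plus two related ones (a crypto map with entries that is bound to no interface, and a `match address` that points at an ACL with no entries). The sample configs, interface names and addresses below are constructed for the example; the parsing is a line-based heuristic, not a full PIX parser.

```python
"""Lint PIX 6.x-style config text for statements where only the last one wins.

Added example: heuristic line matching, not a full PIX configuration parser.
"""
import re
from collections import defaultdict

# Statement shapes this linter recognises (PIX 6.x syntax as used in the thread).
CRYPTO_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
CRYPTO_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
MATCH_ADDR_RE = re.compile(r"^match address (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")


def lint_pix_config(config_text):
    """Return a list of findings (strings); an empty list means no collisions found."""
    bound = defaultdict(list)     # interface -> crypto map names bound to it, in order
    nat0 = defaultdict(list)      # interface -> ACL names used in 'nat (<if>) 0'
    map_seqs = defaultdict(set)   # crypto map name -> sequence numbers defined
    match_refs = []               # (map name, seq, acl) from 'match address'
    acls = set()                  # ACL names that have at least one entry

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := CRYPTO_IF_RE.match(line):
            bound[m.group(2)].append(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)].append(m.group(2))
        elif m := CRYPTO_ENTRY_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            map_seqs[name].add(seq)
            if mm := MATCH_ADDR_RE.match(rest):
                match_refs.append((name, seq, mm.group(1)))

    findings = []
    # 1. Several crypto map names bound to one interface: only the last is active.
    for iface, names in bound.items():
        distinct = list(dict.fromkeys(names))
        if len(distinct) > 1:
            findings.append(
                f"interface {iface}: crypto maps {', '.join(distinct)} all bound; only "
                f"the last ({distinct[-1]}) is active. Merge the entries under one map "
                f"name with distinct sequence numbers.")
    # 2. Several 'nat (<if>) 0 access-list' statements: only the last is active.
    for iface, acl_names in nat0.items():
        if len(acl_names) > 1:
            findings.append(
                f"nat ({iface}) 0: {len(acl_names)} access-list statements "
                f"({', '.join(acl_names)}); only the last ({acl_names[-1]}) is active. "
                f"Put all NAT-exempt traffic into one ACL.")
    # 3. A crypto map that is defined but never applied to an interface.
    bound_names = {n for names in bound.values() for n in names}
    for name in sorted(map_seqs):
        if name not in bound_names:
            findings.append(
                f"crypto map {name} has entries {sorted(map_seqs[name])} but is not "
                f"applied to any interface.")
    # 4. A 'match address' that points at an ACL with no entries.
    for name, seq, acl in match_refs:
        if acl not in acls:
            findings.append(f"crypto map {name} {seq} matches ACL {acl}, which has no entries.")
    return findings


# Constructed sample modelled on the original poster's situation (placeholder addresses).
BROKEN_CONFIG = """\
access-list vpnaccess permit ip 172.16.0.0 255.255.252.0 172.16.8.0 255.255.252.0
access-list 105 permit ip host 172.16.1.10 host 192.0.2.10
nat (inside) 0 access-list vpnaccess
nat (inside) 0 access-list 105
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map vpnname 1 set transform-set strong
crypto map wbxxx 2 ipsec-isakmp dynamic vpnname
crypto map wbxxx interface outside
crypto map mro 10 ipsec-isakmp
crypto map mro 10 match address 105
crypto map mro 10 set peer 192.0.2.1
crypto map mro 10 set transform-set strong
crypto map mro interface outside
"""

# Constructed sample of the combined form the answer recommends.
FIXED_CONFIG = """\
access-list vpnaccess permit ip 172.16.0.0 255.255.252.0 172.16.8.0 255.255.252.0
access-list vpnaccess permit ip host 172.16.1.10 host 192.0.2.10
access-list 105 permit ip host 172.16.1.10 host 192.0.2.10
nat (inside) 0 access-list vpnaccess
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map vpnname 1 set transform-set strong
crypto map mro 10 ipsec-isakmp
crypto map mro 10 match address 105
crypto map mro 10 set peer 192.0.2.1
crypto map mro 10 set transform-set strong
crypto map mro 20 ipsec-isakmp dynamic vpnname
crypto map mro interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(lint_pix_config(cfg))} finding(s)")
        for f in lint_pix_config(cfg):
            print("  -", f)
```

Run it against a saved `show run` to get the findings; the broken sample above produces two (the doubled crypto map binding and the doubled `nat 0`), the fixed sample none. The third check catches the case where the original map is left defined but orphaned after the new one takes the interface, which is what the poster saw as the client VPN "stopping".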
03-28-2003 04:53 AM
tks, this has fixed it up. I now have both VPNs working.
03-28-2003 06:58 AM
You need to configure your second crypto map statements into the wbxxx statements. For example, you need to use a different line number than the one you already have, such as 10: crypto map wbxxx 10 ipsec-isakmp, etc. As long as you use different priority numbers in the map you can use the same map name. To use multiple tunnels on one interface you must use the same map name because only one crypto map name at a time can be configured on an interface. When you enabled the other crypto map on the outside interface you pulled off your original map, and that is why it stopped working.