Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX SIte-SIte VPN & VPN client connections

I have a PIX which has been in production with remote VPN clients working fine. I just added a second pix to bring up a site - site tunnel. I can't get both to work at the same time. If the Site - Site is up the clients cannot connect and vis versa. Once I add the "crypto map 'dyn-map' interface outside" for the site - site the clients drop. What am I missing?

2 REPLIES
Bronze

Re: PIX SIte-SIte VPN & VPN client connections

when you have multiple VPN connections terminating on your firewall you apply only 1 static map to the interface...

for the RA VPN you map your dynamic map to your static map. The sequence number in the Dynamic map and static map can be the same or different.

For the site to site tunnel, you will NOT create a dynamic map. You only create a static map with the same name but a DIFFERENT SEQUENCE NUMBER.

Make sure your ACL's are right, and you are bypassing nat (nat (inside) 0 command)...

if still not working, post your configuration and I'll try to support you.

Regards,

New Member

Re: PIX SIte-SIte VPN & VPN client connections

The site - site was up and I was able to connect via VPN client but I couldn't pass traffic. Any additional help will be greatly appreciated.

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname Largo

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 101 permit ip 192.168.51.0 255.255.255.0 172.20.1.0 255.255.255.0

access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.62.0 255.255.255.0

access-list usvvpngroup_splitTunnelAcl permit ip 192.168.51.0 255.255.255.0 any

access-list CLIENT permit ip any 172.20.1.0 255.255.255.0

access-list NoNAT permit ip 192.168.51.0 255.255.255.0 192.168.62.0 255.255.255.0

pager lines 24

logging on

logging console debugging

logging host inside 192.168.1.40

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.248

ip address inside 192.168.51.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool usv-pool 172.20.1.1-172.20.1.254

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.x.x.x 192.168.51.10 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 172.20.1.0 255.255.255.0 inside

snmp-server host inside 192.168.51.107 trap

no snmp-server location

snmp-server contact

snmp-server community

snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set USVAC esp-des esp-md5-hmac

crypto ipsec transform-set VPN esp-aes-256 esp-sha-hmac

crypto dynamic-map CLIENT 2 match address CLIENT

crypto dynamic-map CLIENT 2 set transform-set VPN

crypto map MYMAP 1 ipsec-isakmp

crypto map MYMAP 1 match address 101

crypto map MYMAP 1 set peer x.x.x.x

crypto map MYMAP 1 set transform-set USVAC

crypto map MYMAP 10 ipsec-isakmp dynamic CLIENT

crypto map MYMAP interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.252

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup usvvpngroup address-pool usv-pool

vpngroup usvvpngroup dns-server 4.2.2.2

vpngroup usvvpngroup default-domain usvacation.org

vpngroup usvvpngroup split-tunnel usvvpngroup_splitTunnelAcl

vpngroup usvvpngroup split-dns usvacation.com

vpngroup usvvpngroup idle-time 1800

vpngroup usvvpngroup password ********

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

92
Views
0
Helpful
2
Replies