01-12-2004 11:10 AM - edited 02-21-2020 12:59 PM
I've been working on this problem for a month and I've hit a wall. I've got some users who need to start working from home and I have to get VPN up on our PIX 515 ASAP. We have inside, dmz, & outside zones set up currently. I have an IPSEC tunnel set up already on the PIX to access the ANX network. I also have a group of users that use a Nortel Client to access another company's VPN. Every time I try to set up IPSEC for my remote users, I take down either my ANX tunnel or my Nortel VPN users.
I need my external users to be able to get to all inside network resources.
If someone is located in Southeastern Michigan, I will contract out for help since I'm desperate.
Here's my PIX config...
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password LTPL3EG2CAB2Dllq encrypted
passwd LTPL3EG2CAB2Dllq encrypted
hostname fwpartech1
domain-name partechgss.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 209.196.42.201 IsuzuONE
name 192.168.1.25 WebServer1
name 144.228.79.182 ITR_TAL_Server
name 64.118.139.52 secondary_dns
name 64.118.139.51 primary_dns
name 192.168.0.205 TAL_Gheald
name 192.168.0.204 TAL_MRuiz
name 192.168.0.203 TAL_GBriolat
name 192.168.0.202 TAL_GKolb
name 192.168.0.201 TAL_MWedge
name 192.168.0.206 eSI_PNair
name 192.85.5.49 GMeSI_dbserver
name 192.168.0.98 ACasadei
object-group service isuzuvpntcp tcp
port-object eq h323
port-object eq 17
port-object eq 50
object-group service isuzuvpn udp
port-object eq secureid-udp
port-object range isakmp 600
object-group network TAL_ref
network-object 64.118.150.213 255.255.255.255
network-object 64.118.150.214 255.255.255.255
network-object 64.118.150.215 255.255.255.255
network-object 64.118.150.217 255.255.255.255
network-object 64.118.150.216 255.255.255.255
object-group network TAL
network-object TAL_MWedge 255.255.255.255
network-object TAL_GKolb 255.255.255.255
network-object TAL_GBriolat 255.255.255.255
network-object TAL_MRuiz 255.255.255.255
network-object TAL_Gheald 255.255.255.255
object-group network TAL_ref_1
network-object 64.118.150.213 255.255.255.255
network-object 64.118.150.214 255.255.255.255
network-object 64.118.150.217 255.255.255.255
network-object 64.118.150.216 255.255.255.255
network-object 64.118.150.215 255.255.255.255
object-group network GM_eSI
network-object eSI_PNair 255.255.255.255
object-group network GM_eSI_ref
network-object 64.118.150.220 255.255.255.255
access-list outside_access_in permit tcp any host 64.118.150.212 eq www
access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp
access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp-data
access-list outside_access_in permit tcp any host 64.118.150.212 eq smtp
access-list outside_access_in permit icmp host 64.118.150.210 64.118.150.208 255.255.255.240 echo-reply
access-list outside_access_in permit udp host ITR_TAL_Server eq isakmp object-group TAL_ref_1
access-list outside_access_in permit esp host ITR_TAL_Server object-group TAL_ref_1
access-list outside_access_in permit ip host GMeSI_dbserver object-group GM_eSI_ref
access-list outside_access_in permit icmp host GMeSI_dbserver object-group GM_eSI_ref
access-list outside_access_in permit udp host GMeSI_dbserver object-group GM_eSI_ref
access-list dmz_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list dmz_access_in permit tcp host WebServer1 host primary_dns
access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_access_in permit ip any any
access-list inside_access_in permit ip any any
access-list 110 permit ip host 64.118.150.210 host GMeSI_dbserver
access-list 110 permit ip host 64.118.150.220 host GMeSI_dbserver
pager lines 24
logging on
logging timestamp
logging trap notifications
logging history notifications
logging host inside 192.168.0.1
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.118.150.210 255.255.255.248
ip address inside 192.168.0.10 255.255.255.0
ip address dmz 192.168.1.10 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.99 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.0.97 255.255.255.255 inside
pdm location WebServer1 255.255.255.255 dmz
pdm location IsuzuONE 255.255.255.255 outside
pdm location 192.168.0.1 255.255.255.255 inside
pdm location ITR_TAL_Server 255.255.255.255 outside
pdm location 206.126.161.15 255.255.255.255 outside
pdm location 64.118.150.212 255.255.255.255 outside
pdm location primary_dns 255.255.255.255 outside
pdm location secondary_dns 255.255.255.255 outside
pdm location TAL_MWedge 255.255.255.255 inside
pdm location TAL_GKolb 255.255.255.255 inside
pdm location TAL_GBriolat 255.255.255.255 inside
pdm location TAL_MRuiz 255.255.255.255 inside
pdm location TAL_Gheald 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.240 dmz
pdm location GMeSI_dbserver 255.255.255.255 outside
pdm location 192.168.0.192 255.255.255.192 inside
pdm location eSI_PNair 255.255.255.255 inside
pdm location ACasadei 255.255.255.255 inside
pdm group TAL inside
pdm group TAL_ref_1 outside reference TAL
pdm group GM_eSI inside
pdm group GM_eSI_ref outside reference GM_eSI
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
static (dmz,outside) 64.118.150.212 WebServer1 dns netmask 255.255.255.255 0 0
static (inside,outside) 64.118.150.213 TAL_MWedge netmask 255.255.255.255 0 0
static (inside,outside) 64.118.150.214 TAL_GKolb netmask 255.255.255.255 0 0
static (inside,outside) 64.118.150.215 TAL_Gheald netmask 255.255.255.255 0 0
static (inside,outside) 64.118.150.217 TAL_GBriolat netmask 255.255.255.255 0 0
static (inside,outside) 64.118.150.216 TAL_MRuiz netmask 255.255.255.255 0 0
static (inside,outside) 64.118.150.220 eSI_PNair netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 64.118.150.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http ACasadei 255.255.255.255 inside
http 192.168.0.99 255.255.255.255 inside
http 192.168.0.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set anx esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map ipsec 30 ipsec-isakmp
crypto map ipsec 30 match address 110
crypto map ipsec 30 set peer 198.208.7.2
crypto map ipsec 30 set transform-set anx
crypto map ipsec interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 198.208.7.2 netmask 255.255.255.255
isakmp peer ip 144.228.79.182 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
telnet 192.168.0.99 255.255.255.255 inside
telnet 192.168.0.1 255.255.255.255 inside
telnet ACasadei 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn username acasadei password ********
vpdn enable outside
vpdn enable inside
vpdn enable dmz
terminal width 80
01-12-2004 12:09 PM
Hello,
If I understand correctly, you need to get your external users connected to the Outside interface by utilizing one crypto map name but with a different number. I am running a PIX to PIX IPSec tunnel along with remote user access to the Outside interface.
Remove These Lines:
crypto map ipsec interface outside
crypto map inside_map interface inside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
Add This Line:
crypto map ipsec 99 ipsec-isakmp dynamic inside_dyn_map
crypto map ipsec interface outside
This will allow remote users to connect to your Outside interface using your dynamic crypto map settings. Since I did not read your whole config, remember to make sure you have the following configured:
1. Address pool for vpngroup command set
2. Access-list allowing vpngroup access to inside without NAT
**Most of all, remember before you configure anything to remove the crypto map interface command and then edit your crypto map.
I hope this helps...
Ryan
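The change Ryan describes, written out as one consolidated PIX 6.x configuration; this is an added example, not config from the thread, and it puts the dynamic entry on the same `ipsec` map as the ANX peer with a sequence number above entry 30 so the static site-to-site peer is matched first. The pool `192.168.10.0/24`, the group name `remoteusers`, the ACL name `nonat`, and the use of LOCAL xauth with a `username` entry are assumptions not present in the original config; the `isakmp peer ip ... no-xauth no-config-mode` exemption for 198.208.7.2 mirrors the one the config already has for 144.228.79.182 and is what keeps the ANX tunnel from being prompted for xauth once client authentication is enabled on the shared map.

```cisco
: Unbind the maps before editing them (the colon is the PIX comment character)
no crypto map inside_map interface inside
no crypto map ipsec interface outside
no crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
: The inside-facing IKE listener is no longer needed once the inside map is gone
no isakmp enable inside
:
: Assumed client pool; it must not overlap 192.168.0.0/24 or 192.168.1.0/24
ip local pool vpnpool 192.168.10.1-192.168.10.50
:
: Exempt inside-to-client traffic from NAT so replies return through the tunnel
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
:
: Assumed remote-access group; the same ACL doubles as the split-tunnel list
: so only traffic for the inside network is sent over the tunnel
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 64.118.139.51
vpngroup remoteusers default-domain partechgss.com
vpngroup remoteusers split-tunnel nonat
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password ********
:
: Per-user xauth against the local database (assumed user; aaa-server LOCAL exists)
username remoteuser1 password ******** privilege 2
crypto map ipsec client authentication LOCAL
crypto map ipsec client configuration address initiate
:
: The site-to-site peer must be exempted from xauth and mode-config, otherwise
: the ANX tunnel stalls waiting for a username once the map-wide xauth is on
isakmp peer ip 198.208.7.2 no-xauth no-config-mode
:
: Dynamic entry on the existing map, above static entry 30, then rebind the map
crypto map ipsec 99 ipsec-isakmp dynamic inside_dyn_map
crypto map ipsec interface outside
isakmp enable outside
```

After applying this, `show crypto map` should list entry 30 with its static peer and entry 99 as dynamic on the same map, and `show isakmp sa` should still show the 198.208.7.2 association once traffic matching access-list 110 brings it up.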