PIX515 VPN issues

alcasadei
Level 1

I've been working on this problem for a month and I've hit a wall. I've got some users who need to start working from home and I have to get VPN up on our PIX515 ASAP. We have inside, dmz, and outside zones set up currently. I have an IPSEC tunnel set up already on the pix to access the ANX network. I also have a group of users that use a Nortel Client to access another company's VPN. Every time I try to set up ipsec for my remote users, I take down either my ANX tunnel or my Nortel VPN users.

I need my external users to be able to get to all inside network resources.

If someone is located in Southeastern Michigan, I will contract out for help since I'm desperate.

Here's my Pix config...

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password LTPL3EG2CAB2Dllq encrypted

passwd LTPL3EG2CAB2Dllq encrypted

hostname fwpartech1

domain-name partechgss.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 209.196.42.201 IsuzuONE

name 192.168.1.25 WebServer1

name 144.228.79.182 ITR_TAL_Server

name 64.118.139.52 secondary_dns

name 64.118.139.51 primary_dns

name 192.168.0.205 TAL_Gheald

name 192.168.0.204 TAL_MRuiz

name 192.168.0.203 TAL_GBriolat

name 192.168.0.202 TAL_GKolb

name 192.168.0.201 TAL_MWedge

name 192.168.0.206 eSI_PNair

name 192.85.5.49 GMeSI_dbserver

name 192.168.0.98 ACasadei

object-group service isuzuvpntcp tcp

port-object eq h323

port-object eq 17

port-object eq 50

object-group service isuzuvpn udp

port-object eq secureid-udp

port-object range isakmp 600

object-group network TAL_ref

network-object 64.118.150.213 255.255.255.255

network-object 64.118.150.214 255.255.255.255

network-object 64.118.150.215 255.255.255.255

network-object 64.118.150.217 255.255.255.255

network-object 64.118.150.216 255.255.255.255

object-group network TAL

network-object TAL_MWedge 255.255.255.255

network-object TAL_GKolb 255.255.255.255

network-object TAL_GBriolat 255.255.255.255

network-object TAL_MRuiz 255.255.255.255

network-object TAL_Gheald 255.255.255.255

object-group network TAL_ref_1

network-object 64.118.150.213 255.255.255.255

network-object 64.118.150.214 255.255.255.255

network-object 64.118.150.217 255.255.255.255

network-object 64.118.150.216 255.255.255.255

network-object 64.118.150.215 255.255.255.255

object-group network GM_eSI

network-object eSI_PNair 255.255.255.255

object-group network GM_eSI_ref

network-object 64.118.150.220 255.255.255.255

access-list outside_access_in permit tcp any host 64.118.150.212 eq www

access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp

access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp-data

access-list outside_access_in permit tcp any host 64.118.150.212 eq smtp

access-list outside_access_in permit icmp host 64.118.150.210 64.118.150.208 255.255.255.240 echo-reply

access-list outside_access_in permit udp host ITR_TAL_Server eq isakmp object-group TAL_ref_1

access-list outside_access_in permit esp host ITR_TAL_Server object-group TAL_ref_1

access-list outside_access_in permit ip host GMeSI_dbserver object-group GM_eSI_ref

access-list outside_access_in permit icmp host GMeSI_dbserver object-group GM_eSI_ref

access-list outside_access_in permit udp host GMeSI_dbserver object-group GM_eSI_ref

access-list dmz_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply

access-list dmz_access_in permit tcp host WebServer1 host primary_dns

access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list dmz_access_in permit ip any any

access-list inside_access_in permit ip any any

access-list 110 permit ip host 64.118.150.210 host GMeSI_dbserver

access-list 110 permit ip host 64.118.150.220 host GMeSI_dbserver

pager lines 24

logging on

logging timestamp

logging trap notifications

logging history notifications

logging host inside 192.168.0.1

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 64.118.150.210 255.255.255.248

ip address inside 192.168.0.10 255.255.255.0

ip address dmz 192.168.1.10 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface dmz

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.2 255.255.255.255 inside

pdm location 192.168.0.99 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.0 inside

pdm location 0.0.0.0 255.255.255.0 outside

pdm location 192.168.0.97 255.255.255.255 inside

pdm location WebServer1 255.255.255.255 dmz

pdm location IsuzuONE 255.255.255.255 outside

pdm location 192.168.0.1 255.255.255.255 inside

pdm location ITR_TAL_Server 255.255.255.255 outside

pdm location 206.126.161.15 255.255.255.255 outside

pdm location 64.118.150.212 255.255.255.255 outside

pdm location primary_dns 255.255.255.255 outside

pdm location secondary_dns 255.255.255.255 outside

pdm location TAL_MWedge 255.255.255.255 inside

pdm location TAL_GKolb 255.255.255.255 inside

pdm location TAL_GBriolat 255.255.255.255 inside

pdm location TAL_MRuiz 255.255.255.255 inside

pdm location TAL_Gheald 255.255.255.255 inside

pdm location 192.168.1.16 255.255.255.240 dmz

pdm location GMeSI_dbserver 255.255.255.255 outside

pdm location 192.168.0.192 255.255.255.192 inside

pdm location eSI_PNair 255.255.255.255 inside

pdm location ACasadei 255.255.255.255 inside

pdm group TAL inside

pdm group TAL_ref_1 outside reference TAL

pdm group GM_eSI inside

pdm group GM_eSI_ref outside reference GM_eSI

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.0.0 255.255.255.0 0 0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

static (dmz,outside) 64.118.150.212 WebServer1 dns netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.213 TAL_MWedge netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.214 TAL_GKolb netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.215 TAL_Gheald netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.217 TAL_GBriolat netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.216 TAL_MRuiz netmask 255.255.255.255 0 0

static (inside,outside) 64.118.150.220 eSI_PNair netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 64.118.150.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http ACasadei 255.255.255.255 inside

http 192.168.0.99 255.255.255.255 inside

http 192.168.0.1 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set anx esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto map ipsec 30 ipsec-isakmp

crypto map ipsec 30 match address 110

crypto map ipsec 30 set peer 198.208.7.2

crypto map ipsec 30 set transform-set anx

crypto map ipsec interface outside

isakmp enable outside

isakmp enable inside

isakmp key ******** address 198.208.7.2 netmask 255.255.255.255

isakmp peer ip 144.228.79.182 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 1

isakmp policy 30 lifetime 86400

isakmp policy 40 authentication rsa-sig

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

isakmp policy 60 authentication pre-share

isakmp policy 60 encryption 3des

isakmp policy 60 hash sha

isakmp policy 60 group 2

isakmp policy 60 lifetime 86400

telnet 192.168.0.99 255.255.255.255 inside

telnet 192.168.0.1 255.255.255.255 inside

telnet ACasadei 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

vpdn username acasadei password ********

vpdn enable outside

vpdn enable inside

vpdn enable dmz

terminal width 80

1 Reply

melry88
Level 1

Hello,

If I understand correctly you need to get your external users connected to the Outside interface by utilizing one Crypto map name but with a different number. I am running a PIX to PIX IPSec tunnel along with remote user access to the Outside interface.

Remove These Lines:

crypto map ipsec interface outside

crypto map inside_map interface inside

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

Add This Line:

crypto map ipsec 99 ipsec-isakmp dynamic inside_dyn_map

crypto map ipsec interface outside

This will allow remote users to connect to your Outside interface using your dynamic crypto map settings. Since I did not read your whole config, remember to make sure you have the following configured:

1. Address pool for vpngroup command set

2. Access-list allowing vpngroup access to inside without NAT

**Most of all, remember before you config anything: make sure to remove the crypto map interface command and then edit your crypto map.

I hope this helps...

Ryan
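Putting the reply's advice together with the two items it tells the poster to check, here is what the relevant part of a PIX 6.2 config would look like. This is an added example, not text from the original post or the reply: the pool name, pool range, access-list name, vpngroup name and username are placeholders chosen for illustration, and the ANX peer exemption in step 6 is a caveat that follows from enabling client authentication on a map that also carries a static tunnel.

```cisco
! Added example (not from the post or the reply). Names marked "assumed" are placeholders.

! 1. Unbind first, as the reply stresses: a crypto map must be detached from the
!    interface before its entries are edited.
no crypto map ipsec interface outside
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

! 2. Address pool handed to remote clients (range assumed; it must not overlap
!    the inside 192.168.0.0/24 network, or inside hosts will not route replies back).
ip local pool vpnpool 192.168.5.1-192.168.5.50

! 3. NAT exemption so inside hosts answer clients at their pool address instead
!    of the outside PAT address (access-list name assumed).
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat

! 4. Remote-user group; the group password is the clients' pre-shared key
!    (group name and password are placeholders). DNS servers are the ones named
!    in the posted config.
vpngroup homeusers address-pool vpnpool
vpngroup homeusers dns-server 64.118.139.51 64.118.139.52
vpngroup homeusers default-domain partechgss.com
vpngroup homeusers idle-time 1800
vpngroup homeusers password ********

! 5. One crypto map on the outside interface: the static ANX entry (30) stays as
!    configured, and the dynamic entry gets a higher sequence number (99) so the
!    static peer is matched first and unknown peers fall through to the dynamic map.
crypto map ipsec 99 ipsec-isakmp dynamic inside_dyn_map
crypto map ipsec client configuration address initiate
crypto map ipsec client configuration address respond
crypto map ipsec client authentication LOCAL
crypto map ipsec interface outside

! 6. Client authentication on map "ipsec" now applies xauth to every peer on it.
!    Exempt the static ANX peer, exactly as the posted config already does for
!    144.228.79.182, or that LAN-to-LAN tunnel will stall at phase 1.
isakmp peer ip 198.208.7.2 no-xauth no-config-mode

! 7. Local user for xauth (username and password are placeholders); the posted
!    config already has "aaa-server LOCAL protocol local".
username homeuser1 password ********
```

The ordering matters in two places: the `no crypto map ... interface` lines come before any edit to the map, and the dynamic entry's sequence number stays above every static entry on the same map. `sysopt connection permit-ipsec`, already present in the posted config, lets decrypted client traffic bypass `outside_access_in`, so no new ACL entries are needed for the clients themselves.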
