Cisco Support Community
New Member

Please help, VPN clients die when ........

I have a PIX 506E and mobile users connecting via the Cisco VPN Client. I'm trying to set up another tunnel on the PIX to a static office.

Currently the clients are using dynamic keys, but the remote office will obviously have a static key.

When I finish defining the crypto maps and add the branch-office crypto map to the outside interface, it totally kills the VPN clients' access.

Anyone have any ideas?

  • Other Security Subjects
2 REPLIES
New Member

Re: Please help, VPN clients die when ........

You can only have 1 crypto map applied per interface.

You can have many policies per crypto map (10, 20, 30, etc.), but only one map applied to the interface. You create a separate "crypto dynamic-map" and bind that to the static map. When you applied the new second crypto map to the interface, you deleted the active IKE session keys from the VPN Client based tunnels established on that interface.

Remember to always make the policies for the roaming clients (using VPN Client software) the highest policy number.

i.e., this example applies to IOS, but the concept is the same for the PIX:

look for the line that reads

'crypto map rtp 10 ipsec-isakmp dynamic rtp-dynamic'

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml

Here's one for PIX-to-PIX with VPN Client:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

New Member

Re: Please help, VPN clients die when ........

Thanks for the reply..

We had a couple of challenges.

1) The first Linksys box was dead.

2) We got a second one and created one crypto map with different priorities for the mobile users and the branch office.

3) Then I set the traffic from users going to the remote branch NOT to NAT (nonat permit), and everything works great. :)

Thanks for your help
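The layout the first reply describes (a single crypto map on the outside interface, the static branch entry at a low sequence number, the dynamic map for the roaming clients bound in at the highest one), together with the nat 0 exemption the original poster mentions in the follow-up, written out as an added PIX 6.3 configuration example. This is not configuration from the thread or from the Cisco documents linked above. The peer address 203.0.113.2, the inside network 10.1.0.0/16, the branch network 10.2.0.0/16, the client pool 10.99.0.0/24, the names outside_map, dynmap, vpnclients, the ACL names and both keys are assumptions; the lines beginning with "!" are annotations and should be stripped before pasting into a PIX.

```cisco
! Added example in PIX 6.3 syntax; addresses, names and keys are assumptions.
!
! Traffic to either far side must leave untranslated: the branch network
! and the pool the VPN clients draw their addresses from.
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Interesting traffic for the static branch tunnel.
access-list branch permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Split-tunnel list pushed to the VPN clients.
access-list split permit ip 10.1.0.0 255.255.0.0 any
!
ip local pool vpnpool 10.99.0.1-10.99.0.254
!
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
! Dynamic map for the roaming clients: no peer, no match address.
crypto dynamic-map dynmap 10 set transform-set strong
!
! One crypto map, two entries. The static peer takes the low sequence number
! and the dynamic entry the highest, so branch traffic is matched against the
! static entry before the catch-all dynamic one is consulted.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address branch
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication LOCAL
! Applying (or re-applying) the map tears down every SA on the interface,
! which is the symptom in the original post. Apply it once, off-hours.
crypto map outside_map interface outside
!
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
! "client authentication" above turns on XAUTH for every peer in the map;
! the static branch peer must be exempted or its IKE negotiation stalls.
isakmp key BRANCHKEY address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients split-tunnel split
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password GROUPKEY
username alice password Secr3tPw
```

After applying, `show crypto map` should list outside_map with both entries and the dynamic entry last; `show crypto isakmp sa` and `show crypto ipsec sa` confirm that the branch peer negotiates as a plain pre-shared-key peer (no XAUTH prompt) while clients still land on the dynamic entry. Putting the dynamic entry at a low sequence number instead would let a packet destined for 10.2.0.0/16 be matched against the dynamic map first and silently never bring up the branch tunnel.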
