08-19-2006 08:00 AM - edited 02-21-2020 01:07 AM
I have a 515 running ASDM 5.2, and have configured remote access VPN. That works fine, but when trying to add a site to site tunnel it appears my crypto map is overwritten for my remote access VPN configuration, and the remote access config stops working. I assumed you can have remote access and tunnels running on the same PIX, but know you can have only one crypto map assigned to an interface. Is there a good note on configuring both to run simultaneously, or is it a matter of editing that single crypto map from the command line and associating it with the IPSec policy for the tunnel? Below is some of my config that relates to the VPN config for my remote access setup.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
thank you,
Bill
08-19-2006 08:37 AM
Bill
Yes, you can setup site-to-site and vpn client access on the same pix, take a look here:
Let me know if you need any help and or explanation and please rate post if it helps.
Jay
08-21-2006 10:01 AM
It mostly works... The remote access clients are able to connect, and the remote side of the tunnel is able to connect back to the hub PIX, but I'm unable to get to the remote side of the tunnel from the hub PIX. I've triple checked the config with the note referenced above, but I don't see anything. I'm not getting anything in the syslog messages either. Some of my config is below.
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.10.11 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.4.0.2 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 192.168.32.1 255.255.255.0
access-list 100 extended permit ip 192.168.64.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.64.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.64.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.64.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.4.0.0 255.255.0.0 192.168.64.0 255.255.255.0
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
access-list splittunnel standard permit 192.168.64.0 255.255.255.0
ip local pool VPN 192.168.8.100-192.168.8.254 mask 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 68.36.105.130
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 68.36.105.130 type ipsec-l2l
tunnel-group 68.36.105.130 ipsec-attributes
pre-shared-key *
tunnel-group Harrisburg type ipsec-ra
tunnel-group Harrisburg general-attributes
address-pool VPN
authentication-server-group RADIUS LOCAL
default-group-policy Harrisburg
tunnel-group Harrisburg ipsec-attributes
pre-shared-key *
S 192.168.8.0 255.255.255.0 [1/0] via 10.1.10.10, inside
S 192.168.64.0 255.255.255.0 [1/0] via 10.1.10.10, inside
C 10.1.10.0 255.255.255.0 is directly connected, outside
S 10.0.0.0 255.0.0.0 [1/0] via 10.4.0.84, inside
C 10.4.0.0 255.255.255.0 is directly connected, inside
C 192.168.32.0 255.255.255.0 is directly connected, DMZ
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside
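The two posts above boil down to one crypto map per interface holding numbered static entries for each site-to-site peer plus a single dynamic entry for the remote-access clients, with the interesting traffic exempted from NAT and routed out the interface the map is bound to. The script below is an added example, not code from the thread or from Cisco: it parses a pasted PIX config (plus `show route` lines) and reports the consistency problems a practitioner would check first. It assumes IPv4 only, that the hub's `nat (inside) 0` ACL is the NAT exemption, and that the dynamic entry should carry the highest sequence number as Cisco's guidance recommends. The GOOD and BAD samples are constructed and only modelled on the posted hub config; the BAD one deliberately reverses the nat 0 line, puts the dynamic entry first, omits the transform set, and routes the remote LAN out the inside interface.

```python
# Added example: static checks for a PIX crypto map mixing site-to-site and dynamic entries.
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^[A-Z*]+\s+(\S+) (\S+) .*, (\S+)$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACL lines, crypto map entries, interface bindings, nat 0 and routes."""
    acls, maps = defaultdict(list), defaultdict(lambda: defaultdict(dict))
    bound, nat0, routes = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls[name].append((net(sa, sm), net(da, dm)))
        elif m := CMAP_IF_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := CMAP_RE.match(line):
            entry, rest = maps[m.group(1)][int(m.group(2))], m.group(3).split()
            if rest[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = rest[2]
            elif rest[:2] == ["match", "address"]:
                entry["match"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform"] = rest[2:]
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := ROUTE_RE.match(line):
            routes.append((net(m.group(1), m.group(2)), m.group(3)))
    return acls, maps, bound, nat0, routes

def egress(routes, dst):
    """Longest-prefix lookup: the interface that traffic for `dst` leaves on."""
    hits = [(r.prefixlen, iface) for r, iface in routes if dst.subnet_of(r)]
    return max(hits)[1] if hits else None

def check(config, nat_iface="inside"):
    """Return findings as strings; an empty list means the map looks consistent."""
    acls, maps, bound, nat0, routes = parse(config)
    exempt = acls.get(nat0.get(nat_iface), [])
    findings = []
    for name, entries in maps.items():
        iface = bound.get(name)
        dyn = [s for s, e in entries.items() if "dynamic" in e]
        static = [s for s, e in entries.items() if "dynamic" not in e]
        if len(dyn) != 1:
            findings.append(f"{name}: expected one dynamic entry, found {len(dyn)}")
        # Entries are tried in ascending sequence; the catch-all dynamic entry goes last.
        if dyn and static and max(dyn) < max(static):
            findings.append(f"{name}: dynamic entry {max(dyn)} precedes static entry {max(static)}")
        for seq in sorted(static):
            e = entries[seq]
            for key in ("match", "peer", "transform"):
                if key not in e:
                    findings.append(f"{name} {seq}: no '{key}' configured")
            for src, dst in acls.get(e.get("match"), []):
                # nat 0 must exempt the same src->dst the crypto ACL selects, or it is NATed first.
                if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                    findings.append(f"{name} {seq}: {src}->{dst} is not exempt from NAT")
                # The crypto map only sees packets that leave its own interface.
                if routes and iface and egress(routes, dst) != iface:
                    findings.append(f"{name} {seq}: {dst} routes via {egress(routes, dst)}, not {iface}")
    return findings

# Constructed samples modelled on the posted hub config, not the poster's exact text.
GOOD = """
access-list 100 extended permit ip 10.4.0.0 255.255.0.0 192.168.64.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.64.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 68.36.105.130
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside
"""
# nat 0 reversed, dynamic entry first, no transform set, remote LAN routed out inside.
BAD = """
access-list 100 extended permit ip 10.4.0.0 255.255.0.0 192.168.64.0 255.255.255.0
access-list nonat extended permit ip 192.168.64.0 255.255.255.0 10.4.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp dynamic rtpdynmap
crypto map mymap 20 match address 100
crypto map mymap 20 set peer 68.36.105.130
crypto map mymap interface outside
S 192.168.64.0 255.255.255.0 [1/0] via 10.1.10.10, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside
"""
```

Run `check(GOOD)` and `check(BAD)` against a pasted config: the GOOD sample returns no findings, the BAD sample reports the ordering, missing transform set, NAT exemption and routing problems. The route check is the one that matters most for "the remote side can reach me but I cannot reach it": a static route that pushes the remote LAN out any interface other than the one the crypto map is bound to means the hub's outbound packets never hit the map and are never encrypted.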
08-21-2006 05:27 PM
please disregard the previous message. I needed to clean up a route and an access list and everything started working fine.
Thank you!!