Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
296
Views
0
Helpful
3
Replies

site to site and remote access tunnel on same pix

Go to solution
WILLIAM STEGMAN
Level 4
Level 4

‎08-19-2006 08:00 AM - edited ‎02-21-2020 01:07 AM

I have a 515 running ASDM 5.2, and have configured remote access VPN. That works fine, but when trying to add a site to site tunnel it appears my crypto map is overwritten for my remote access VPN configuration, and the remote acess config stops working. I assumed you can have remote access and tunnels running on the same PIX, but know you can have only one crypto map assigned to an interface. Is there a good note on configuring both to run simultaneously, or is it a matter of editing that single crypto map from the command line and associating it with the IPSec policy for the tunnel? Below is some of my config that relates to the vpn config for my remote access setup

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

crypto isakmp ipsec-over-tcp port 10000

thank you,

Bill

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmia
Level 7
Level 7

‎08-19-2006 08:37 AM

Bill

Yes, you can setup site-to-site and vpn client access on the same pix, take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Let me know if you need any help and or explanation and please rate post if it helps.

Jay

View solution in original post

0 Helpful
3 Replies 3

Go to solution
jmia
Level 7
Level 7

‎08-19-2006 08:37 AM

Bill

Yes, you can setup site-to-site and vpn client access on the same pix, take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Let me know if you need any help and or explanation and please rate post if it helps.

Jay

0 Helpful

Go to solution
WILLIAM STEGMAN
Level 4
Level 4
In response to jmia

‎08-21-2006 10:01 AM

it mostly works...The remote access clients are able to connect, and the remote side of the tunnel is able to connect back to the hub pix, but I'm unable to get to the remote side of the tunnel from the hub pix. I've triple checked the config with the note reference above, but I don't see anything. I'm not getting anything in the syslog messages either. Some of my config is below.

interface Ethernet0

nameif outside

security-level 0

ip address 10.1.10.11 255.255.255.0

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.4.0.2 255.255.255.0

!

interface Ethernet2

nameif DMZ

security-level 50

ip address 192.168.32.1 255.255.255.0

access-list 100 extended permit ip 192.168.64.0 255.255.255.0 10.4.0.0 255.255.0.0

access-list 100 extended permit ip 192.168.64.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 192.168.64.0 255.255.255.0 10.4.0.0 255.255.0.0

access-list nonat extended permit ip 192.168.64.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0

access-list nonat extended permit ip 10.4.0.0 255.255.0.0 192.168.64.0 255.255.255.0

access-list splittunnel standard permit 10.0.0.0 255.0.0.0

access-list splittunnel standard permit 192.168.64.0 255.255.255.0

ip local pool VPN 192.168.8.100-192.168.8.254 mask 255.255.255.0

global (outside) 1 interface

global (inside) 1 interface

global (DMZ) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto dynamic-map rtpdynmap 20 set transform-set myset

crypto map mymap 10 match address 100

crypto map mymap 10 set peer 68.36.105.130

crypto map mymap 10 set transform-set myset

crypto map mymap 20 ipsec-isakmp dynamic rtpdynmap

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

tunnel-group 68.36.105.130 type ipsec-l2l

tunnel-group 68.36.105.130 ipsec-attributes

pre-shared-key *

tunnel-group Harrisburg type ipsec-ra

tunnel-group Harrisburg general-attributes

address-pool VPN

authentication-server-group RADIUS LOCAL

default-group-policy Harrisburg

tunnel-group Harrisburg ipsec-attributes

pre-shared-key *

S 192.168.8.0 255.255.255.0 [1/0] via 10.1.10.10, inside

S 192.168.64.0 255.255.255.0 [1/0] via 10.1.10.10, inside

C 10.1.10.0 255.255.255.0 is directly connected, outside

S 10.0.0.0 255.0.0.0 [1/0] via 10.4.0.84, inside

C 10.4.0.0 255.255.255.0 is directly connected, inside

C 192.168.32.0 255.255.255.0 is directly connected, DMZ

S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.10.1, outside

0 Helpful

Go to solution
WILLIAM STEGMAN
Level 4
Level 4
In response to WILLIAM STEGMAN

‎08-21-2006 05:27 PM

please disregard the previous message. I needed to clean up a route and an access list and everything started working fine.

Thank you!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card