561 Views | 0 Helpful | 10 Replies

Site-to-Site VPN and Client VPN together

burtj (Level 1)

I have 2 new Pix 501's. Can anyone tell me if you can have a site-to-site VPN running and access one of the PIX's via VPN Cisco Client Software at the same time?

I am able to get the site-to-site tunnel working with the Cisco documentation about creating a simple IPSec tunnel between 2 sites. I am also able to get the Client-to-Pix VPN working by using the Cisco doc's pertaining to creating a Client VPN with AES.

However, I can't seem to make them both work at the same time. Can someone help me with this issue? I need the 2 Pix's connected via VPN, but I also need to access each network from home. Thus, the need for Client-to-Pix and Site-to-Site.

Any help would be appreciated!

Thanks,

Burtman

10 Replies

attrgautam (Level 5)

Yes, it is possible. Ensure that no xauth is configured for the static peer and the PIX is configured to accept IP requests from the clients.

This link should help you out

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

Thanks! I will give it a try on Monday.

Burtman

Thanks for the help! I was able to get the site-to-site tunnel and the VPN Client working at the same time.

However, when I get connected with the Cisco Client, I am unable to ping anything on the LAN. Thus, I am unable to connect to any machines and/or files. It connects just fine to my branch, but I can't access anything.

What am I missing?

Thanks

Do you get an IP when you are connected? Can you check the routing for your IP in the PIX? Also, do you have sysopt connection permit-ipsec?

If this doesn't solve the issue, can you show the relevant config with public IPs masked?

HTH

Yes to Questions 1 & 3.

How do I check the routing for my IP in the PIX?

Here is my config for PIX 1:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Home 192.168.47.50-192.168.47.59
pdm location 192.168.1.192 255.255.255.224 outside
pdm location 10.168.1.0 255.255.255.0 outside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 *.*.*.*
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto ipsec transform-set home esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set chevelle
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer *.*.*.*
crypto map transam 1 set transform-set chevelle
crypto map transam 20 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ********* address-pool Home
vpngroup ********* dns-server 192.168.1.5
vpngroup ********* wins-server 192.168.1.5
vpngroup ********* default-domain ********
vpngroup ********* idle-time 1800
vpngroup ********* password ********
telnet 192.168.1.5 255.255.255.255 inside
telnet 192.168.1.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.36 inside
dhcpd dns 192.168.1.5
dhcpd wins 192.168.1.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

Thanks!

isakmp client configuration address-pool local VPNpool outside
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

Can you add these commands and check? Would it also be possible for you to include the traffic to the VPN Client IPs (192.168.47.0/24) in NAT 0 as well and see if it helps?

It only seems to allow one entry (i.e. access-list 101).

How do I add the VPN Client IPs without losing the original entry?

Also, I am not sure how to make your first command work(i.e. isakmp client etc...). I am kind of new to the PIX.

This is the configuration you will need. Also, you can append to the access-list (no need to add a new ACL). Just add another entry to the PIX.

ip local pool csvc 172.16.1.1-172.16.1.254
isakmp client configuration address-pool local csvc outside
access-list 103 permit ip host 172.21.230.34 172.21.1.0 255.255.255.0
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map dyn 10 set transform-set pc
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
crypto map dyn 10 ipsec-isakmp dynamic dyn
crypto map dyn interface outside

This link should help you

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72d.html#wp997388

http://www.cisco.com/warp/public/110/B.html

Hi,

Going back to your question - 'you can connect via the vpn client but can not access any resources on the internal LAN, i.e. can not ping'

What you'll need to do is (in config mode) add the following command to the PIX that you are connecting to via the vpn client:

isakmp nat-traversal

Now you should be able to ping any internal LAN clients via your vpn client. Also, if you intend to manage the PIX via your vpn client, i.e. run PDM etc, what you can do is add the following command to your PIX, again in config mode:

management-access inside
http server enable
http 172.16.1.0 255.255.255.0 inside

save with: write mem

Now you should be able to ping the internal interface IP of your PIX via the VPN client and also run PDM.

Hope this helps and if it does please rate post.

Let me know how you get on.

Jay
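The thread ends up with a short checklist for running a static peer and the VPN Client on the same PIX: a dynamic crypto map entry sequenced after the static one, no-xauth / no-config-mode on the static peer's pre-shared key, sysopt connection permit-ipsec, the client address pool exempted from NAT in the nat 0 ACL, and isakmp nat-traversal. The script below is an added example, not code from the thread or from Cisco: it parses a PIX 6.3 configuration and reports which of those items are missing. The embedded config is constructed from burtj's posted config, with the masked public addresses replaced by an RFC 5737 documentation address and a made-up vpngroup name, and a second copy carries the two fixes the replies converge on.

```python
"""Audit a PIX 6.3 configuration for the settings needed when a site-to-site
tunnel and VPN Client access share one outside interface.
Added example, not from the thread or from Cisco. The config text is constructed
from the posted config: public IPs replaced by 203.0.113.10, vpngroup name made up."""
import ipaddress

SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
ip local pool Home 192.168.47.50-192.168.47.59
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto dynamic-map dynmap 30 set transform-set chevelle
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer 203.0.113.10
crypto map transam 20 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
vpngroup remoteusers address-pool Home
"""

# The two changes the replies arrive at: exempt the client pool from NAT by
# appending to the existing nat 0 ACL, and enable NAT traversal.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
isakmp nat-traversal
"""

def _addr(t, i):
    """Parse one ACL address spec (any | host A | A MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Pull out only the statements the audit needs."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "peers": [], "keys": {},
           "dyn_seq": {}, "static_seq": {}, "flags": set(), "vpngroup_pools": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        line = " ".join(t)
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3].isdigit():
            name, seq = t[2], int(t[3])
            if t[4] == "ipsec-isakmp":
                key = "dyn_seq" if "dynamic" in t[5:] else "static_seq"
                cfg[key].setdefault(name, []).append(seq)
            elif t[4:6] == ["set", "peer"]:
                cfg["peers"].append(t[6])
        elif t[:2] == ["isakmp", "key"] and t[3] == "address":
            cfg["keys"][t[4]] = set(t[7:])  # tokens after the netmask are flags
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            cfg["vpngroup_pools"].append(t[3])
        elif line in ("sysopt connection permit-ipsec", "isakmp nat-traversal"):
            cfg["flags"].add(line)
    return cfg

def audit(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    cfg = parse_config(text)
    out = []
    if "sysopt connection permit-ipsec" not in cfg["flags"]:
        out.append("missing 'sysopt connection permit-ipsec'; decrypted traffic is subject to the outside ACL")
    if "isakmp nat-traversal" not in cfg["flags"]:
        out.append("missing 'isakmp nat-traversal'; clients behind NAT connect but pass no traffic")
    remote_access = bool(cfg["vpngroup_pools"] or cfg["dyn_seq"])
    for peer in cfg["peers"]:
        flags = cfg["keys"].get(peer)
        if flags is None:
            out.append(f"static peer {peer} has no isakmp key")
        elif remote_access and not {"no-xauth", "no-config-mode"} <= flags:
            out.append(f"isakmp key for static peer {peer} needs no-xauth no-config-mode")
    for name, dyns in cfg["dyn_seq"].items():
        statics = cfg["static_seq"].get(name, [])
        if statics and min(dyns) < max(statics):
            out.append(f"crypto map {name}: dynamic entry {min(dyns)} must follow static entry {max(statics)}")
    # Every pool handed to clients must be a destination in the nat 0 ACL,
    # otherwise LAN replies to client addresses are translated instead of tunnelled.
    exempt = [e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])]
    for pool_name in cfg["vpngroup_pools"]:
        if pool_name not in cfg["pools"]:
            out.append(f"vpngroup references undefined pool {pool_name}")
            continue
        lo, hi = cfg["pools"][pool_name]
        if not any(lo in dst and hi in dst for _, dst in exempt):
            out.append(f"pool {pool_name} ({lo}-{hi}) is not in the nat 0 ACL; LAN replies to clients get NATed")
    return out

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with fixes", FIXED_CONFIG)):
        print(label, "->", audit(cfg) or ["no findings"])
```

Run against the posted config the audit reports exactly the two gaps the replies identified (the client pool missing from the nat 0 ACL, and no NAT traversal); against the corrected copy it reports nothing. The access-list 103 entry for 192.168.47.0/24 does not count, because it is not the ACL that nat (inside) 0 references, which is why attrgautam's advice is to append to access-list 101 rather than create a new list.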