02-10-2006 01:40 PM - edited 02-21-2020 02:15 PM
I have 2 new Pix 501's. Can anyone tell me if you can have a site-to-site VPN running and access one of the PIX's via VPN Cisco Client Software at the same time?
I am able to get the site-to-site tunnel working with the Cisco documentation about creating a simple IPSec tunnel between 2 sites. I am also able to get the Client-to-Pix VPN working by using the Cisco doc's pertaining to creating a Client VPN with AES.
However, I can't seem to make them both work at the same time. Can someone help me with this issue? I need the 2 Pix's connected via VPN, but I also need to access each network from home. Thus, the need for Client-to-Pix and Site-to-Site.
Any help would be appreciated!
Thanks,
Burtman
02-11-2006 03:46 AM
Yes, it is possible. Ensure that no xauth is configured for the static peer and the PIX is configured to accept IP requests from the clients.
This link should help you out
02-11-2006 09:42 AM
Thanks! I will give it a try on Monday.
Burtman
02-13-2006 09:00 PM
Thanks for the help! I was able to get the site-to-site tunnel and the VPN Client working at the same time.
However, when I get connected with the Cisco Client, I am unable to ping anything on the LAN. Thus, I am unable to connect to any machines and/or files. It connects just fine to my branch, but I can't access anything.
What am I missing?
Thanks
02-13-2006 09:11 PM
Do you get an IP when you are connected? Can you check the routing for your IP in the PIX? Also, do you have sysopt connection permit-ipsec?
If this doesn't solve the issue, can you show the relevant config with public IPs masked?
HTH
02-13-2006 09:31 PM
Yes to Questions 1 & 3.
How do I check the routing for my IP in the PIX?
02-13-2006 09:56 PM
Here is my config for PIX 1:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Home 192.168.47.50-192.168.47.59
pdm location 192.168.1.192 255.255.255.224 outside
pdm location 10.168.1.0 255.255.255.0 outside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 *.*.*.*
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto ipsec transform-set home esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set chevelle
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 102
crypto map transam 1 set peer *.*.*.*
crypto map transam 1 set transform-set chevelle
crypto map transam 20 ipsec-isakmp dynamic dynmap
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ********* address-pool Home
vpngroup ********* dns-server 192.168.1.5
vpngroup ********* wins-server 192.168.1.5
vpngroup ********* default-domain ********
vpngroup ********* idle-time 1800
vpngroup ********* password ********
telnet 192.168.1.5 255.255.255.255 inside
telnet 192.168.1.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.36 inside
dhcpd dns 192.168.1.5
dhcpd wins 192.168.1.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Thanks!
02-13-2006 10:05 PM
isakmp client configuration address-pool local VPNpool outside
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
Can you add these commands and check? Would it also be possible for you to include the traffic to the VPN Client IPs (192.168.47.0/24) in NAT 0 as well and see if it helps?
02-13-2006 10:36 PM
It only seems to allow one entry (i.e. access-list 101).
How do I add the VPN Client IPs without losing the original entry?
Also, I am not sure how to make your first command work (i.e. isakmp client etc...). I am kind of new to the PIX.
02-13-2006 11:05 PM
This is the configuration you will need to add. Also, you can append to the access-list (no need to add a new ACL). Just add another entry to the PIX:
ip local pool csvc 172.16.1.1-172.16.1.254
crypto isakmp client configuration address-pool local csvc outside
access-list 103 permit ip host 172.21.230.34 172.21.1.0 255.255.255.0
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map dyn 10 set transform-set pc
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
crypto map dyn 10 ipsec-isakmp dynamic dyn
crypto map dyn interface outside
This link should help you
02-14-2006 12:25 AM
Hi,
Going back to your question - 'you can connect via the vpn client but can not access any resources on the internal LAN, i.e. can not ping'
What you'll need to do is (in config mode) add the following command to the PIX that you are connecting to via the vpn client:
isakmp nat-traversal
Now you should be able to ping any internal LAN clients via your vpn client. Also, if you intend to manage the PIX via your vpn client, i.e. run PDM etc, what you can do is add the following command to your PIX, again in config mode:
management access-inside
http server enable
http 172.16.1.0 255.255.255.0 inside
save with: write mem
Now you should be able to ping the internal interface IP of your PIX via the VPN client and also run PDM.
Hope this helps and if it does please rate post.
Let me know how you get on.
Jay
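As an added example (not from this thread, Cisco, or any of the posters), a small Python lint that applies the checks the replies above raise to a PIX 6.3 config: the NAT 0 exemption for the client pool (the 10:05 PM reply), the no-xauth static peer (the first reply), the dynamic crypto map, sysopt connection permit-ipsec, and isakmp nat-traversal (Jay's reply). The config excerpt is constructed from the posted config; the peer address 203.0.113.7 is a documentation placeholder for the masked one.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted PIX 6.3 config (peer address is a placeholder).
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.168.1.0 255.255.255.0
ip local pool Home 192.168.47.50-192.168.47.59
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto map transam 20 ipsec-isakmp dynamic dynmap
isakmp key ******** address 203.0.113.7 netmask 255.255.255.255 no-xauth no-config-mode
"""

# Lines the replies recommend: exempt the client pool from NAT and enable NAT-T.
FIX_LINES = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
isakmp nat-traversal
"""

def check_pix_vpn_config(config):
    """Return findings for a PIX 6.3 that mixes a static peer with VPN clients."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("missing 'sysopt connection permit-ipsec'")
    if not any(re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic ", ln) for ln in lines):
        findings.append("no dynamic crypto-map entry, VPN clients cannot negotiate")
    if not any(ln.startswith("isakmp nat-traversal") for ln in lines):
        findings.append("missing 'isakmp nat-traversal'")
    for ln in lines:  # the static peer must not be asked for xauth/mode-config
        if ln.startswith("isakmp key ") and " address " in ln:
            if "no-xauth" not in ln or "no-config-mode" not in ln:
                findings.append("static peer key lacks no-xauth/no-config-mode")
    # Destination networks exempted from NAT through 'nat (inside) 0 access-list'.
    nat0 = {m.group(1) for m in map(re.compile(r"nat \(\w+\) 0 access-list (\S+)").match, lines) if m}
    exempt = []
    for ln in lines:
        m = re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", ln)
        if m and m.group(1) in nat0:
            exempt.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    # Every address handed to a client must fall inside an exempted network.
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", ln)
        if not m:
            continue
        lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        if not all(any(b.subnet_of(e) for e in exempt) for b in ipaddress.summarize_address_range(lo, hi)):
            findings.append(f"pool {m.group(1)} ({lo}-{hi}) is NATed, add it to the nat 0 ACL")
    return findings
```

Run check_pix_vpn_config(SAMPLE_CONFIG) to see the two gaps the thread ends up fixing, and check_pix_vpn_config(SAMPLE_CONFIG + FIX_LINES) to confirm the corrected config comes back clean.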