11-29-2006 09:07 AM
Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been set up with a site-to-site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to the SiteA PIX it stops the VPN tunnel to SiteB. However, the client can connect and do as needed, so that part of my config is correct, but I cannot see why the site-to-site VPN tunnel is then no longer up.
SiteA config with working VPN tunnel to SiteB:
SITE A
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.x.x.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#
The lines I add for Cisco VPN clients are attached.
I entered each line one by one and did a reload and a "sh crypto map"; all was OK until I entered the crypto map VPNPEER lines.
Anyone have any ideas what this can be?
Thanks
01-04-2007 02:48 AM
Well done, one more step needed:
Add the communication between 200.220.200.x and 200.200.200.x to NAT 0, i.e.:
access-list inside_outbound_nat0_acl permit ip 200.220.200.0 255.255.255.0 200.200.200.0 255.255.255.0
Please rate if this helped.
Regards,
Daniel
01-05-2007 03:25 AM
Daniel, thanks, that's done it. I've changed the IP pool slightly, but this access-list allows ping from the remote client to inside PCs.
Is there an alternative to RADIUS, like using anonymous or a local PC username to connect rather than a domain account?
Cheers
01-05-2007 08:40 AM
Hi,
just replace:
crypto map outside_map client authentication RADIUS
with
crypto map outside_map client authentication LOCAL
and make sure you add some local users on the PIX:
username aaaa password aaaa
Please rate if this helped.
Cheers,
Daniel
01-18-2007 11:35 AM
Daniel, perhaps you can help me out as well, as I have a similar problem with a project that I've just inherited. I'm using a PIX 515 with 6.3(5) at my primary location and I have a PIX 501 with 6.3(5) at a remote location. I have a VPN tunnel up between both locations which partly works, and individuals are able to connect to the 515 with the VPN client installed on laptops, but I'm having some problems. First, I can map drives to the machine at the remote location and I can ping it from the primary location, but I cannot start a remote desktop session or a VNC session (both of which are enabled) across the network. The machine at the remote site is also having problems connecting to a mainframe application that runs on a specific TCP port. Can you offer me any suggestions on how to troubleshoot the connection? I've attached a copy of my config file here at the primary location.
Thanks!
01-19-2007 04:31 AM
Hi,
Sometimes you have problem with VPNs if both remote access and site to site are configured on the same machine.
Try adding the command:
isakmp key ******** address abc.abc.abc.abc netmask 255.255.255.255 no-xauth no-config-mode
If this doesn't work, the problem might be the MTU.
You can lower the MTU setting on both PIX inside interfaces to 1400 and give it a try.
Please rate if this helped.
Regards,
Daniel
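The three fixes Daniel gives in this thread (the client pool must be in the NAT 0 exemption list, LOCAL client authentication needs username entries on the PIX, and a lan-to-lan peer on the same crypto map as remote-access clients needs "no-xauth no-config-mode" on its isakmp key) are all things that can be checked by reading the running-config. The script below is an added example, not part of anyone's post in this thread and not a Cisco tool: it parses a constructed, reduced PIX 6.3 config (hypothetical addresses 200.200.0.0/16 for the inside network, 200.220.200.x for the client pool, 11.11.11.11 for SiteB's outside address) and flags each of the three problems, then shows the same config after Daniel's changes pass the checks.

```python
"""Static checks for a PIX 6.3 config that mixes a site-to-site tunnel with VPN clients.

Added example; the config text below is constructed for illustration, not the
poster's real config. Addresses and names are hypothetical.
"""
import ipaddress
import re

# Constructed config reproducing the three pitfalls discussed in the thread.
BEFORE = """\
name 200.200.0.0 SiteA_INT
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
ip local pool vpnpool 200.220.200.1-200.220.200.254
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map client authentication RADIUS
crypto map outside_map client configuration address initiate
isakmp key secret address SiteB_EXT netmask 255.255.255.255
"""

# The same config with Daniel's three changes applied.
AFTER = (BEFORE
         .replace("nat (inside) 0",
                  "access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 "
                  "200.220.200.0 255.255.255.0\nnat (inside) 0")
         .replace("client authentication RADIUS",
                  "client authentication LOCAL\nusername aaaa password aaaa")
         .replace("netmask 255.255.255.255",
                  "netmask 255.255.255.255 no-xauth no-config-mode"))


def _names(cfg):
    """Map PIX 'name <ip> <alias>' entries to their addresses."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)$", cfg, re.M)}


def _resolve(token, names):
    return names.get(token, token)


def _network(addr, mask, names):
    return ipaddress.ip_network(f"{_resolve(addr, names)}/{mask}", strict=False)


def nat0_pairs(cfg):
    """(src, dst) networks exempted from NAT through 'nat (inside) 0 access-list X'."""
    names = _names(cfg)
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M)
    if not m:
        return []
    pat = rf"^access-list {re.escape(m.group(1))} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(_network(s, sm, names), _network(d, dm, names))
            for s, sm, d, dm in re.findall(pat, cfg, re.M)]


def unexempted_pools(cfg):
    """Names of 'ip local pool' ranges not covered (by one ACL entry) as a NAT 0 destination.

    Inside hosts replying to an unexempted pool address get PAT'd to the outside
    interface instead of entering the tunnel, so client pings get no answer.
    """
    pairs = nat0_pairs(cfg)
    bad = []
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)$", cfg, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in dst and hi in dst for _, dst in pairs):
            bad.append(name)
    return bad


def lan_to_lan_peers_missing_flags(cfg):
    """Static peers whose isakmp key lacks 'no-xauth no-config-mode' on a map that
    also carries remote-access client settings; without the flags the PIX tries
    XAUTH / mode-config against the other PIX and phase 1 to that site fails."""
    names = _names(cfg)
    ra_maps = set(re.findall(r"^crypto map (\S+) client (?:authentication|configuration) ",
                             cfg, re.M))
    keys = {_resolve(addr, names): flags for addr, flags in
            re.findall(r"^isakmp key \S+ address (\S+) netmask \S+(.*)$", cfg, re.M)}
    missing = []
    for mapname, peer in re.findall(r"^crypto map (\S+) \d+ set peer (\S+)$", cfg, re.M):
        peer_ip = _resolve(peer, names)
        flags = keys.get(peer_ip, "")
        if mapname in ra_maps and ("no-xauth" not in flags or "no-config-mode" not in flags):
            missing.append(peer_ip)
    return missing


def local_auth_without_users(cfg):
    """True when client authentication points at LOCAL but the PIX has no 'username' entries."""
    uses_local = re.search(r"^crypto map \S+ client authentication LOCAL$", cfg, re.M)
    has_users = re.search(r"^username \S+ password ", cfg, re.M)
    return bool(uses_local) and not has_users


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, unexempted_pools(cfg), lan_to_lan_peers_missing_flags(cfg),
              local_auth_without_users(cfg))
```

The MTU suggestion in the last answer is not checked here: whether 1400 helps depends on the path, not on the config text, so it is better tested with a "ping -l 1472 -f" style probe than with a parser. The pool check only looks for a single ACL entry covering the whole range; a pool split across several entries would be reported as a false positive.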