Configure a VPN client and Site to Site VPN tunnel

martymailey, Level 1

Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been set up with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the VPN tunnel to SiteB. However, the client can connect and do as needed, so that part of my config is correct, but I cannot see why the site to site VPN tunnel is then no longer up.

SiteA config with working VPN tunnel to SiteB:

SITE A

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.x.x.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#

The lines I add for Cisco VPN clients are attached.

I entered each line one by one and did a reload and a sh crypto map; all was OK until I entered the crypto map VPNPEER lines.

Anyone any ideas what this can be?

Thanks

19 Replies

Well done, one more step needed:

Add the communication between 200.220.200.x and 200.200.200.x to NAT 0, i.e.:

access-list inside_outbound_nat0_acl permit ip 200.220.200.0 255.255.255.0 200.200.200.0 255.255.255.0

Please rate if this helped.

Regards,

Daniel

Daniel, thanks, that's done it. I've changed the IP pool slightly, but this access-list allows ping from the remote client to inside PCs.

Is there an alternative to RADIUS, like using anonymous or a local PC username to connect rather than a domain account?

Cheers

Hi,

just replace:

crypto map outside_map client authentication RADIUS

with

crypto map outside_map client authentication LOCAL

and make sure you add some local users on the PIX:

username aaaa password aaaa

Please rate if this helped.

Cheers,

Daniel

Daniel, perhaps you can help me out as well, as I have a similar problem with a project that I've just inherited. I'm using a PIX 515 with 6.3(5) at my primary location and I have a PIX 501 with 6.3(5) at a remote location. I have a VPN tunnel up between both locations which partly works, and individuals are able to connect to the 515 with the VPN client installed on laptops, but I'm having some problems. First, I can map drives to the machine at the remote location and I can ping it from the primary location, but I cannot start a remote desktop session or a VNC session (both of which are enabled) across the network. The machine at the remote site is also having problems connecting to a mainframe application that runs on a specific TCP port. Can you offer me any suggestions on how to troubleshoot the connection? I've attached a copy of my config file here at the primary location.

Thanks!

Hi,

Sometimes you have problems with VPNs if both remote access and site to site are configured on the same machine.

Try adding the command:

isakmp key ******** address abc.abc.abc.abc netmask 255.255.255.255 no-xauth no-config-mode

If this doesn't work, the problem might be the MTU.

You can lower the MTU setting on both PIX inside interfaces to 1400 and give it a try.

Please rate if this helped.

Regards,

Daniel
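As an added example (not the poster's configuration and not a Cisco tool), a small Python lint that reads a PIX 6.x-style config and reports the two things Daniel's replies fix: a site-to-site peer whose isakmp key lacks no-xauth no-config-mode once client authentication is on the crypto map, and a VPN client pool that the nat 0 access-list does not exempt. The sample config, the pool name vpnpool and the 11.11.11.11 peer address are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed PIX 6.3-style fragment (not the poster's attached file): the
# thread's site-to-site peer plus the remote-access lines added for VPN clients.
SAMPLE_CONFIG = """
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip 200.200.0.0 255.255.0.0 SiteB_INT 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool vpnpool 200.220.200.1-200.220.200.50
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map client authentication RADIUS
isakmp key secret address SiteB_EXT netmask 255.255.255.255
"""

def lint_pix_vpn(config):
    """Findings for the two failure modes the replies point at; a later isakmp key line for a peer overrides an earlier one."""
    names, entries, pools, peers, keys, nat0_acl, xauth = {}, [], {}, set(), {}, None, False
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[0] == "name":                           # name <ip> <alias>
            names[w[2]] = w[1]
        elif w[:3] == ["nat", "(inside)", "0"]:      # nat (inside) 0 access-list X
            nat0_acl = w[4]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            a = [names.get(t, t) for t in w[4:8]]    # src mask dst mask
            entries.append((w[1], ip_network((a[0], a[1]), strict=False),
                            ip_network((a[2], a[3]), strict=False)))
        elif w[:3] == ["ip", "local", "pool"]:       # ip local pool NAME lo-hi
            lo, hi = w[4].split("-")
            pools[w[3]] = (ip_address(lo), ip_address(hi))
        elif w[0] == "crypto" and "peer" in w:       # crypto map ... set peer P
            peers.add(names.get(w[-1], w[-1]))
        elif w[0] == "crypto" and "authentication" in w:   # client authentication
            xauth = True
        elif w[:2] == ["isakmp", "key"]:             # isakmp key K address A flags
            keys[names.get(w[4], w[4])] = set(w[5:])
    findings = []
    # 1. With xauth on the crypto map, each site-to-site peer key needs
    #    no-xauth no-config-mode or that tunnel stops coming up (last reply).
    if xauth:
        for peer in sorted(peers):
            if not {"no-xauth", "no-config-mode"} <= keys.get(peer, set()):
                findings.append(f"peer {peer}: isakmp key lacks no-xauth no-config-mode")
    # 2. The client pool must be NAT-exempt via the nat 0 ACL (first reply).
    for name, (lo, hi) in pools.items():
        if not any(acl == nat0_acl and (lo in s and hi in s or lo in d and hi in d)
                   for acl, s, d in entries):
            findings.append(f"pool {name}: not covered by nat 0 access-list {nat0_acl}")
    return findings
```

Appending the two lines from the replies (the isakmp key with no-xauth no-config-mode, and the nat 0 access-list entry for the pool) to the sample clears both findings.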