Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix 501 L2L and remote access VPN

Hi, I am working on an old PIX 501 w/ 6.3(5) software, it already have remote access VPN setup and works fine but now it needs a L2L set up. One thing is I am trying to do all the work remotely over the VPN or ssh to the device. I do not know what is on the other end but they swear it is set up and may be my problem is when I start putting in the commands for the other VPN it breaks the remote access VPN. One thing that I am having to do is NAT a host on the inside to appear as another host on the far end. I am using these commands and I think this is working can't tell.

access-list 101 permit ip host local_server remote_network 255.255.255.0

static (inside,outside) 10.1.0.203  access-list 101

then

access-list 102  permit ip host 10.1.0.203 host 192.168.50.83
access-list 102  permit ip host 10.1.0.203 host 192.168.50.86
access-list 102  permit ip host 10.1.0.203 host 192.168.50.50
access-list 102  permit ip host 10.1.0.203 host 192.168.50.85


and use that to match against

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map emds-map 10 ipsec-isakmp
crypto map emds-map 10 match address 102
crypto map emds-map 10 set peer remote_vpn_server
crypto map emds-map 10 set transform-set ESP-3DES-SHA

then

isakmp key magic_key address remote_vpn_server netmask 255.255.255.255
isakmp identity hostname
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

and that is where it usually breaks the VPN, I am not sure if the other VPN works due not being able to get to that server to try to ping out, I really don't like to try this stuff remotely but I don't have a lot of choice at the moment.

Any thoughts?

Thanks

Jarrid Graham

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Pix 501 L2L and remote access VPN

Yes, just use different sequence number with 1 crypto map name. Please also make sure that your dynamic crypto map, which is for your vpn client has the lowest crypto map sequence (highest number), because you want to make sure that the static crypto map (for lan-to-lan tunnel has higher sequence number (lower number)).

The isakmp policy sequence number does not have to match, it is processed from top to bottom (lower number to high number) and as long as 1 set of isakmp policy matches the remote peer, it will be negotiated correctly.

Hope that answers your question, and please rate useful post. Thanks.

7 REPLIES
Cisco Employee

Re: Pix 501 L2L and remote access VPN

What phase does the LAN-to-LAN tunnel break? What is the output of "show crypto isa sa" and "show crypto ipsec sa peer ?

Configuration on this end looks correct, and just have to make sure that the remote peer has exactly mirror image ACL of your ACL 102. You have 4 lines of ACL, and the remote peer needs to have the exact 4 lines too but mirror image.

New Member

Re: Pix 501 L2L and remote access VPN

My main problem is that when I put in the commands the normal remote access VPN that I need to connect to the computer that is getting NATed breaks and I cant get to it to see if the other works. One problem I have had in the past is the other side that sets the endpoint of the L2L just sets it up and dont share any information, they just say we have done this hundered of times, it is on your end ... etc. I finally decided to set up ssh on the outside after the first time I killed myself off remotely, good thing a power cycle fixed that.

Jarrid

Cisco Employee

Re: Pix 501 L2L and remote access VPN

Please share the whole config. Need to know what you have configured for the rest, especially the NAT for vpn client? not sure how it breaks when you configure the LAN-to-LAN tunnel.

New Member

Re: Pix 501 L2L and remote access VPN

OK here is the config as it stands now with a little change of IPs and Passwords

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted

hostname HOSTNAME
domain-name DOMAIN.LOCAL
clock timezone EST 2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 10.0.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_out permit icmp any any
access-list inside_out permit 22 any any
pager lines 24
logging on
logging timestamp
logging standby
mtu outside 1500
mtu inside 1500
ip address outside OUTSIDE_IP 255.255.255.252
ip address inside 10.0.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.200.200-192.168.200.209
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.100.0 255.255.255.0 0 0
access-group inside_out in interface outside
route outside 0.0.0.0 0.0.0.0 OUTSIDE_IP 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.0.100.10 ***** timeout 10
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN address-pool clientpool
vpngroup VPN dns-server 10.0.100.10
vpngroup VPN default-domain uim.local
vpngroup VPN idle-time 1800
vpngroup VPN password ********
telnet 10.0.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
username admin password ***** encrypted privilege 15
terminal width 80
Cryptochecksum:d11b572de6929ddb8bd1240d17aa5dda
: end
[OK]

I start about like I listed in the first of the message but when I get right around the crypto part my VPN breaks , maybe the isakmp but I dont know. I just know after I put in all of the stuff in the ssh terminal when I tried to connect the VPN from the Cisco Client it just times out. to a reload and after it comes back up I can connect.

Thanks

Jarrid

Cisco Employee

Re: Pix 501 L2L and remote access VPN

OK, your crypto map name is "newmap", and you have configured a new crypto map "emds-map" for the lan-to-lan tunnel. You can't have 2 crypto map name configured on the PIX, because you can only assign 1 crypto map to the outside interface.

For the new lan-to-lan tunnel, please use the same crypto map name "newmap" with sequence 10 as follows:

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match  address 102
crypto map newmap 10 set peer remote_vpn_server
crypto  map newmap 10 set transform-set ESP-3DES-SHA

New Member

Re: Pix 501 L2L and remote access VPN

OK I wondered about that, when it died is when I did the crypto map emds-map interface outside command. I will try it later on and see. So you could have multiple L2L VPNs as long as they use the same crypto map name and a different sequence number and use the same number in the isakmp lines ? If so I am guessing it knows what isakmp key line to use with the set remote peer? Not that we need more than the one L2L I just want  to know if my line on thinking is right so far.

Thanks

Jarrid

Cisco Employee

Re: Pix 501 L2L and remote access VPN

Yes, just use different sequence number with 1 crypto map name. Please also make sure that your dynamic crypto map, which is for your vpn client has the lowest crypto map sequence (highest number), because you want to make sure that the static crypto map (for lan-to-lan tunnel has higher sequence number (lower number)).

The isakmp policy sequence number does not have to match, it is processed from top to bottom (lower number to high number) and as long as 1 set of isakmp policy matches the remote peer, it will be negotiated correctly.

Hope that answers your question, and please rate useful post. Thanks.

1420
Views
0
Helpful
7
Replies
CreatePlease to create content