Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with 3rd VPN

I have a PIX 501 setup with three different VPNs. VPN1 and VPN2 work fine. The third VPN is having some issues. I've included part of my config file. The problem is this. I have the following and it will work until I restart the PIX. Before I reboot I do a write mem. After restarting the third VPN no longer works. I can get it to work by removing the following access-list rules.

access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

access-list 101 permit ip host 192.168.40.10 host 192.168.4.2

When I add them back and do a write mem, the VPN comes back and works.

names

name 192.168.2.0 BSSI

name 192.168.4.2 BSSIWEB1

object-group service BRANCHOFFICETCP tcp

description Service Group for Branch Office VPN Policies

port-object range 137 netbios-ssn

port-object eq lpd

port-object eq ftp-data

port-object eq ftp

port-object eq lotusnotes

port-object eq www

port-object eq login

port-object eq cmd

port-object eq 449

port-object eq pcanywhere-data

port-object eq 446

port-object eq https

port-object range 8470 8476

port-object eq telnet

port-object eq 135

port-object eq smtp

port-object eq 1433

port-object eq 8080

access-list NAT4ONE permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0

access-list inside_access_out remark Incoming from BSSI

access-list inside_access_out permit tcp 192.168.2.0 255.255.255.0 object-group BRANCHOFFICETCP host 192.168.40.10 object-group BRANCHOFFICETCP

access-list inside_access_out remark Incoming from BSSIWEBSERVER

access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2

access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

access-list 101 permit ip host 192.168.40.10 host 192.168.4.2

ip address outside wanip 255.255.255.248

ip address inside lanip 255.255.255.0

global (outside) 1 10.150.176.233 (for another VPN)

global (outside) 2 interface

nat (inside) 0 access-list 101

nat (inside) 1 access-list NAT4ONE 0 0

nat (inside) 3 access-list outside_cryptomap_140 0 0

nat (inside) 4 access-list inside_outbound_nat0_acl 0 0

nat (inside) 2 192.168.40.0 255.255.255.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set one esp-aes-256 esp-sha-hmac

crypto ipsec transform-set two esp-aes-256 esp-sha-hmac

crypto ipsec transform-set three esp-3des esp-sha-hmac

crypto map VPN 10 ipsec-isakmp

crypto map VPN 10 match address 150

crypto map VPN 10 set peer oneip

crypto map VPN 10 set transform-set one

crypto map VPN 20 ipsec-isakmp

crypto map VPN 20 match address 101

crypto map VPN 20 set peer twoip

crypto map VPN 20 set transform-set two

crypto map VPN 30 ipsec-isakmp

crypto map VPN 30 match address outside_cryptomap_140

crypto map VPN 30 set peer threeip

crypto map VPN 30 set transform-set three

crypto map VPN interface outside

isakmp enable outside

isakmp key ******** address oneip netmask 255.255.255.255

isakmp key ******** address twoip netmask 255.255.255.255

isakmp key ******** address threeip netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 1000

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption des

isakmp policy 50 hash sha

isakmp policy 50 group 1

isakmp policy 50 lifetime 86400

It seems like something is overriding the two necessary access-list rules after it restarts. Let me know what you think.

Phusion

1 REPLY
New Member

Re: Problem with 3rd VPN

I figured out what the problem was.

Phusion

101
Views
0
Helpful
1
Replies