Cisco Support Community
New Member

vpn remote access and site2site on same pix

I have a site-to-site VPN that's working between pixA and pixB. I would also like to set up remote access VPN on pixA. Does someone have a working config that I can use as a template in this scenario?

Thanks for any help.

8 REPLIES
New Member

Re: vpn remote access and site2site on same pix

Can you please have a look at my VPN configuration. I set up the site-to-site VPN first and it works fine, but as soon as I set up the remote access VPN it stops working.

Thanks for any help

Gold

Re: vpn remote access and site2site on same pix

Below is a sample config for both LAN-to-LAN VPN and remote VPN on a PIX:

! 101: NAT exemption for both the LAN-to-LAN subnet and the client pool
! 110: crypto ACL for the LAN-to-LAN tunnel
! 120: split-tunnel ACL for remote-access clients
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
! address pool handed out to remote-access clients
ip local pool ippool 10.1.1.11-10.1.1.21
!
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
!
! local user database referenced by "client authentication LOCAL" below
aaa-server LOCAL protocol local
username cisco password cisco123
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
! entry 10: static LAN-to-LAN peer; entry 20: dynamic entry for remote-access clients
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set vpnset
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
crypto map myvpn client authentication LOCAL
crypto map myvpn interface outside
!
isakmp enable outside
! no-xauth no-config-mode exempts the LAN-to-LAN peer from the XAUTH and mode-config applied to clients
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password cisco456

Please excuse me for not reading the posted config, as the layout is a bit hard to read. One simple way to capture the config is to do "sh run" in the telnet/ssh session and then copy and paste it into Notepad.

New Member

Re: vpn remote access and site2site on same pix

Thanks for all your help, Jackko. But I have two questions for you or anyone who is willing to help me. Since I don't have access to the remote PIX, I just needed to clear up a couple of things about the access lists.

I assume that these two access list commands are for the site to site vpn?

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Are these two access list commands for the remote access vpn?

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

Thanks again for all the help

Gold

Re: vpn remote access and site2site on same pix

Yes. 192.168.1.x and 192.168.2.x are LAN-to-LAN, whereas 10.1.1.x is remote VPN access.

New Member

Re: vpn remote access and site2site on same pix

Thanks a lot Jackko. I appreciate that.

New Member

Re: vpn remote access and site2site on same pix

Hello, gentlemen!

Could you please tell me if this configuration will be valid for a Cisco 2811 router?

I have the same problem: I need to configure both site-to-site VPN and remote access VPN on the same device.

I understand that the syntax will be quite different, but maybe the main idea is the same?

If somebody can post an example of such a configuration here, or at least a link to an example, I will be very happy! =)

Gold

Re: vpn remote access and site2site on same pix

The config on a PIX and on a router is quite different.

Below is a sample config for both LAN-to-LAN VPN and remote VPN on a router:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! pre-shared key for the LAN-to-LAN peer; no-xauth keeps that peer out of XAUTH
! (the peer address was omitted in the post; <peer-ip> is a placeholder)
crypto isakmp key xxxxxxxx address <peer-ip> no-xauth
! group policy pushed to remote-access clients
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpnset
!
! vpnauthen and vpnauthor are AAA method lists that must be defined separately
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
! static LAN-to-LAN entry first; Cisco recommends giving the dynamic entry the highest sequence number
crypto map vpnmap 10 ipsec-isakmp
 set peer <peer-ip>
 set transform-set vpnset
 match address 140
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address <dialer-address>
 ip nat outside
 crypto map vpnmap
!
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
!
! 101: exclude VPN traffic from NAT; 130: split-tunnel ACL; 140: LAN-to-LAN crypto ACL
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
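An added configuration check, not from this thread or from Cisco, that applies to both the PIX config earlier in the thread and this router config: it parses the crypto map, set peer and isakmp key lines (PIX inline form and IOS sub-mode form) and flags a static site-to-site entry whose peer key lacks no-xauth, or no-config-mode when the map initiates mode-config, and a dynamic entry that does not carry the highest sequence number. The embedded sample is constructed to show the failing case behind "site-to-site stops working once remote access is added".

```python
import re

# Constructed sample (not from the thread): the site-to-site peer key lacks "no-xauth no-config-mode".
SAMPLE_BAD = """\
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 20 ipsec-isakmp dynamic dynmap
crypto map myvpn client configuration address initiate
crypto map myvpn client authentication LOCAL
isakmp key cisco123 address 1.1.1.2 netmask 255.255.255.255
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic \S+)?$")
PEER_INLINE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")  # PIX form
PEER_SUB = re.compile(r"^set peer (\S+)$")                             # IOS sub-mode form
KEY = re.compile(r"^(?:crypto )?isakmp key \S+ address (\S+)(.*)$")    # PIX or IOS
FLAG = re.compile(r"^crypto map (\S+) client (authentication|configuration address initiate)")

def check_vpn_coexistence(config):
    """Return findings for static (site-to-site) entries hit by client-only XAUTH / mode-config."""
    entries, peers, keys, xauth, initiate = {}, {}, {}, set(), set()
    current = None  # last "crypto map NAME SEQ ipsec-isakmp" seen, for IOS sub-mode lines
    for raw in config.splitlines():
        line = raw.strip()
        if m := ENTRY.match(line):
            current = (m.group(1), int(m.group(2)))
            entries[current] = "dynamic" in line
        elif m := PEER_INLINE.match(line):
            peers[(m.group(1), int(m.group(2)))] = m.group(3)
        elif (m := PEER_SUB.match(line)) and current:
            peers[current] = m.group(1)
        elif m := KEY.match(line):
            keys[m.group(1)] = m.group(2)  # trailing options, e.g. " no-xauth no-config-mode"
        elif m := FLAG.match(line):
            (xauth if m.group(2) == "authentication" else initiate).add(m.group(1))
    findings = []
    for (name, seq), dynamic in entries.items():
        if dynamic:  # Cisco's guidance: the dynamic entry carries the highest sequence number
            if any(s > seq for (n, s), d in entries.items() if n == name and not d):
                findings.append(f"{name} {seq}: dynamic entry should have the highest seq")
        elif (peer := peers.get((name, seq))) is None:
            findings.append(f"{name} {seq}: static entry has no set peer")
        else:
            opts = keys.get(peer, "")  # "" also covers a missing key line for that peer
            if name in xauth and "no-xauth" not in opts:
                findings.append(f"{name} {seq}: peer {peer} key needs no-xauth")
            if name in initiate and "no-config-mode" not in opts:
                findings.append(f"{name} {seq}: peer {peer} key needs no-config-mode")
    return findings
```

Feed it the output of "sh run" (PIX) or "show running-config" (IOS); an empty list means the static peer is exempted from the client settings and the dynamic entry is ordered last.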

New Member

Re: vpn remote access and site2site on same pix

Thanks a lot!!!!! :)

..and one little question about AAA configuration...

If I want local authentication, the config lines will be like this, won't they?

!
aaa new-model
!
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
!
username blablabla password blablabla
!

Is that correct?

The matter is that I have PPTP VPN working, and I cannot configure a general login-password pair. The connection is established only if the user enters a username that is the same as the name of his PC... And I have to enter

!
username name_of_PC password blablabla
!

to grant that user access to my network....

But I want to set the username-password pairs myself! And then I would give those pairs to the users..

I'm afraid that I will have the same problem with IPsec VPN....

PS: sorry if it's off-topic.... and sorry for my bad English...
