03-15-2005 05:15 AM - edited 02-21-2020 12:00 AM
I have been running a remote access VPN successfully with my PIX (6.34) and Cisco VPN client 4.01. See the configuration below:
object-group network VPN_POOL
network-object host x.x.x.x
object-group network A_SERVERS
network-object host x.x.x.x
access-list 101 permit ip object-group A_SERVERS object-group VPN_POOL
access-list NAT_EXEMPT permit ip object-group A_SERVERS object-group VPN_POOL
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS max-failed-attempts 3
aaa-server MYTACACS deadtime 10
aaa-server MYTACACS (inside) host x.x.x.x xxxxxxxx timeout 5
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
ip local pool VPN (Range same as in VPN_POOL)
nat (inside) 0 access-list NAT_EXEMPT
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS1 esp-3des esp-sha-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANS1
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GROUP1 address-pool VPN
vpngroup GROUP1 default-domain xxxxxxxxxx
vpngroup GROUP1 split-tunnel 101
vpngroup GROUP1 idle-time 1800
vpngroup GROUP1 password ********
I have now had to configure a site-to-site VPN on the same PIX. I have added the following lines to my configuration, which include new crypto map entries and a new isakmp policy, as this needs to be different from the first isakmp policy.
object-group network B_SVRS
network-object host x.x.x.x
access-list 201 permit ip object-group B_SVRS (Site-2-site remote site private IP network) 255.255.255.248
access-list 201 permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
access-list NAT_EXEMPT permit ip object-group B_SVRS (Site-2-site remote site private IP network) 255.255.255.248
access-list NAT_EXEMPT permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
crypto ipsec transform-set TRANS2 esp-3des esp-sha-hmac
crypto map VPNPEER 5 ipsec-isakmp
crypto map VPNPEER 5 match address 201
crypto map VPNPEER 5 set pfs group2
crypto map VPNPEER 5 set peer (Site-2-Site IP)
crypto map VPNPEER 5 set transform-set TRANS2
crypto map VPNPEER 5 set security-association lifetime seconds 3600 kilobytes 8192
crypto map VPNPEER interface outside
isakmp key ******** address (Site-2-Site IP) netmask 255.255.255.248
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
Is there anything obviously wrong with this configuration (some parts I have obviously omitted), as I am having issues with both VPNs now? Can you run different VPN configurations on the same PIX? Can you run site-to-site and remote access VPNs together? Any help is greatly appreciated.
03-18-2005 02:47 PM
Can you run site-to-site and remote access VPNs together in PIX? Yes.
What issue do you have on the remote access VPN?
What terminates your site-to-site VPN, another PIX? A router?
You should remove:
access-list 201 permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
access-list NAT_EXEMPT permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
You should add "no-xauth no-config-mode" after
isakmp key ******** address (Site-2-Site IP) netmask 255.255.255.248
Please note that SHA does not work anymore with recent versions of the VPN client. (Due to the introduction of AES support, Cisco reduced the number of combinations.)
Here is an example I often use:
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip
access-list inside_outbound_nat0_acl permit ip
access-list outside_cryptomap_20 permit ip
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxx address xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN-Servers address-pool SVRPool
vpngroup VPN-Servers dns-server xxxx
vpngroup VPN-Servers wins-server xxxx
vpngroup VPN-Servers default-domain xxxx
vpngroup VPN-Servers idle-time 1800
vpngroup VPN-Servers password xxx
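The reply above makes three concrete points: the site-to-site peer's pre-shared key needs no-xauth no-config-mode once Xauth is enabled on the crypto map, the reversed entry in the crypto ACL should be removed, and (from the example) the dynamic crypto map entry sits at the highest sequence number so static site-to-site entries are tried first. As an added example that is not from this thread or from Cisco, the following Python lint checks a PIX 6.x configuration for exactly those three things. The sample configurations, addresses (RFC 5737 ranges) and the function names are all constructed for illustration.

```python
"""Added example, not from the thread: a small lint for PIX 6.x crypto
configuration that flags the three points raised in the reply above.
All sample configurations below are constructed (RFC 5737 addresses)."""
import re
from collections import defaultdict

# Constructed sample mirroring the original poster's layout, not their real config.
SAMPLE_CONFIG = """\
access-list 201 permit ip object-group B_SVRS 192.0.2.0 255.255.255.248
access-list 201 permit ip 192.0.2.0 255.255.255.248 object-group B_SVRS
crypto dynamic-map DYNOMAP 10 set transform-set TRANS1
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER 5 ipsec-isakmp
crypto map VPNPEER 5 match address 201
crypto map VPNPEER 5 set peer 198.51.100.1
crypto map VPNPEER 5 set transform-set TRANS2
crypto map VPNPEER interface outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
"""

# Constructed variant: the dynamic entry numbered below the static one.
MISORDERED_CONFIG = SAMPLE_CONFIG.replace(
    "VPNPEER 20 ipsec-isakmp dynamic", "VPNPEER 1 ipsec-isakmp dynamic")


def config_lines(config):
    """Strip blank lines and indentation from a running-config dump."""
    return [line.strip() for line in config.splitlines() if line.strip()]


def check_dynamic_map_order(lines):
    """A dynamic entry is a catch-all for remote-access peers; it must carry the
    highest sequence number so the static site-to-site entries are matched first."""
    static, dynamic = defaultdict(list), defaultdict(list)
    pat = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
    for line in lines:
        m = pat.match(line)
        if not m:
            continue
        name, seq = m.group(1), int(m.group(2))
        (dynamic if m.group(3) else static)[name].append(seq)
    findings = []
    for name, seqs in dynamic.items():
        for seq in seqs:
            later_static = [s for s in static[name] if s > seq]
            if later_static:
                findings.append(f"crypto map {name} {seq}: dynamic entry precedes static "
                                f"entry {min(later_static)}; renumber it above {max(static[name])}")
    return findings


def check_isakmp_keys(lines):
    """With 'client authentication' (Xauth) on the map, a gateway peer's key needs
    no-xauth no-config-mode, otherwise the PIX treats that peer like a VPN client."""
    if not any(re.match(r"^crypto map \S+ client authentication \S+", l) for l in lines):
        return []
    findings = []
    for line in lines:
        m = re.match(r"^isakmp key \S+ address (\S+) netmask \S+(.*)$", line)
        if not m:
            continue
        flags = m.group(2).split()
        missing = [f for f in ("no-xauth", "no-config-mode") if f not in flags]
        if missing:
            findings.append(f"isakmp key for {m.group(1)}: add {' '.join(missing)}")
    return findings


def _split_src_dst(rest):
    """Split the address part of an ACE into (src, dst) token tuples."""
    tokens = rest.split()
    width = 1 if tokens[0] == "any" else 2
    src, tokens = tuple(tokens[:width]), tokens[width:]
    width = 1 if tokens[0] == "any" else 2
    return src, tuple(tokens[:width])


def check_mirrored_crypto_acl(lines):
    """A crypto ACL lists traffic from the local side only; the PIX derives the
    inbound direction itself, so a reversed ACE is redundant (the reply says remove it)."""
    text = "\n".join(lines)
    names = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", text, re.M))
    findings = []
    for name in sorted(names):
        entries = [m.group(1) for m in
                   re.finditer(rf"^access-list {re.escape(name)} permit ip (.+)$", text, re.M)]
        pairs = [_split_src_dst(e) for e in entries]
        for i, (src, dst) in enumerate(pairs):
            for j in range(i + 1, len(pairs)):
                if pairs[j] == (dst, src) and src != dst:
                    findings.append(f"access-list {name}: remove reversed entry "
                                    f"'permit ip {entries[j]}'")
    return findings


def lint(config):
    """Run all checks; each value is a list of human-readable findings."""
    lines = config_lines(config)
    return {
        "map_order": check_dynamic_map_order(lines),
        "isakmp_keys": check_isakmp_keys(lines),
        "crypto_acl": check_mirrored_crypto_acl(lines),
    }


if __name__ == "__main__":
    for section, items in lint(SAMPLE_CONFIG).items():
        print(section, items or ["ok"])
```

Run against the constructed sample, the lint reports the missing key flags and the reversed ACE but passes the map ordering, because the dynamic entry (20) already sits above the static one (5); the misordered variant trips the third check as well.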
04-08-2005 03:34 AM
Hi
Sorry for not responding for a while. I have configured my PIX as per your example above and my remote access client VPN works. However, my remote site VPN is not quite there. It seems the tunnel is coming up, however, from the "sh isakmp sa" and "sh ipsec sa" outputs. My remote site client says that his firewall reports packets have been sent down the tunnel but not received. When I try to ping one of their internal hosts from one of my internal hosts, I get the ICMP messages denied by the access-list that is bound to the inside interface, which permits unencrypted traffic to the Internet. Yet this communication should be being put down the tunnel?
Any ideas? Would greatly appreciate this as I think we're close!
Gary
04-08-2005 05:30 AM
You do not show your access lists and your access-group statements, but PIX OS 6.xxx is not stateful for ICMP, so it might be possible the echo requests are allowed to go through the tunnel, hit a host, but the echo replies back are blocked by an ACL. If we could see the inside-bound ACL, it would help.
04-08-2005 06:30 AM
These are the ACLs I have setup:
access-list LAN permit tcp host (inside host) host (external host) eq pptp
access-list LAN permit gre host (inside host) host (external host)
access-list LAN permit tcp host (inside host) host (external host) eq www
access-list LAN permit tcp host (inside host) host (external host) eq pptp
access-list LAN permit gre host (inside host) host (external host)
access-list LAN deny ip any any
access-group LAN in interface inside
nat (inside) 1 access-list LAN 0 0
The above is for non-IPsec traffic. It includes entries for an external PPTP server.
access-list NAT_EXEMPT permit ip object-group INT_SERVERS1 object-group VPN_POOL
access-list NAT_EXEMPT permit ip object-group INT_SERVERS2 (site vpn internal net) 255.255.255.248
nat (inside) 0 access-list NAT_EXEMPT
The above is for NAT exemption.
access-list REMOTE_ACCESS_VPN permit ip object-group INT_SERVERS1 object-group VPN_POOL
access-list SITE_VPN permit ip object-group INT_SERVERS2 (site vpn internal net) 255.255.255.248
The above is used in crypto map and vpngroup configuration.
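The ACLs posted above show an inside-interface ACL (LAN) that permits a handful of specific Internet flows and then denies everything, while a separate crypto ACL (SITE_VPN) selects the site-to-site traffic. On PIX 6.x the interface ACL is evaluated when a packet arrives on the inside interface, before the crypto map gets to encrypt it, so a flow the crypto ACL selects but the inside ACL does not permit is dropped with exactly the "denied by access-list" message described. As an added example (not from this thread or from Cisco), the following Python simulates PIX first-match ACL evaluation for every flow a crypto ACL selects and reports the ones the inside ACL drops. The configuration, object-group contents and addresses (RFC 1918 and RFC 5737 ranges) are constructed for illustration.

```python
"""Added example, not from the thread: simulate the ACL applied inbound on the
PIX inside interface against the flows a crypto ACL selects, so tunnel traffic
the inside ACL would drop before encryption is reported. The configuration
below is constructed (RFC 1918 / RFC 5737 addresses)."""
import ipaddress
import re

# Constructed: inside ACL permits one web flow and denies everything else,
# while the crypto ACL selects two internal servers talking to the remote site.
CONFIG = """\
object-group network INT_SERVERS2
 network-object host 10.1.1.10
 network-object host 10.1.1.11
access-list LAN permit tcp host 10.1.1.10 host 203.0.113.5 eq www
access-list LAN deny ip any any
access-group LAN in interface inside
access-list SITE_VPN permit ip object-group INT_SERVERS2 172.16.50.0 255.255.255.248
crypto map VPNPEER 5 match address SITE_VPN
"""

# Constructed fix: permit the tunnel flows ahead of the final deny.
FIXED_CONFIG = CONFIG.replace(
    "access-list LAN deny ip any any",
    "access-list LAN permit ip object-group INT_SERVERS2 172.16.50.0 255.255.255.248\n"
    "access-list LAN deny ip any any",
)


def parse_address(tokens, groups):
    """Consume one address spec (any | host A | object-group G | A MASK);
    return (list of ip_network objects, remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def parse_object_groups(lines):
    """Collect 'object-group network' definitions into name -> [networks]."""
    groups, current = {}, None
    for line in lines:
        m = re.match(r"^object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith("network-object "):
            current.extend(parse_address(line.split()[1:], groups)[0])
        else:
            current = None
    return groups


def parse_acl(lines, name, groups):
    """Return the ACEs of one ACL in configuration order as (action, proto, srcs, dsts)."""
    aces = []
    for line in lines:
        m = re.match(rf"^access-list {re.escape(name)} (permit|deny) (\S+) (.+)$", line)
        if not m:
            continue
        srcs, rest = parse_address(m.group(3).split(), groups)
        dsts, _ = parse_address(rest, groups)
        aces.append((m.group(1), m.group(2), srcs, dsts))
    return aces


def first_match(aces, src, dst):
    """PIX semantics: the first ACE covering the flow decides; no match means deny."""
    for action, proto, srcs, dsts in aces:
        if proto != "ip":
            continue  # a tcp/udp/icmp-only ACE does not cover arbitrary ip traffic
        if any(src.subnet_of(s) for s in srcs) and any(dst.subnet_of(d) for d in dsts):
            return action
    return "deny"


def check_inside_acl(config):
    """List crypto-selected flows that the inside-bound ACL would drop."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text = "\n".join(lines)
    groups = parse_object_groups(lines)
    bound = re.search(r"^access-group (\S+) in interface inside$", text, re.M)
    if not bound:
        return []
    inside = parse_acl(lines, bound.group(1), groups)
    findings = []
    for crypto_acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", text, re.M):
        for action, proto, srcs, dsts in parse_acl(lines, crypto_acl, groups):
            if action != "permit":
                continue
            for src in srcs:
                for dst in dsts:
                    if first_match(inside, src, dst) != "permit":
                        findings.append(f"inside ACL {bound.group(1)} drops {src} -> {dst} "
                                        f"(selected by crypto ACL {crypto_acl})")
    return findings


if __name__ == "__main__":
    print("\n".join(check_inside_acl(CONFIG)) or "all tunnel flows permitted")
```

On the constructed config both servers are reported, since the only permit in LAN is a tcp/www entry to a single Internet host and the final deny catches the rest; with the added permit for the tunnel flows the check returns nothing. The check deliberately treats only "ip" ACEs as covering a crypto flow, so an ACL that permits just tcp would still be flagged for the ICMP case described above.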
04-08-2005 11:26 AM
1) Is it that we can configure the VPN client on the outside interface only... why not on the DMZ (security 50)???