site2site & remote access vpns on same pix

g.leonard
Level 1

I have been running a remote access VPN successfully with my PIX (6.34) and Cisco VPN client 4.01. See the configuration below:

object-group network VPN_POOL
network-object host x.x.x.x
object-group network A_SERVERS
network-object host x.x.x.x
access-list 101 permit ip object-group A_SERVERS object-group VPN_POOL
access-list NAT_EXEMPT permit ip object-group A_SERVERS object-group VPN_POOL
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS max-failed-attempts 3
aaa-server MYTACACS deadtime 10
aaa-server MYTACACS (inside) host x.x.x.x xxxxxxxx timeout 5
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
ip local pool VPN (Range same as in VPN_POOL)
nat (inside) 0 access-list NAT_EXEMPT
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS1 esp-3des esp-sha-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANS1
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup GROUP1 address-pool VPN
vpngroup GROUP1 default-domain xxxxxxxxxx
vpngroup GROUP1 split-tunnel 101
vpngroup GROUP1 idle-time 1800
vpngroup GROUP1 password ********

I have now had to configure a site-to-site VPN on the same PIX. I have added the following lines to my configuration, which include new crypto map entries and a new isakmp policy, as this needs to be different from the first isakmp policy.

object-group network B_SVRS
network-object host x.x.x.x
access-list 201 permit ip object-group B_SVRS (Site-2-site remote site private IP network) 255.255.255.248
access-list 201 permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
access-list NAT_EXEMPT permit ip object-group B_SVRS (Site-2-site remote site private IP network) 255.255.255.248
access-list NAT_EXEMPT permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
crypto ipsec transform-set TRANS2 esp-3des esp-sha-hmac
crypto map VPNPEER 5 ipsec-isakmp
crypto map VPNPEER 5 match address 201
crypto map VPNPEER 5 set pfs group2
crypto map VPNPEER 5 set peer (Site-2-Site IP)
crypto map VPNPEER 5 set transform-set TRANS2
crypto map VPNPEER 5 set security-association lifetime seconds 3600 kilobytes 8192
crypto map VPNPEER interface outside
isakmp key ******** address (Site-2-Site IP) netmask 255.255.255.248
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800

Is there anything obviously wrong with this configuration (some parts I have omitted, obviously), as I am having issues with both VPNs now? Can you run different VPN configurations on the same PIX? Can you run site-to-site and remote access VPNs together? Any help is greatly appreciated.

5 Replies

Can you run site-to-site and remote access VPNs together on a PIX? Yes.

What issue do you have on the remote access VPN?

What terminates your site-to-site VPN, another PIX or a router?

You should remove:

access-list 201 permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS
access-list NAT_EXEMPT permit ip (Site-2-site remote site private IP network) 255.255.255.248 object-group B_SVRS

You should add "no-xauth no-config-mode" after:

isakmp key ******** address (Site-2-Site IP) netmask 255.255.255.248

Please note that SHA does not work anymore with recent versions of the VPN client. (Due to the introduction of AES support, Cisco reduced the number of combinations.)

Here is an example I often use:

nat (inside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl permit ip 255.0.0.0 VPNPool 255.255.252.0
access-list inside_outbound_nat0_acl permit ip 255.255.255.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 255.255.255.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxx address xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN-Servers address-pool SVRPool
vpngroup VPN-Servers dns-server xxxx
vpngroup VPN-Servers wins-server xxxx
vpngroup VPN-Servers default-domain xxxx
vpngroup VPN-Servers idle-time 1800
vpngroup VPN-Servers password xxx

Hi

Sorry for not responding for a while. I have configured my PIX as per your example above and my remote access client VPN works. However, my remote site VPN is not quite there. It seems the tunnel is coming up, however, from the "sh isakmp sa" and "sh ipsec sa" outputs. My remote site client says that his firewall reports packets have been sent down the tunnel but not received. When I try to ping one of their internal hosts from one of my internal hosts, I get the ICMP messages denied by the access-list that is bound to the inside interface, which permits unencrypted traffic to the Internet. Yet this communication should be being put down the tunnel?

Any ideas? Would greatly appreciate this as I think we're close!

Gary

You do not show your access lists and your access-group statements, but PIX OS 6.x is not stateful for ICMP, so it might be possible the echo requests are allowed to go through the tunnel, hit a host, but the echo replies back are blocked by an ACL. If we could see the inside-bound ACL, it would help.

These are the ACLs I have set up:

access-list LAN permit tcp host (inside host) host (external host) eq pptp
access-list LAN permit gre host (inside host) host (external host)
access-list LAN permit tcp host (inside host) host (external host) eq www
access-list LAN permit tcp host (inside host) host (external host) eq pptp
access-list LAN permit gre host (inside host) host (external host)
access-list LAN deny ip any any
access-group LAN in interface inside
nat (inside) 1 access-list LAN 0 0

The above is for non-IPsec traffic. It includes entries for an external PPTP server.

access-list NAT_EXEMPT permit ip object-group INT_SERVERS1 object-group VPN_POOL
access-list NAT_EXEMPT permit ip object-group INT_SERVERS2 (site vpn internal net) 255.255.255.248
nat (inside) 0 access-list NAT_EXEMPT

The above is for NAT exemption.

access-list REMOTE_ACCESS_VPN permit ip object-group INT_SERVERS1 object-group VPN_POOL
access-list SITE_VPN permit ip object-group INT_SERVERS2 (site vpn internal net) 255.255.255.248

The above is used in the crypto map and vpngroup configuration.
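The three points raised in the replies above (a site-to-site pre-shared key on a PIX that also does XAUTH needs "no-xauth no-config-mode", the dynamic crypto map entry must carry the highest sequence number so static peers are matched first, and a 6.x inside ACL ending in "deny ip any any" drops ICMP toward the tunnel because the PIX keeps no ICMP state) can be checked mechanically. The following Python linter is an added example written for this thread; it is not code from the thread or from Cisco. The configuration it runs on is constructed: it follows the poster's layout, with RFC 5737 documentation addresses standing in for the x.x.x.x placeholders, and the dynamic entry is deliberately numbered below the static one to exercise the ordering check.

```python
"""Offline linter for three PIX 6.x crypto-map / ACL pitfalls from the thread."""
import re
from collections import defaultdict

# Constructed sample config (not from the thread): same shape as the poster's,
# with documentation addresses, the site-to-site key left without
# no-xauth/no-config-mode, the dynamic map entry numbered below the static
# one, and an inside ACL with no ICMP permit before its explicit deny.
SAMPLE_CONFIG = """
access-list 201 permit ip host 192.0.2.10 198.51.100.0 255.255.255.248
access-list LAN permit tcp host 192.0.2.10 host 203.0.113.5 eq pptp
access-list LAN permit gre host 192.0.2.10 host 203.0.113.5
access-list LAN deny ip any any
access-group LAN in interface inside
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER 30 ipsec-isakmp
crypto map VPNPEER 30 match address 201
crypto map VPNPEER 30 set peer 203.0.113.9
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp key secret address 203.0.113.9 netmask 255.255.255.255
"""


def parse_config(text):
    """Pull out only the statements the checks below need."""
    cfg = {
        "crypto_maps": defaultdict(dict),  # map name -> {seq: is_dynamic}
        "client_auth": set(),              # map names that XAUTH remote clients
        "isakmp_keys": [],                 # (peer address, set of trailing flags)
        "acls": defaultdict(list),         # acl name -> [(action, proto, rest)]
        "access_groups": {},               # interface -> acl name
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line)
        if m:
            cfg["crypto_maps"][m.group(1)][int(m.group(2))] = m.group(3) is not None
            continue
        m = re.match(r"crypto map (\S+) client authentication", line)
        if m:
            cfg["client_auth"].add(m.group(1))
            continue
        m = re.match(r"isakmp key \S+ address (\S+) netmask \S+(.*)$", line)
        if m:
            cfg["isakmp_keys"].append((m.group(1), set(m.group(2).split())))
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (\S+)(.*)$", line)
        if m:
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3), m.group(4).strip()))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            cfg["access_groups"][m.group(2)] = m.group(1)
    return cfg


def check_crypto_map_order(cfg):
    """Entries are tried in sequence order and a dynamic entry matches any peer,
    so a static (site-to-site) entry numbered above it is never reached."""
    findings = []
    for name, entries in cfg["crypto_maps"].items():
        dyn = [s for s, d in entries.items() if d]
        static = [s for s, d in entries.items() if not d]
        if dyn and static and min(dyn) < max(static):
            findings.append(f"crypto map {name}: dynamic entry {min(dyn)} precedes static entry {max(static)}")
    return findings


def check_isakmp_keys(cfg):
    """With client authentication on the same map, each peer-gateway key needs
    'no-xauth no-config-mode' or the PIX will try to XAUTH / mode-config the peer."""
    findings = []
    if not cfg["client_auth"]:
        return findings
    for peer, flags in cfg["isakmp_keys"]:
        missing = {"no-xauth", "no-config-mode"} - flags
        if missing:
            findings.append(f"isakmp key for {peer}: missing {' '.join(sorted(missing))}")
    return findings


def check_inside_acl_icmp(cfg):
    """The inside ACL is applied before encryption and PIX 6.x keeps no ICMP state,
    so echo requests toward the tunnel need an explicit permit ahead of 'deny ip any any'."""
    findings = []
    acl_name = cfg["access_groups"].get("inside")
    if not acl_name:
        return findings
    entries = cfg["acls"][acl_name]
    explicit_deny = any(a == "deny" and p == "ip" and r == "any any" for a, p, r in entries)
    permits_icmp = any(a == "permit" and p in ("icmp", "ip") for a, p, r in entries)
    if explicit_deny and not permits_icmp:
        findings.append(f"access-list {acl_name} on inside: no icmp/ip permit before 'deny ip any any'")
    return findings


def lint(text):
    """Run all three checks and return the findings as plain strings."""
    cfg = parse_config(text)
    return check_crypto_map_order(cfg) + check_isakmp_keys(cfg) + check_inside_acl_icmp(cfg)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports all three problems; renumbering the dynamic entry to 65535 (as in the reply's example), appending the two flags to the isakmp key line, and adding an icmp permit for the site-to-site networks ahead of the deny makes the output empty. The ICMP check is a heuristic on the ACL text, not a full address-match against the crypto ACL.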

1) Is it that we can configure the VPN client on the outside interface only? Why not on the DMZ (security 50)?
