06-18-2009 12:29 PM - edited 03-11-2019 08:45 AM
I'm trying to configure a backup connection with a 501 that will have a VPN connection. I am able to connect to the tunnel using the client, but once I'm connected I can't ping or connect to anything in the network. This is the config from the 501.
501
access-list NONAT permit ip 192.168.200.0 255.255.255.0 10.25.0.0 255.255.0.0
ip address outside World 255.255.255.248
ip address inside 10.74.253.0 255.255.255.252
ip local pool TECH_VPN_POOL 192.168.200.10-192.168.200.254
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 World 1
route inside 10.25.0.0 255.255.0.0 10.25.200.2 1
route inside 192.168.25.0 255.255.255.0 192.168.25.1 1
route inside 192.168.200.0 255.255.255.0 192.168.200.1 1
4500 switch
Gateway of last resort is 10.25.21.1 to network 0.0.0.0
C 192.168.200.0/24 is directly connected, Vlan61
C 10.25.0.0/16 is directly connected, Vlan10
C 192.168.25.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 10.25.21.1
C 10.65.253.0/30 is directly connected, FastEthernet5/48
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.34.7 YES NVRAM up up
Vlan10 10.34.200.2 YES NVRAM up up
Vlan666 192.168.200.1 YES manual up up
06-18-2009 04:00 PM
Please post the crypto and vpngroup portion of the configs.
06-18-2009 06:12 PM
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set TECH_TRANSFORM esp-des esp-md5-hmac
crypto ipsec transform-set TECH_TRANSFORM2 esp-3des esp-md5-hmac
crypto dynamic-map DYN-TECH 90 set transform-set TECH_TRANSFORM
crypto dynamic-map DYN-TECH2 92 set transform-set TECH_TRANSFORM2
crypto map TECH-MAP 90 ipsec-isakmp dynamic DYN-TECH
crypto map TECH-MAP2 92 ipsec-isakmp dynamic DYN-TECH2
crypto map TECH-MAP2 interface outside
isakmp enable outside
isakmp keepalive 30 10
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup user1 address-pool TECH_VPN_POOL
vpngroup user1 dns-server 10.25.35.50 10.25.35.60
vpngroup user1 default-domain test.tld
vpngroup user1 idle-time 1800
vpngroup user1 password *************
ssh 10.25.0.0 255.255.0.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 10
06-19-2009 07:21 AM
Joshua,
I would start by using a different network in TECH_VPN_POOL for the RA clients, so that it differs from 192.168.200.0/24, which is already being routed internally. I have seen it either work or just not work when the VPN pool network is the same as one already used in the LAN; it is sometimes cumbersome to troubleshoot.
Second, after you change the VPN pool network, rewrite the NAT-exempt ACL to reflect your new VPN pool network so it can access resources on the 10.25.0.0/16 network. Also add to the PIX config: isakmp nat-traversal 20
Here are some tips for future reference:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
Let us know how it works out.
Regards
06-19-2009 12:38 PM
OK, I removed the VPN pool and created ip local pool 2POOL 172.29.20.1-172.29.20.10
Then I removed the old nat 0 and made the new one:
access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0
access-list NONAT permit ip 172.29.20.0 255.255.255.0 192.168.25.0 255.255.255.0
nat (inside) 0 access-list NONAT
I added isakmp nat-traversal 20. I also tried to add the route inside 172.29.20.0 255.255.255.0 10.74.253.1, but I can't connect or ping anything on the inside of 10.74.253.1. (10.74.253.1/30 is the IP of the 4507 and 10.74.253.2/30 is the PIX. I mistyped in the first question.)
There is no route on the 4507 for the 172.29.20.0/24 network. Shouldn't I have one on there?
06-19-2009 12:58 PM
The 4507R points to another firewall that takes them out to the internet. The firewall I am configuring is for testing and VPN connections. It is not the default gateway for the LAN hosts.
06-19-2009 02:05 PM
Invert your NONAT ACL
from
access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0
to
access-list NONAT permit ip 10.25.0.0 255.255.0.0 172.29.20.0 255.255.255.0
You don't need a route inside on the ASA for the VPN pool network.
You do not need to route the 172.29.20.0 VPN pool in the 4507 towards the ASA5500 firewall if you have a default route in the 4507 pointing to the ASA5500 firewall; if not, then you will need a static route in the 4507 for the VPN pool network via the ASA inside interface. Could you repost a clear topology?
Give it another try.
[edit]
The same NONAT applies for your other two networks, 192.168.25.0/24 and 192.168.200.0/24, if you want RA to access those:
access-list NONAT permit ip 192.168.200.0 255.255.255.0 172.29.20.0 255.255.255.0
access-list NONAT permit ip 192.168.25.0 255.255.255.0 172.29.20.0 255.255.255.0
Regards
06-21-2009 06:44 PM
OK, I attached a quick Visio of what things look like.
I have a PIX515 = 10.25.20.1. This is the main firewall for the network.
The 4500: VLAN5 = 10.25.200.2 and VLAN1 = 192.168.25.1. The default gateway is set to 10.25.20.1, the PIX515. I configured a point-to-point connection for the secondary firewall with the IP = 10.74.253.1/30
The firewall's inside IP = 10.74.253.2/30
TECH_VPN_POOL = 172.29.20.0/24
501
access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0
ip address outside World 255.255.255.248
ip address inside 10.74.253.2 255.255.255.252
ip local pool TECH_VPN_POOL 172.29.20.1-172.29.20.254
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 World 1
route inside 10.25.0.0 255.255.0.0 10.25.200.2 1
route inside 192.168.25.0 255.255.255.0 192.168.25.1 1
4500 switch
Gateway of last resort is 10.25.21.1 to network 0.0.0.0
C 10.25.0.0/16 is directly connected, Vlan10
C 192.168.25.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 10.25.21.1
C 10.74.253.0/30 is directly connected, FastEthernet5/48
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.25.7 YES NVRAM up up
Vlan10 10.25.200.2 YES NVRAM up up
So what you are saying is my NONAT needs to be switched like so:
access-list NONAT permit ip 10.25.0.0 255.255.0.0 172.29.20.0 255.255.255.0
access-list NONAT permit ip 192.168.25.0 255.255.255.0 172.29.20.0 255.255.255.0
So for the 4500 I should not need a route to the VPN, but when I configure VLANs for the building with the 6500 I will need to create a route to the VPN firewall using 10.25.200.2, correct?
Dumb question, but why do I need to switch the NONAT around? Is it because when the packet hits the inside interface, the "from" is the 10.25.0.0/16 network and the "to" is the TECH_VPN_POOL, and not the other way around?
06-21-2009 09:01 PM
Joshua, thanks for posting diagram..
OK, you have the 515 as your primary default-route device on the 4500 L3 switch; this changes things a bit. You will need to enter a static route for the VPN pool network in the 4500 back to the PIX501. If you were doing some dynamic routing internally you could redistribute that static route pertaining to the VPN pool downstream to the 6500 core switch, but since it seems you are doing static routing instead, you will also need a static route in the 6500 for the VPN pool network via the 4500.
So in your 4500 you will need a route back to the PIX501 for the VPN network:
ip route 172.29.20.0 255.255.255.0 10.74.253.2
So for the 4500 I should not need a route to the VPN, but when I configure VLANs for the building with the 6500 I will need to create a route to the VPN firewall using 10.25.200.2, correct?
On the 6500, for 10.25.200.0/24 to reach the VPN pool network in the PIX501 you need a route via the 4500. Again, if you were doing dynamic routing on the 4500 and 6500, only one static would have been required, in the 4500 L3 switch:
ip route 172.29.20.0 255.255.255.0 < Via_4500_10.74.253.1>
Why do I need to switch the NONAT around? Is it because when the packet hits the inside interface, the "from" is the 10.25.0.0/16 network and the "to" is the TECH_VPN_POOL, and not the other way around?
Yes. First, try from the secondary PIX501 to work your way down to the 4500 networks before touching the 6500 with regard to the VPN pool; test connectivity from the RA VPN to the subnets on your 4500 after you correct the NAT-exempt access list I asked you to invert.
post results
Regards
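The two fixes proposed in the 06-19 02:05 PM and 06-21 09:01 PM replies (invert the NAT-exempt ACL so the inside network is the source, and give the 4500 a static route for the VPN pool back to the PIX501) can be sanity-checked off-box. The following is an added example, not code from the thread or from Cisco: a small model of how the PIX matches nat (inside) 0 access-list and how the 4500 does longest-prefix-match for return traffic. The addresses are the ones posted above; the parsers, table layout, function names, and the sample flow 10.25.35.50 -> 172.29.20.5 are constructed for illustration.

```python
"""
Added example, not from the thread: a Python model of the NAT-exempt ACL
direction on the PIX501 and the return-path routing on the 4500, so the
two suggested fixes can be checked before touching hardware.
Addresses are the ones posted in the thread; the parsers, table layout,
function names and the sample flow (10.25.35.50 -> 172.29.20.5) are constructed.
"""
from ipaddress import ip_address, ip_network

VPN_CLIENT = "172.29.20.5"      # constructed: an address out of TECH_VPN_POOL
PIX501_INSIDE = "10.74.253.2"   # PIX501 inside interface, as posted
PIX515 = "10.25.21.1"           # 4500's default gateway (primary firewall), as posted


def parse_acl(lines):
    """Parse PIX 'access-list NAME permit ip SRC SMASK DST DMASK' lines.
    PIX ACLs use real subnet masks (not IOS wildcard masks)."""
    entries = []
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        src = ip_network(f"{f[4]}/{f[5]}", strict=False)
        dst = ip_network(f"{f[6]}/{f[7]}", strict=False)
        entries.append((src, dst))
    return entries


def nat0_exempt(acl, inside_host, remote_host):
    """nat (inside) 0 access-list is matched with the inside host as SOURCE and
    the remote (VPN pool) host as DESTINATION. Returns True if the flow is
    exempted from NAT, False if it would fall through to 'nat (inside) 1'."""
    s, d = ip_address(inside_host), ip_address(remote_host)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


# ACL as the poster first wrote it (pool as source) and as the reply inverted it
ORIGINAL_NONAT = [
    "access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0",
]
INVERTED_NONAT = [
    "access-list NONAT permit ip 10.25.0.0 255.255.0.0 172.29.20.0 255.255.255.0",
    "access-list NONAT permit ip 192.168.25.0 255.255.255.0 172.29.20.0 255.255.255.0",
]


def parse_ios_static(line):
    """Parse IOS 'ip route PREFIX MASK NEXTHOP' into (network, next_hop)."""
    f = line.split()
    if len(f) != 5 or f[:2] != ["ip", "route"]:
        raise ValueError(f"unsupported route line: {line!r}")
    return ip_network(f"{f[2]}/{f[3]}", strict=False), f[4]


def next_hop(table, dst):
    """Longest-prefix match over a list of (network, next_hop); None if no route."""
    d = ip_address(dst)
    matches = [(net, nh) for net, nh in table if d in net]
    if not matches:
        return None
    return max(matches, key=lambda e: e[0].prefixlen)[1]


# 4500 routing table as posted: connected networks plus a default to the PIX515
SWITCH_4500 = [
    (ip_network("10.25.0.0/16"), "connected Vlan10"),
    (ip_network("192.168.25.0/24"), "connected Vlan1"),
    (ip_network("10.74.253.0/30"), "connected FastEthernet5/48"),
    (ip_network("0.0.0.0/0"), PIX515),
]
# Same table after the static route from the reply is added
SWITCH_4500_FIXED = SWITCH_4500 + [
    parse_ios_static("ip route 172.29.20.0 255.255.255.0 10.74.253.2"),
]


def return_path_ok(table, client_ip=VPN_CLIENT):
    """Does a reply from a 4500-attached host to the VPN client go back to the PIX501?"""
    return next_hop(table, client_ip) == PIX501_INSIDE


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_NONAT), ("inverted", INVERTED_NONAT)):
        ok = nat0_exempt(parse_acl(acl), "10.25.35.50", VPN_CLIENT)
        print(f"{label:8} NONAT exempts 10.25.35.50 -> {VPN_CLIENT}: {ok}")
    for label, table in (("as posted", SWITCH_4500), ("with static", SWITCH_4500_FIXED)):
        print(f"4500 {label:11} next hop for {VPN_CLIENT}: {next_hop(table, VPN_CLIENT)}"
              f" (reaches PIX501: {return_path_ok(table)})")
```

Run stand-alone, the first loop shows the original ACL does not exempt an inside-sourced flow while the inverted one does, and the second loop shows the 4500 sending replies for the pool to 10.25.21.1 (the PIX515, which has no tunnel to the client) until the static route makes 10.74.253.2 the next hop. The model only covers the 4500; as the reply says, a 6500 behind it needs its own static for 172.29.20.0/24 via the 4500, or a redistributed static if dynamic routing is in use.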
06-23-2009 06:56 AM
Joshua, any updates on your problem?
06-23-2009 10:37 AM
Sorry, I am on vacation and was not here to test. I stopped in and made the changes and I still cannot connect. I have copied all the configs and am going to try to set up a test lab at home.
Do I need to set up split tunneling maybe? I have been trying all this out on my MacBook Pro; could that be stopping me?
I will try from home and see if it will work with my PC.
I am so cornfuzed....
06-24-2009 12:29 PM
I was thinking that maybe it was the VPN software on the Mac that was stopping access, but even from my PC at home I cannot talk to anything. I cannot SSH or telnet to the 501 or anything else in the network. I am getting the VPN pool address.
Tonight I am going to try to set up a test network at home and see if I can get in.
Just for giggles, even though I am connecting to the PIX, could the ISP be blocking certain traffic? Just a thought.
06-24-2009 03:44 PM
Joshua,
Sorry for late reply, been busy.
Did you configure the static routes I suggested in my last post?
For telnet/SSH to the PIX while connected through the VPN tunnel you will need management-access inside:
asa(config)#management-access inside
Just for giggles, even though I am connecting to the PIX, could the ISP be blocking certain traffic?
This is very unlikely.
Do I need to set up split tunneling maybe?
Don't need to go there.
If you have access to the PIX while VPN-connected, try confirming the PC RA client is indeed connected.
You can verify in the firewall by issuing the following and saving the output:
show crypto isakmp sa
You may also confirm the client is getting an IP from the local pool:
show ip local pool
It should show the IP address the RA client was assigned.
From the PIX itself you should be able to ping the RA client IP, provided the PC client does not have a firewall turned on.
If you get up to the above point we can say the RA VPN is fine. From that point on, downstream to reach your networks in the 4500 switch, is where you have to do the routing changes I provided you.
The problem I see is that you cannot reach the networks in the 4500 switch because there is no route back to the secondary PIX for the RA VPN pool network. Because you have a default route in the 4500 switch pointing to the primary PIX, the switch has no knowledge of the secondary PIX RA pool.
Looking at the show ip route of the 4500 switch, it shows your default route is
S* 0.0.0.0/0 [1/0] via 10.25.21.1, but your diagram says 10.25.20.1. I assume the diagram is a typo.
In any case, try working your way down to reach your subnets in the 4500 switch; once you get this fixed, then move towards the 6500 switch subnets. Are you doing any dynamic routing internally?
Regards
07-07-2009 05:57 AM
Sorry for not responding sooner.
Last week I was able to get everything working. I tried reconfiguring from scratch so many times I lost count. After not getting anywhere, I reloaded the IOS 6.3.5 again. I copied over my config and everything was working beautifully. I don't know.
Thank you for all your help.