01-23-2008 08:17 AM - edited 03-09-2019 07:56 PM
I have 2 Pix 501s configured for site to site access (HomePIX, OfficePIX). Site to site between the peers works correctly but Cisco client access does not work from any other site. When I reconfigure the office pix to exclude site to site, Cisco client access works correctly from any location.
Any assistance would be appreciated.
OfficePIX configuration:
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup tekconvpn address-pool vpnpool
vpngroup tekconvpn dns-server TekConMain
vpngroup tekconvpn default-domain tekconllc.local
vpngroup tekconvpn split-tunnel tekconvpn_splitTunnelAcl
vpngroup tekconvpn idle-time 1800
vpngroup tekconvpn password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxxxxx@xxxxxx.net
vpdn group pppoe_group ppp authentication pap
vpdn username xxxxxxx@xxxxxx.net password ********* store-local
dhcpd address 10.0.0.111-10.0.0.125 inside
dhcpd dns TekConMain
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
01-23-2008 08:38 AM
If possible can you post the full configuration of the Pix 501. I am interested in looking at the crypto map configuration. For example, if you look at the below URL, the crypto dynamic map instance 30 is higher than 10. So, check whether your pix is configured with a dynamic map instance less than the Lan to Lan tunnel or higher.
crypto dynamic-map dynmap 30 set transform-set myset
!--- Use the crypto-map sequence 10 command for PIX to PIX.
crypto map newmap 10 ipsec-isakmp
Also, make sure that there are no overlapping IPSec ACL's on the Pix.
Regards,
Arul
** Please rate helpful posts **
01-23-2008 08:48 AM
01-23-2008 09:29 AM
NP, thanks for the config. Definitely helps.
I think the problem is with the POOL of ip addresses that is configured for the VPN Clients
ip local pool vpnpool 10.0.0.126-10.0.0.130
Your L2L tunnel has an ACL of
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
So, when you have the L2L tunnel and VPN Client at the same time, the VPN Clients' pool of IPs is following the L2L tunnel and not going back to the VPN client.
Here is what I would do. Change the pool of IP Addresses for the VPN Clients to something different other than your LAN. Example, 192.168.1.x/24. Include this in your NAT 0 Statement and then you should be all set.
Give it a shot and let me know how it goes.
Regards,
Arul
** Please rate helpful posts **
01-23-2008 01:59 PM
01-23-2008 02:35 PM
So, are you able to connect using the VPN Client but not access the LAN behind the Pix? Can you post the below outputs:
1. Copy of the current configuration
2. The ip address that you are trying to reach from the VPN Client
3. Show cry is sa and show cry ipsec sa, when the VPN Client is getting connected and not able to ping the LAN behind the Pix.
Regards,
Arul
01-24-2008 09:25 AM
I am unable to connect with the VPN client but the site to site connection is working.
I am attaching the VPN Client error log and the Pix 501 configuration.
Before I configured site to site the VPN client worked properly. If I remove the site to site configuration the VPN will work again.
Thanks again for your help.
01-25-2008 11:49 AM
Tom,
If I understand the problem correctly, you are able to connect using the VPN Client but not able to access any resources on the inside, correct?
If my understanding is correct, then please reconfigure your IP Pool to something different than 10.2.0.x. You cannot have the IP Pool in the range 10.2.0.x and also include this destination network in your L2L Tunnel. If you do this, the Pix will encrypt the traffic across the L2L tunnel instead of to the VPN Client.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0
Just for testing purposes, can you change the IP Pool to something like 192.168.1.x and connect the VPN Client at the same time your l2l is up. Also, make sure that you add a NAT 0 statement. For example.
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Please make the changes and let us know how it goes. If not, please post the updated configuration along with "show cry is sa" and " show crypto ipsec sa" from the pix.
Regards,
Arul
** Please rate all helpful posts **
01-25-2008 02:26 PM
Tom,
Thanks for all the information. You are motivated to resolve this issue, and so am I. I think I might have finally found what the issue is:
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
The crypto instances for the crypto map need to match. In the existing configuration 20 and 65535 do not match. Configure 20 on both lines and let me know how it works.
I know it's Friday but I swear I haven't started drinking early.
Regards,
Arul
** Please rate all helpful posts **
01-25-2008 04:45 PM
Arul,
Fortunately I have already started drinking.
I appreciate your time and I will implement the configuration changes this weekend. I will keep you informed.
Thanks again.
01-27-2008 12:05 PM
Hi,
I checked the config and as per the latest attached config we have a misconfiguration for vpn client and hence the issue.
Try the following steps:
1. no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
2. crypto map transam 65535 ipsec-isakmp dynamic outside_dyn_map
Note:
-- You can apply one crypto map to one interface.
-- The crypto map "outside_map" hasn't been applied to any interface.
**rate the post, if helpful**
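The two misconfigurations diagnosed in this thread (a VPN client pool that sits inside the destination of an L2L crypto ACL, and a dynamic entry hung off a crypto map that is never bound to an interface) are easy to check mechanically. The following Python is an added example, not from the thread or from Cisco; the sample config is constructed from the fragments quoted above, and the "crypto map transam 10 match address 101" and "crypto map transam interface outside" lines are assumed, since the thread only says that transam is the map on the interface.

```python
import ipaddress
import re

# Constructed sample built from the fragments quoted in the thread; the
# "crypto map transam ... match address 101" and "interface outside" lines
# are assumed, since the thread says only transam is applied to an interface.
BROKEN_CONFIG = """
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NoNat permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool 10.2.0.126-10.2.0.130 mask 255.255.255.0
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map transam 10 ipsec-isakmp
crypto map transam 10 match address 101
crypto map transam interface outside
"""
# Same config after the two suggestions in the thread: pool moved to
# 192.168.1.x and the dynamic entry attached to the map that is on the interface.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "ip local pool vpnpool 10.2.0.126-10.2.0.130",
    "ip local pool vpnpool 192.168.1.1-192.168.1.254").replace(
    "crypto map outside_map 65535", "crypto map transam 65535")

def crypto_acl_names(cfg):
    """ACLs selected by 'match address' in a static (L2L) crypto map entry."""
    return set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M))

def acl_destinations(cfg, names):
    """Destination networks of 'permit ip' lines in the given ACLs."""
    pat = r"^access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$"
    return [(acl, ipaddress.ip_network(f"{dst}/{mask}"))
            for acl, dst, mask in re.findall(pat, cfg, re.M) if acl in names]

def pool_overlaps_l2l(cfg):
    """Client pools whose addresses fall inside an L2L crypto ACL destination.
    Return traffic to such clients matches the static entry, not the dynamic map."""
    nets = acl_destinations(cfg, crypto_acl_names(cfg))
    findings = []
    for pool, lo, hi in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        for acl, net in nets:
            if lo <= net.broadcast_address and net.network_address <= hi:
                findings.append((pool, acl, str(net)))
    return findings

def unapplied_crypto_maps(cfg):
    """Crypto maps that have entries but no 'crypto map NAME interface X' line."""
    names = set(re.findall(r"^crypto map (\S+) \d+ ", cfg, re.M))
    applied = set(re.findall(r"^crypto map (\S+) interface \S+$", cfg, re.M))
    return sorted(names - applied)
```

Run both checks against BROKEN_CONFIG and FIXED_CONFIG: the first reports the vpnpool/ACL 101 overlap and the orphaned outside_map, the second reports nothing.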
01-31-2008 07:22 AM
Thank you for your help.
I resolved the issue by removing the lines:
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
and
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
and adding:
crypto map transam 65535 ipsec-isakmp dynamic outside_dyn_map
Thanks again for your help.
01-31-2008 07:28 AM
Tom,
Thanks for the update! Glad everything is working.
Regards,
Arul
05-06-2008 11:52 AM
Could you post your working config as I must have lost something along the way in the thread. Thanks.