Multiple VPN configurations on one PIX

0rsnaric
Level 1

We are trying to setup a site-to-site vpn between our PIX 515 and a SonicWALL. Currently our PIX has vpn configuration for IPSEC clients and whenever I enter the commands for the site-to-site the cisco client vpn stops working. Is it possible to have both? I thought as long as there were different policy numbers there should be no conflicts?

Here is my current config. I've omitted the access-lists, passwords, names and what not, but all the current vpn config stuff is there.

*******************************************

: Saved
: Written by enable_15 at 09:48:20.445 UTC Mon Nov 29 2004
PIX Version 6.3(3)
names
access-list vpn permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list dmz permit ip 10.0.0.0 255.255.255.0 172.17.0.0 255.255.0.0
ip local pool vpnpool 172.17.1.1-172.17.1.60
ip local pool ipsec 172.17.1.100-172.17.1.200
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x
global (outside) 1 x.x.x.x
global (outside) 2 x.x.x.x
global (dmz) 1 10.0.0.100-10.0.0.150
nat (inside) 0 access-list vpn
nat (inside) 0 access-list vpn outside
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list dmz
nat (dmz) 2 10.0.0.10 255.255.255.255 0 0
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 172.16.222.222 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 172.16.1.251 x timeout 30
aaa-server AuthInbound (inside) host Vanpdc01 x timeout 30
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
sysopt noproxyarp dmz
crypto ipsec transform-set impac esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set impac
crypto map impacmap 10 ipsec-isakmp dynamic dynmap
crypto map impacmap client authentication AuthInbound
crypto map impacmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ciscovpn address-pool ipsec
vpngroup ciscovpn dns-server Vanpdc01
vpngroup ciscovpn wins-server 172.16.1.251
vpngroup ciscovpn default-domain impacservices.com
vpngroup ciscovpn split-tunnel vpn
vpngroup ciscovpn idle-time 1800
vpngroup ciscovpn password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns Vanpdc01
vpdn group 1 client configuration wins 172.16.1.251
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn enable outside

************************************************

What I'm trying to add is the following lines:

access-list pixtosw permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list pixtosw
crypto ipsec transform-set tosonicwall esp-3des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosw
crypto map tosonicwall 20 set peer x.x.x.x
crypto map tosonicwall 20 set transform-set tosonicwall
crypto map tosonicwall interface outside
isakmp key xxx address x.x.x.x netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2

Thanks for any help.

~rick

8 Replies

gfullage
Cisco Employee

You can only have one crypto map assigned to an interface at one time. Yes, that crypto map can have multiple peers by using a different instance number, but the crypto map name also has to be the same.

You currently have a crypto map called impacmap on the outside interface. When you do the:

crypto map tosonicwall interface outside

command you remove the impacmap crypto map from the outside int (and hence kill all your vpn clients), and replace it with the tosonicwall crypto map. What you need to do is just add another instance to the impacmap crypto map with the following:

crypto map impacmap 5 ipsec-isakmp
crypto map impacmap 5 match address pixtosw
crypto map impacmap 5 set peer x.x.x.x
crypto map impacmap 5 set transform-set tosonicwall

I've used an instance number of 5 so that this static peer will be inserted BEFORE your vpn client section. You always want static peers before vpn clients because you have specific matches for static peers, whereas vpn clients are just a "match-all" kind of thing. If you used 20 as your instance number, this static map would be AFTER your vpn clients, and the sonicwall would match on the vpn client instance rather than the instance you want it to.

Also, assuming that you have the 172.16.0.0/16 net on the inside of your PIX, your ACL should be:

access-list pixtosw permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

And finally, you can also only have one "nat 0 access-list" command per interface, so you need to add this pixtosw traffic into the current nat 0 ACL with:

access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

rather than replace it with a new ACL as you were currently trying.

Thank you very much, I'll give this a try.

Rick

Hello,

Would you kindly make a post if the results are successful? I am very interested to know as I have almost the same scenario. I'd like to create a fixed link between a PIX 515 (main 10.1.1.0) and 506 (remote 192.168.1.0 - 50) + a small PPTP pool for dial-up clients. I got it to work well, except that when connecting with a PPTP dial-up client, I could not "see" any of the hosts on the inside network. I suspect it was either because of the one nat 0 command, or because the PPTP vpn required a transport instead of a tunnel. And I wasn't sure which address pool to assign to the dial-ups, in the same network as the 506 or different?

Verify that "Enable NetBIOS over TCP/IP" is selected in the TCP/IP Properties > Advanced settings (under WINS).

Okay, have it configured per above, but still something is not right. Here is the output from the SonicWALL:

SENDING>>>> ISAKMP OAK QM (InitCookie 0x3503bc16621ef42d, MsgID: 0xD0009213) *(HASH, SA, NON, ID, ID)

Just hangs there. From debug mode on the PIX I get this output:

crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 208.X.X.X, peer port 62465
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:208.X.X.X/500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:208.X.X.X/500 Ref cnt incremented to:1 Total VPN Peers:3
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 208.X.X.X. ID = 1543323393 (0x5bfd3f01)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
crypto_isakmp_process_block:src:208.X.X.X, dest:65.X.X.X spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...

Any ideas?

Thanks,

Rick

Use this example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml

It talks about a PIX-to-PIX and a VPN client. However, the remote PIX can be "substituted" for your SonicWall.

Also, in the isakmp key command, include the following at the end: "no-xauth no-config-mode".

Further, make sure that PFS is not enabled on the Sonicwall.

If it does not work, then if you want, I can SSH into your PIX and fix it.

Okay, appreciate all the help. Turned out that it was the xauth trying to get a username and password from the sonicwall. So with that turned off on the isakmp key command all is working perfectly.

Thanks!!!

Rick

Glad to note that the issue was resolved with that recommendation.

FYI, when configuring IPSec with non-Cisco devices, always (almost) turn off xauth and config-mode.
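Pulling the thread's advice together (gfullage's three points about a single crypto map per interface, instance ordering and the single nat 0 ACL, plus the no-xauth no-config-mode fix the thread ends on), here is an added, consolidated example of the resulting PIX 6.3 configuration. It is not a configuration posted by anyone in the thread; x.x.x.x and xxx are the same placeholders the original poster used for the SonicWALL address and pre-shared key, and the colon-prefixed comment lines are mine.

```cisco
: Added example, not from the thread. Placeholders: x.x.x.x = SonicWALL
: public address, xxx = pre-shared key.

: 1. Crypto ACL written from the PIX's point of view: local 172.16.0.0/16
:    first, remote 192.168.0.0/16 second (the original attempt had them
:    reversed).
access-list pixtosw permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

: 2. Only one "nat 0 access-list" per interface. The NAT-exempt traffic for
:    the SonicWALL site is appended to the existing "vpn" ACL instead of
:    being referenced from a second nat 0 statement (which would replace
:    the first and break the VPN clients' exemption).
access-list vpn permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list vpn permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list vpn

: 3. The static peer is a new instance of the EXISTING map, impacmap.
:    Instance 5 sorts before the dynamic instance 10, so the SonicWALL's
:    traffic is matched by the specific ACL before the catch-all dynamic
:    entry that serves the VPN clients.
crypto ipsec transform-set tosonicwall esp-3des esp-sha-hmac
crypto map impacmap 5 ipsec-isakmp
crypto map impacmap 5 match address pixtosw
crypto map impacmap 5 set peer x.x.x.x
crypto map impacmap 5 set transform-set tosonicwall

: 4. Client-side entries stay as they were. There is deliberately no
:    "crypto map tosonicwall interface outside": binding a second map name
:    to the interface would replace impacmap and drop every client.
crypto map impacmap 10 ipsec-isakmp dynamic dynmap
crypto map impacmap client authentication AuthInbound
crypto map impacmap interface outside

: 5. "client authentication" on the map applies XAUTH to every peer that
:    negotiates through it, so the static gateway must be exempted from
:    XAUTH and mode-config explicitly. Without these two keywords the PIX
:    sends a config-mode request the SonicWALL never answers, which is the
:    "Need XAUTH" / "retransmitting Config Mode Request" stall in the debug.
isakmp key xxx address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
```

After pasting, "show crypto map" confirms that instance 5 is listed ahead of the dynamic instance 10 under impacmap. One further thing a practitioner would check against the posted config: the remote prefix 192.168.0.0/16 also covers the 192.168.1.0/24 subnet that the PIX routes on the inside via 172.16.222.222, so narrowing the crypto ACL (and the matching "vpn" ACL entry) to the subnet actually behind the SonicWALL removes that overlap.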