04-06-2005 05:13 AM - edited 02-21-2020 01:42 PM
Hi,
Have a situation as follows:
Office 1
10.0.0.x/24
PIX inside = 10.0.0.254
PIX outside = live IP
Office 2
192.168.3.0/24
PIX inside = 192.168.3.254
PIX outside = live IP
I want to have a LAN to LAN IPSec tunnel between Office 1 and Office 2, and also have the ability for remote PPTP VPN to both PIX's for remote support.
At the moment, I can only get one or the other to work (not both at the same time).
The following config additions to factory defaults allow me to PPTP onto the PIX at Office 1 and get access (using RDP) to any of the hosts on the 10.0.0.x network:
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
telnet 10.0.0.0 255.255.255.0 inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip local pool pptp-pool 192.168.50.200-192.168.50.250
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxx password xxx
vpdn enable outside
I then configure the IPSec Lan to Lan tunnel using the following commands:
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.x.x
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key xxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
At this point, the Lan 2 Lan IPSec tunnel works and hosts on the 192.168.3.0 network can access hosts on the 10.0.0.0 network (great!!). I can also establish a PPTP connection to the PIX at Office 1. However, using the PPTP connection, I can no longer access any of the hosts on the 10.0.0.0 network using RDP!!!
PLEASE HELP!!!
Thanks,
D.
04-06-2005 05:45 AM
You want different access-lists.
1. You want a combined access-list, let's call it 105 for nat 0
access-list 105 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 105 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0
Use this list ONLY for nat 0.
You want separate access-lists, 102 and 103
access-list 103 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0
You want to use access-list 103 in
crypto map transam 1 match address 103
and remove
crypto map transam 1 match address 101
When you were using access-list 101, and it included
access-list 102 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0, that caused the PIX to expect to be communicating to 192.168.50.0/24 via the IPsec tunnel to the other pix, NOT through a dynamic PPTP client.
So you want one unified access-list for all of your nat 0, but a specific access-list 103 that *just* classifies what is on the other end of the tunnel for crypto map usage
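A small check that illustrates the point of this answer, added here as an example and not part of the thread or any Cisco tool: it parses a handful of PIX lines (only the `access-list`, `ip local pool` and `crypto map ... match address` forms used above; the regexes and the two sample configs are constructed assumptions) and reports any VPN client pool address that a crypto-map ACL would steer into the LAN-to-LAN tunnel. The original single-ACL layout trips it; the 105/103 split from the answer passes.

```python
import ipaddress
import re

# Constructed sample modelled on the original post: one access-list 101
# used both for nat 0 and as the crypto map match ACL.
ORIGINAL_CONFIG = """
ip local pool pptp-pool 192.168.50.200-192.168.50.250
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map transam 1 match address 101
"""

# Constructed sample following the accepted answer: 105 for nat 0, 103 for crypto.
FIXED_CONFIG = """
ip local pool pptp-pool 192.168.50.200-192.168.50.250
access-list 105 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 105 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.0.0.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 105
crypto map transam 1 match address 103
"""

# Only the three statement forms used in the thread are recognised (assumption).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Return ({acl name: [destination networks]}, [(pool lo, pool hi)], [crypto ACL names])."""
    acls, pools, crypto_acls = {}, [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            # PIX writes a dotted netmask; ipaddress accepts "net/mask" directly
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
        elif m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m[1])
    return acls, pools, crypto_acls

def pool_addresses_swallowed_by_tunnel(config):
    """List (crypto ACL, destination) pairs whose destination overlaps a client pool."""
    acls, pools, crypto_acls = parse(config)
    hits = []
    for name in crypto_acls:
        for dst in acls.get(name, []):
            for lo, hi in pools:
                # contiguous pool [lo, hi] overlaps dst iff the ranges intersect
                if lo <= dst.broadcast_address and hi >= dst.network_address:
                    hits.append((name, str(dst)))
    return hits
```

An empty result means the crypto ACL no longer claims the PPTP pool, which is exactly the condition the answer's 103/105 split restores.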
04-06-2005 02:39 PM
TVM Mostiguy - that was perfect and did the trick!!
Cheers,
D.