06-06-2003 08:08 PM - edited 02-21-2020 12:35 PM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Hi,
I have set up a VPN between our main office, running a PIX 515 version 6.1, and a remote branch office running a PIX 506. The VPN works fine.
The new requirement is to add a VPN 3.5 Client for roaming users.
I did try it out, but it would make my existing connection to the remote office fail, and although the client would log on successfully and get an IP from the PIX, it would then no longer ping any local LAN IP addresses.
It's a very simple design scenario...
LAN --- Pix 515 ---- Router ---- Internet.
I have placed below both configurations: an earlier one, which works perfectly fine with the branch office, and the modified one, in which the requirement is for VPN 3.5 Client users to log on to the main office running the
PIX 515. Please note I am not using Xauth.
Current config to the branch...
WORKING PERFECTLY FINE :)
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ***** encrypted
passwd **** encrypted
hostname moti-firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list smtp permit tcp any host nnn.nn.nn.180 eq domain
access-list smtp permit tcp any host nnn.nn.nn.180 eq smtp
access-list smtp permit tcp any host nnn.nn.nn.180 eq www
access-list 110 permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.178 255.255.255.240
ip address inside xxx.x.2.100 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.179
nat (inside) 0 access-list 110
nat (inside) 1 xxx.x.2.0 255.255.255.0 0 0
nat (inside) 1 xxx.x.0.0 255.255.0.0 0 0
nat (inside) 1 xxx.x.0.0 255.0.0.0 0 0
static (inside,outside) X.X.X.180 xxx.x.2.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set motivate esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 110
crypto map transam 1 set peer Y.Y.Y.106
crypto map transam 1 set transform-set motivate
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address Y.Y.Y.106 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet xxx.x.0.0 255.255.0.0 inside
telnet xxx.x.0.0 255.255.0.0 dmz
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:**********
: end
[OK]
moti-firewall#
The MODIFIED CONFIGURATION to incorporate the VPN Client 3.5, but it gives me nightmares :(
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname moti-firewall
names
access-list smtp permit tcp any host nnn.nn.nn.180 eq domain
access-list smtp permit tcp any host nnn.nn.nn.180 eq smtp
access-list smtp permit tcp any host nnn.nn.nn.180 eq www
access-list 110 permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0
access-list 110 permit ip xxx.x.2.0 255.255.255.0 zzz.z.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool mypool zzz.z.2.1-zzz.z.2.50
ip address outside X.X.X.178 255.255.255.240
ip address inside xxx.x.2.100 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.179
nat (inside) 0 access-list 110
nat (inside) 1 xxx.x.2.0 255.255.255.0 0 0
nat (inside) 1 xxx.x.0.0 255.255.0.0 0 0
nat (inside) 1 xxx.x.0.0 255.0.0.0 0 0
static (inside,outside) X.X.X.180 xxx.x.2.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set peer y.y.y.106
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
no crypto map mymap client authentication
crypto map mymap interface outside
isakmp enable outside
isakmp key **** address y.y.y.106 netmask 255.255.255.255
isakmp key **** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup motiuae address-pool mypool
vpngroup motiuae dns-server xxx.x.2.7
vpngroup motiuae wins-server xxx.x.2.7
vpngroup motiuae idle-time 1800
telnet xxx.x.0.0 255.255.0.0 inside
telnet xxx.x.0.0 255.255.0.0 dmz
Please take the time to go through this patiently and advise on the same.
Thanks in advance.
tauseef.
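Added worked example (not part of the original post or the reply below). Two things in the modified configuration explain both symptoms. First, access-list 110 is used both as the nat 0 exemption and as the match address of the static crypto map entry 10; once the client pool zzz.z.2.0/24 is added to 110, any LAN packet destined for a connected client matches static entry 10 before the dynamic entry 20 and is steered toward the branch peer y.y.y.106, so the client gets an address but cannot reach the LAN. Second, the single ISAKMP policy was changed from DH group 1 to group 2: the VPN Client 3.x requires group 2, but the branch PIX 506, which negotiated against the group 1 policy of the working config, no longer finds a matching policy, so the site-to-site tunnel fails. The PIX 6.1 fragment below is one way to lay this out: separate ACLs for NAT exemption and for the site-to-site proxy identity, and two ISAKMP policies. The ACL names nonat and l2l and the vpngroup password value are placeholders chosen for this example; the posted config shows no vpngroup password line (it may have been redacted), and the 3.x client's group authentication needs one.

```text
! Added example, not the poster's config. xxx.x / yyy.y / zzz.z / y.y.y.106 are
! the post's own placeholders; the ACL names nonat and l2l are chosen here.

! NAT exemption: LAN traffic to the branch AND to the client pool bypasses NAT.
access-list nonat permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0
access-list nonat permit ip xxx.x.2.0 255.255.255.0 zzz.z.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Site-to-site proxy identity: ONLY the branch subnet. Reusing the nonat list
! here is what makes static entry 10 claim traffic to the client pool.
access-list l2l permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0

ip local pool mypool zzz.z.2.1-zzz.z.2.50

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address l2l
crypto map mymap 10 set peer y.y.y.106
crypto map mymap 10 set transform-set myset
! Dynamic entry for the roaming clients; evaluated after the static entries.
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp key ******** address y.y.y.106 netmask 255.255.255.255

! Policy 1 is what the branch PIX 506 already negotiates (from the working config).
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
! Policy 10 is for the VPN Client 3.x, which requires DH group 2.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Group definition for the 3.x client; the password is the client's group key
! (placeholder value, assumed redacted from the posted config).
vpngroup motiuae address-pool mypool
vpngroup motiuae dns-server xxx.x.2.7
vpngroup motiuae wins-server xxx.x.2.7
vpngroup motiuae idle-time 1800
vpngroup motiuae password ********

sysopt connection permit-ipsec
```

After applying this, `show crypto isakmp sa` should list both the branch peer and a connected client, and `show crypto ipsec sa` should show the branch SA with proxy identities xxx.x.2.0/24 to yyy.y.2.0/24 only, with a separate SA per client built from the dynamic map. The wildcard `isakmp key ... address 0.0.0.0 netmask 0.0.0.0` from the posted config is not relied on here because the 3.x client authenticates with the group name and vpngroup password. The esp-des / md5 / DH group 1 parameters are kept only because the branch peer in the working config uses them; they are weak by current standards and should be raised on both ends together.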
06-12-2003 11:41 AM
Check the following document. Might help.