Pix to Pix VPN + VPN Client....

tauseef
Level 1

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hi ,

I have set up a VPN between our main office, running a Pix 515 ver 6.1, connecting to a remote branch office running a Pix 506. The VPN works out fine.

The new requirement is to Add in a VPN 3.5 Client for Roaming users.

I did try it out, but it used to fail my existing connection to the remote office, and when the client used to log on successfully and get an IP from the PIX, it would then no longer ping any local LAN IP addresses.

It's a very simple design scenario ...

LAN --- Pix 515 ---- Router ---- Internet.

I have placed below both the configurations: an earlier one which works perfectly fine with the branch office, and the modified one where the requirement is for VPN 3.5 Client users to log on to the main office running Pix 515. Please note I am not using Xauth.

Current config to the branch ....

WORKING PERFECTLY FINE : )

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ***** encrypted
passwd **** encrypted
hostname moti-firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list smtp permit tcp any host nnn.nn.nn.180 eq domain
access-list smtp permit tcp any host nnn.nn.nn.180 eq smtp
access-list smtp permit tcp any host nnn.nn.nn.180 eq www
access-list 110 permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.178 255.255.255.240
ip address inside xxx.x.2.100 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.179
nat (inside) 0 access-list 110
nat (inside) 1 xxx.x.2.0 255.255.255.0 0 0
nat (inside) 1 xxx.x.0.0 255.255.0.0 0 0
nat (inside) 1 xxx.x.0.0 255.0.0.0 0 0
static (inside,outside) X.X.X.180 xxx.x.2.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set motivate esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 110
crypto map transam 1 set peer Y.Y.Y.106
crypto map transam 1 set transform-set motivate
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address Y.Y.Y.106 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet xxx.x.0.0 255.255.0.0 inside
telnet xxx.x.0.0 255.255.0.0 dmz
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:**********
: end
[OK]
moti-firewall#

The MODIFIED CONFIGURATION, so as to incorporate the VPN client 3.5, but it gives me nightmares : (

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname moti-firewall
names
access-list smtp permit tcp any host nnn.nn.nn.180 eq domain
access-list smtp permit tcp any host nnn.nn.nn.180 eq smtp
access-list smtp permit tcp any host nnn.nn.nn.180 eq www
access-list 110 permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0
access-list 110 permit ip xxx.x.2.0 255.255.255.0 zzz.z.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool mypool zzz.z.2.1-zzz.z.2.50
ip address outside X.X.X.178 255.255.255.240
ip address inside xxx.x.2.100 255.255.0.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.179
nat (inside) 0 access-list 110
nat (inside) 1 xxx.x.2.0 255.255.255.0 0 0
nat (inside) 1 xxx.x.0.0 255.255.0.0 0 0
nat (inside) 1 xxx.x.0.0 255.0.0.0 0 0
static (inside,outside) X.X.X.180 xxx.x.2.5 netmask 255.255.255.255 0 0
access-group smtp in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set peer y.y.y.106
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
no crypto map mymap client authentication
crypto map mymap interface outside
isakmp enable outside
isakmp key **** address y.y.y.106 netmask 255.255.255.255
isakmp key **** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup motiuae address-pool mypool
vpngroup motiuae dns-server xxx.x.2.7
vpngroup motiuae wins-server xxx.x.2.7
vpngroup motiuae idle-time 1800
telnet xxx.x.0.0 255.255.0.0 inside
telnet xxx.x.0.0 255.255.0.0 dmz

Please do take the time to go through this patiently and advise on the same.

THANX IN ADVANCE.

tauseef.

tauseef@cadgulf.com
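As an added example (not from the original post), a PIX 6.x fragment showing how a static site-to-site entry and a dynamic VPN Client entry can coexist on one crypto map without interfering: the nat 0 exemption list and the static peer's crypto ACL are kept separate, and the ISAKMP policy the branch tunnel already negotiated is kept alongside the one the client needs. The ACL names nonat and tobranch and policy number 20 are assumptions; addresses reuse the post's masked placeholders.

```text
! Added example, not the original post's config. Placeholder addresses are the
! post's own masks: xxx.x.2.0 inside LAN, yyy.y.2.0 branch LAN, zzz.z.2.0 pool.

! NAT exemption list: branch LAN and client pool both bypass NAT.
access-list nonat permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0
access-list nonat permit ip xxx.x.2.0 255.255.255.0 zzz.z.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto ACL for the static peer: the branch LAN only. With the pool subnet in
! this list, LAN replies to a client match static entry 10 first and are sent
! towards the branch peer instead of the client's dynamic SA.
access-list tobranch permit ip xxx.x.2.0 255.255.255.0 yyy.y.2.0 255.255.255.0

ip local pool mypool zzz.z.2.1-zzz.z.2.50
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address tobranch
crypto map mymap 10 set peer y.y.y.106
crypto map mymap 10 set transform-set myset
! Dynamic entry last (highest sequence) so the static peer is matched first.
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp key ******** address y.y.y.106 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
! Policy 10: what VPN Client 3.5 proposes (pre-shared key, DH group 2).
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Policy 20: the proposal the working branch tunnel used (group 1, lifetime
! 1000). Unless the PIX 506 is changed too, it needs this to agree on phase 1.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000

vpngroup motiuae address-pool mypool
vpngroup motiuae dns-server xxx.x.2.7
vpngroup motiuae wins-server xxx.x.2.7
vpngroup motiuae idle-time 1800
vpngroup motiuae password ********
```

DES, MD5 and DH group 1 are kept here only to match the peers already in the post; they are weak by current standards and should be replaced when both ends support stronger algorithms.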

1 Reply

owillins
Level 6

Check the following document. It might help.

http://www.cisco.com/warp/public/110/dynamicpix.html