04-27-2006 11:25 AM
I have a PIX 501 set up with three different VPNs. VPN1 and VPN2 work fine. The third VPN is having some issues. I've included part of my config file. The problem is this: I have the following, and it works until I restart the PIX. Before I reboot I do a write mem. After restarting, the third VPN no longer works. I can get it to work by removing the following access-list rules:
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
When I add them back and do a write mem, the VPN comes back and works.
names
name 192.168.2.0 BSSI
name 192.168.4.2 BSSIWEB1
object-group service BRANCHOFFICETCP tcp
description Service Group for Branch Office VPN Policies
port-object range 137 netbios-ssn
port-object eq lpd
port-object eq ftp-data
port-object eq ftp
port-object eq lotusnotes
port-object eq www
port-object eq login
port-object eq cmd
port-object eq 449
port-object eq pcanywhere-data
port-object eq 446
port-object eq https
port-object range 8470 8476
port-object eq telnet
port-object eq 135
port-object eq smtp
port-object eq 1433
port-object eq 8080
access-list NAT4ONE permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list inside_access_out remark Incoming from BSSI
access-list inside_access_out permit tcp 192.168.2.0 255.255.255.0 object-group BRANCHOFFICETCP host 192.168.40.10 object-group BRANCHOFFICETCP
access-list inside_access_out remark Incoming from BSSIWEBSERVER
access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
ip address outside wanip 255.255.255.248
ip address inside lanip 255.255.255.0
global (outside) 1 10.150.176.233 (for another VPN)
global (outside) 2 interface
nat (inside) 0 access-list 101
nat (inside) 1 access-list NAT4ONE 0 0
nat (inside) 3 access-list outside_cryptomap_140 0 0
nat (inside) 4 access-list inside_outbound_nat0_acl 0 0
nat (inside) 2 192.168.40.0 255.255.255.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set one esp-aes-256 esp-sha-hmac
crypto ipsec transform-set two esp-aes-256 esp-sha-hmac
crypto ipsec transform-set three esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 150
crypto map VPN 10 set peer oneip
crypto map VPN 10 set transform-set one
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address 101
crypto map VPN 20 set peer twoip
crypto map VPN 20 set transform-set two
crypto map VPN 30 ipsec-isakmp
crypto map VPN 30 match address outside_cryptomap_140
crypto map VPN 30 set peer threeip
crypto map VPN 30 set transform-set three
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address oneip netmask 255.255.255.255
isakmp key ******** address twoip netmask 255.255.255.255
isakmp key ******** address threeip netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
It seems like something is overriding the two necessary access-list rules after it restarts. Let me know what you think.
Phusion
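A check worth running against the posted config, added here as an example and not part of the thread or the poster's own tooling: the two ACEs that have to be removed after a reboot appear in both access-list 101 (the match address of crypto map VPN 20, peer twoip, and also the nat 0 exemption list) and outside_cryptomap_140 (the match address of crypto map VPN 30, peer threeip). On a PIX, crypto map entries are evaluated in sequence-number order and the first match-address ACL that matches a packet selects the peer, so ACEs shared between entries are worth flagging before anything else. The script below parses the crypto-relevant lines copied from the post (oneip/twoip/threeip are the poster's placeholders, kept as-is) and reports every ACE selected by more than one crypto map entry, in the order the PIX would evaluate them, plus any ACL used for both NAT exemption and crypto selection.

```python
"""Flag ACEs that appear in more than one crypto map match-address ACL.

Added example for this thread, not the poster's own tooling. The config text is
copied from the posted PIX 501 fragment; oneip/twoip/threeip are the poster's
placeholder peer names.
"""
import re
from collections import defaultdict

# Constructed input: the crypto-relevant lines from the posted config.
POSTED_CONFIG = """\
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
nat (inside) 0 access-list 101
crypto map VPN 10 match address 150
crypto map VPN 10 set peer oneip
crypto map VPN 20 match address 101
crypto map VPN 20 set peer twoip
crypto map VPN 30 match address outside_cryptomap_140
crypto map VPN 30 set peer threeip
crypto map VPN interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(.+)$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+set peer\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")


def parse(config):
    """Return (acls, match, peer, nat0):
    acls  - ACL name -> list of ACE bodies (text after 'permit'), in config order
    match - (map name, seq) -> match-address ACL name
    peer  - (map name, seq) -> peer address
    nat0  - set of ACL names used for NAT exemption (nat (...) 0 access-list X)
    """
    acls, match, peer, nat0 = defaultdict(list), {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            # Normalise whitespace so identical ACEs compare equal across ACLs.
            acls[m.group(1)].append(" ".join(m.group(2).split()))
            continue
        m = MATCH_RE.match(line)
        if m:
            match[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = PEER_RE.match(line)
        if m:
            peer[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.add(m.group(1))
    return acls, match, peer, nat0


def overlapping_aces(config):
    """ACE body -> [(seq, peer), ...] for every ACE found in more than one crypto
    map entry. Hits are listed in sequence order; the PIX evaluates crypto map
    entries lowest sequence first, so the first tuple is the peer that wins."""
    acls, match, peer, _ = parse(config)
    hits = defaultdict(list)
    for (name, seq), acl in sorted(match.items(), key=lambda kv: kv[0][1]):
        for ace in acls.get(acl, []):
            hits[ace].append((seq, peer.get((name, seq), "<no peer>")))
    return {ace: h for ace, h in hits.items() if len(h) > 1}


def nat0_crypto_acls(config):
    """Names of ACLs that are both a NAT-exemption ACL and a crypto map match
    address: every ACE added there for NAT exemption is also a crypto selector
    for that map entry."""
    _, match, _, nat0 = parse(config)
    return sorted(nat0 & set(match.values()))


if __name__ == "__main__":
    for ace, h in overlapping_aces(POSTED_CONFIG).items():
        chain = " -> ".join(f"seq {s} (peer {p})" for s, p in h)
        print(f"'{ace}' is matched by {chain}")
    print("ACLs used as both nat 0 and crypto match address:",
          nat0_crypto_acls(POSTED_CONFIG))
```

Run against the posted fragment, it reports that both ACEs for host 192.168.40.10 are matched by crypto map VPN 20 (peer twoip) ahead of VPN 30 (peer threeip), and that access-list 101 doubles as the nat 0 list. The follow-up post does not say what the poster actually found, so treat this as the first thing to verify, not as the thread's answer; on a live box, `show crypto map` and `show crypto ipsec sa` for the third peer are the way to confirm which entry the traffic is landing on.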
05-04-2006 07:18 AM
I figured out what the problem was.
Phusion