08-27-2007 06:44 AM - edited 02-21-2020 03:14 PM
I have a PIX 500 series configured with VPN client access. When I configure a site-to-site VPN to a remote location, the client access no longer works. If I remove the site-to-site VPN, the client VPN works again. I have tried the PDM and the CLI. Could someone look at my config and let me know what I am missing? See the two attached configs.
Thanks,
Lost in VPN
08-27-2007 08:10 AM
Try adding...
isakmp nat-traversal
08-28-2007 05:29 AM
Is that all of the command? Also, there is a CyberGuard SnapGear firewall at the other end of the site-to-site. Will it work with nat-traversal?
Thanks,
08-28-2007 07:40 AM
Yes, in PIX 6 that is the entire command. Actually it will add "20" on the end by default, so you could also enter
pix(config)#isakmp nat-traversal 20
Nat-traversal is for your VPN clients; this should not affect your tunnel to the CyberGuard firewall. This allows your VPN clients to connect over UDP 4500.
Also, in your Orig_clientworking.txt config, you would have problems connecting more than one remote access VPN client at a time without the nat-traversal command.
Hope this helps.
08-28-2007 10:40 AM
Thanks for the response. I will give that a try and let you know what I find. Thanks again.
08-29-2007 09:34 AM
acomiskey,
I think that we are getting closer. I can flip-flop between the VPNs working by entering the following commands:
crypto map outside_map interface outside
and
crypto map mymap interface outside
Is there a way to enable both crypto maps on the outside interface at the same time?
Thanks,
08-29-2007 09:43 AM
Ah, I missed that. You can change the crypto map statements for the vpns to be on the same crypto map like this...
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address ipsecvpn
crypto map mymap 20 set peer xxx.xxx.100.180
crypto map mymap 20 set transform-set sha-set
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
or
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address ipsecvpn
crypto map outside_map 20 set peer xxx.xxx.100.180
crypto map outside_map 20 set transform-set sha-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
08-29-2007 10:15 AM
Thanks acomiskey, that was the direction I was thinking about heading. Your quick responses and knowledgeable answers were extremely helpful. Thanks again!!!
08-29-2007 03:45 PM
Hi guys, I was trying to find out something and saw your issue. Well, I can help in this scenario. acomiskey is trying his best to help, but the config he suggested has a few errors. I have done it before, so do the following and it will work.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set sha-set esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address ipsecvpn
crypto map outside_map 20 set peer xxx.xxx.100.180
crypto map outside_map 20 set transform-set sha-set
crypto map outside_map interface outside
The map name would be the same for both the site-to-site and the client IPsec config; only the priority would be different, because at one time you can apply only one map. So choosing two maps would not work. Use one map name with two different priority numbers, as I did above.
Waiting for your response. Leave a message if it does not work; I can help you further.
Peace
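The rule behind both the accepted answer and the post above is that a PIX interface holds exactly one crypto map, so the site-to-site entry and the dynamic remote-access entry must live in the same map under different sequence numbers, with the static entry ordered before the dynamic catch-all, and nat-traversal enabled for the clients. The following audit script is an added example, not code from this thread or from Cisco: it parses PIX 6.x-style configuration text for those four conditions. The two sample configs, the peer address 192.0.2.180 (a documentation address standing in for the masked xxx.xxx.100.180) and the map names are constructed for the example.

```python
"""Audit PIX 6.x-style configuration text for the crypto-map mistakes
discussed in the thread (added example, not Cisco code).

Checks performed:
  1. Only one crypto map can be bound to an interface; a second
     'crypto map <name> interface <if>' replaces the first, so every
     other map bound there becomes dead configuration.
  2. A crypto map with entries but no interface binding is orphaned.
  3. Static (site-to-site) entries should carry a lower sequence number
     than the dynamic (remote-access) entry so the known peer matches first.
  4. 'isakmp nat-traversal' should be present whenever a dynamic map exists.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
NAT_T_RE = re.compile(r"^isakmp nat-traversal(?: \d+)?$")


def parse_config(text):
    """Collect crypto-map entries, interface bindings and the nat-traversal flag."""
    entries = defaultdict(dict)   # map name -> {seq: dynamic-map name or None}
    bindings = []                 # (map name, interface) in the order seen
    nat_t = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            name, seq, dyn = m.groups()
            entries[name][int(seq)] = dyn
        elif m := BIND_RE.match(line):
            bindings.append((m.group(1), m.group(2)))
        elif NAT_T_RE.match(line):
            nat_t = True
    return entries, bindings, nat_t


def audit(text):
    """Return a list of finding strings; an empty list means the config passes."""
    entries, bindings, nat_t = parse_config(text)
    findings = []

    # 1. Several maps bound to one interface: only the last binding is active.
    bound = defaultdict(list)
    for name, iface in bindings:
        bound[iface].append(name)
    for iface, names in bound.items():
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} maps bound ({', '.join(names)}); "
                            f"only the last one, '{names[-1]}', is active")

    # 2. Maps that carry entries but are not the active map on any interface.
    active = {names[-1] for names in bound.values()}
    for name in sorted(entries):
        if name not in active:
            findings.append(f"crypto map '{name}' has entries but is not bound to any interface")

    # 3. Static entries must precede the dynamic catch-all within a map.
    for name, seqs in sorted(entries.items()):
        static = [s for s, dyn in seqs.items() if dyn is None]
        dynamic = [s for s, dyn in seqs.items() if dyn is not None]
        if static and dynamic and max(static) > min(dynamic):
            findings.append(f"crypto map '{name}': static entry {max(static)} "
                            f"is ordered after dynamic entry {min(dynamic)}")

    # 4. Remote-access clients behind NAT need nat-traversal (UDP 4500).
    has_dynamic = any(dyn for seqs in entries.values() for dyn in seqs.values())
    if has_dynamic and not nat_t:
        findings.append("dynamic map present but 'isakmp nat-traversal' is missing")
    return findings


# Constructed sample: the thread's situation. Two maps both bound to 'outside';
# only the last binding survives, so the client (dynamic) map is dead.
BROKEN_CONFIG = """
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address ipsecvpn
crypto map mymap 20 set peer 192.0.2.180
crypto map mymap 20 set transform-set sha-set
crypto map mymap interface outside
"""

# Constructed sample: the accepted fix. One map, two sequence numbers.
FIXED_CONFIG = """
isakmp nat-traversal 20
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address ipsecvpn
crypto map mymap 20 set peer 192.0.2.180
crypto map mymap 20 set transform-set sha-set
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Run against a saved `write terminal` / `show run` capture, the broken sample reports three findings (duplicate binding on outside, orphaned outside_map, missing nat-traversal) and the fixed sample reports none; the ordering check only fires when a static entry's sequence number is higher than the dynamic one's, which is why the accepted answer keeps the dynamic entry at 65535.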
08-30-2007 05:41 AM
Thanks, Nauman. I have already tried what acomiskey suggested and it works now. Thanks for your response though.