cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
795
Views
4
Helpful
9
Replies

Site to Site VPN with VPN client access

gda
Level 1
Level 1

I have a pix 500 series configured with VPN client access. When I configure a site-to-site vpn to a remote location, the client access no longer works. If I remove the site-to-site vpn, the client vpn works again. I have tried the PDM and the CLI. Could someone look at my config and let me know what I am missing. See the two attached configs.

Thanks,

Lost in VPN

1 Accepted Solution

Accepted Solutions

Ah, I missed that. You can change the crypto map statements for the vpns to be on the same crypto map like this...

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 match address ipsecvpn

crypto map mymap 20 set peer xxx.xxx.100.180

crypto map mymap 20 set transform-set sha-set

crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

or

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address ipsecvpn

crypto map outside_map 20 set peer xxx.xxx.100.180

crypto map outside_map 20 set transform-set sha-set

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication RADIUS

crypto map outside_map interface outside

View solution in original post

9 Replies 9

acomiskey
Level 10
Level 10

Try adding...

isakmp nat-traversal

Is that all of the command? Also, there is a CyberGaurd SnapGear firewall at the other end of the site-to-site. Will it work with nat-traversal?

Thanks,

Yes, in pix 6 that is the entire command. Actually it will add "20" on the end by default so you could also enter

pix(config)#isakmp nat-traversal 20

Nat-traversal is for your vpn clients, this should not affect your tunnel to the cybergaurd firewall. This allows your vpn clients to connect over udp 4500.

Also, in your Orig_clientworking.txt config. You would also have problems connecting more than 1 remote access vpn client at a time without the nat-traversal command.

Hope this helps.

Thanks for the response. I will give that a try and let you know what I find. Thanks again.

acomiskey,

I think that we are getting closer. I can flip-flop between the VPN's working by entering the following commands:

crypto map outside_map interface outside

and

crypto map mymap interface outside

Is there a way to enable both crypto map's on the outside interface at the same time?

Thanks,

Ah, I missed that. You can change the crypto map statements for the vpns to be on the same crypto map like this...

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 match address ipsecvpn

crypto map mymap 20 set peer xxx.xxx.100.180

crypto map mymap 20 set transform-set sha-set

crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map mymap client authentication RADIUS

crypto map mymap interface outside

or

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address ipsecvpn

crypto map outside_map 20 set peer xxx.xxx.100.180

crypto map outside_map 20 set transform-set sha-set

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication RADIUS

crypto map outside_map interface outside

Thanks acomiskey, that was the direction I was thinking about heading. Your quick responses and knowledgeble answers were extremely helpful. Thanks again!!!

hi guys was trying to find out something and saw ur issue. well i can help in this scenario. acomiskey is trying his best to help. but the config he suggested has little bit errors. i have done it before. so do as following it will work.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set sha-set esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication RADIUS

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address ipsecvpn

crypto map outside_map 20 set peer xxx.xxx.100.180

crypto map outside_map 20 set transform-set sha-set

crypto map outside_map interface outside

MAP NAME WOULD BE SAME FOR BOTH SITE TO SITE AND CLIENT IPSEC CONFIG. ONLY PRIORITY WOULD BE DIFFERENT. BECAUSE AT ONE TIME YOU CAN APPLY ONE MAP ONLY. SO CHOOSING 2 MAPS WOULD NOT WORK. USE ONE MAP NAME WITH 2 DIFFERENT PRIORITY NUMBERS. AS I DID ABOVE.

WAITING FOR YOUR RESPONSE. MUST LEAVE MESSAGE IF IT DOES NOT WORK. I CAN HELP YOU FURTHER MORE.

PEACE

Thanks, Nauman I have already tried what acomisky suggested and it works now. Thanks for your response though.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: