Velocity Reviews - Computer Hardware Reviews

PIX 515 - can Use VPN300 Client and PIX-to-PIX VPN at the same time?

 
 
Stephen M
 
      11-14-2006
I have a PIX 515 through which I currently have a handful of users who use
the V.4 Cisco VPN software client to connect to our network. We have one
remote site for which we would like to install a hardware VPN using a PIX
501 to connect to our existing PIX 515.

I successfully reconfigured the 501 and the 515 with a VPN tunnel.

http://www.cisco.com/en/US/products/...80094761.shtml

Unfortunately, this broke the software VPN.

I have been able to reduce this down to a single configuration line:

crypto map newmap interface outside

crypto map Remote-Map interface outside

(the rest of the relevant config is posted below)

With the first crypto map, the soft VPN works; with the second, the hardware
VPN works. With both, the second command overlays the first.

1) Is it even possible to have both the hard and soft VPNs through the same
interface?
2) If so, how do I syntactically merge the maps or the maps attach to maps
to an interface?
3) There is some admittedly elderly firmware on the 515 (6.1(4)); might that
be a factor? The 501 is new.
4) We will want to attach several hardware VPNs (buy a couple more 501s
for different sites) to this interface, if this works. Are multiple hardware
VPNs through a single interface a show-stopper?

Thanks,

Steve


name ccc.ccc.ccc.ccc Remote-PIX
name aaa.aaa.aaa.0 Main-Network
name bbb.bbb.bbb.0 Remote-Network
access-list dialvpn permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
access-list Remote-Tunnel permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside zzz.zzz.zzz.158 255.255.255.252
ip address inside aaa.aaa.aaa.5 255.255.255.0
ip local pool dialvpn 192.168.51.1-192.168.51.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.157 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set dialvpnset esp-des esp-md5-hmac
crypto ipsec transform-set Tunnelset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set dialvpnset
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond

crypto map newmap interface outside
crypto map Remote-Map interface outside

crypto map Remote-Map 1 ipsec-isakmp
crypto map Remote-Map 1 match address Remote-Tunnel
crypto map Remote-Map 1 set peer Remote-PIX
crypto map Remote-Map 1 set transform-set Tunnelset
isakmp enable outside
isakmp key ******** address Remote-PIX netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool dialvpn
vpngroup vpn3000-all dns-server primaryDNS secondary DNS
vpngroup vpn3000-all split-tunnel dialvpn
vpngroup vpn3000-all idle-time 36000
vpngroup vpn3000-all password ********
vpngroup group idle-time 1800

 
 
 
 
 
mcaissie
 
      11-14-2006

"Stephen M" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a PIX 515 through which I currently have a handful of users who
>use the V.4 Cisco VPN software client to connect to our network. We have
>one remote site for which we would like to install a hardware VPN using a
>PIX 501 to connect to our existing PIX 515.
>
> I successfully reconfigured the 501 and the 515 with a VPN tunnel.
>
> http://www.cisco.com/en/US/products/...80094761.shtml
>
> Unfortunately, this broke the software VPN.
>
> I have been able to reduce this down to a single configuration line:
>
> crypto map newmap interface outside
>
> crypto map Remote-Map interface outside
>
> (the rest of the relevant config is posted below)
>
> With the first crypto map, the soft VPN works; with the second, the hardware
> VPN works. With both, the second command overlays the first.
>
> 1) Is it even possible to have both the hard and soft VPNs through the
> same interface?
> 2) If so, how do I syntactically merge the maps or the maps attach to maps
> to an interface?
> 3) There is some admittedly elderly firmware on the 515 (6.1(4)); might
> that be a factor? The 501 is new.
> 4) We will want to attach several hardware VPNs (buy a couple more 501s
> for different sites) to this interface, if this works. Are multiple
> hardware VPNs through a single interface a show-stopper?
>
> Thanks,
>
> Steve
>


You can only apply one crypto map to the outside interface, but you can
have more than one entry in a crypto map, with different sequence numbers.
For example, you could replace "crypto map Remote-Map 1" with
"crypto map newmap 20".

Note that I never used the command
"crypto map newmap client configuration address respond"
so I am not sure what impact it will have on your lan2lan VPN.
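The two points in this thread, that a second `crypto map ... interface outside` line silently replaces the first (dropping whichever VPN the first map carried) and that the fix is one crypto map set with several sequence-numbered entries, can be checked mechanically before a config is pushed. The script below is an added example, not code from the thread or from Cisco: it parses the `crypto map` lines of a PIX 6.x style config, flags interfaces with more than one map bound, and emits a single merged map set. The sample config is constructed from the lines the poster quoted; the merged map name `vpnmap` is an arbitrary choice. One design decision differs from the reply above: the merged set puts the static LAN-to-LAN entry at a lower sequence number than the dynamic client entry, because the PIX evaluates entries in sequence order and Cisco's documentation recommends giving dynamic (catch-all) entries the highest sequence numbers so an explicit peer is matched first.

```python
"""Detect and merge PIX crypto maps that compete for one interface.

Added example, not from the thread. Works on PIX 6.x style "crypto map"
lines; the dynamic-map definition itself ("crypto dynamic-map ...") is
referenced by name and needs no change, so it is not re-emitted.
"""
import re
from collections import defaultdict

# Constructed sample: the crypto map portion of the poster's configuration,
# with both maps bound to "outside" (the failure mode described in the post).
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set dialvpnset
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
crypto map Remote-Map interface outside
crypto map Remote-Map 1 ipsec-isakmp
crypto map Remote-Map 1 match address Remote-Tunnel
crypto map Remote-Map 1 set peer Remote-PIX
crypto map Remote-Map 1 set transform-set Tunnelset
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")      # map -> interface
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")          # sequenced entry
MAPWIDE_RE = re.compile(r"^crypto map (\S+) (client .*)$")       # map-wide option


def parse_crypto_maps(config):
    """Split a config into interface bindings, sequenced entries and map-wide options.

    Returns (bindings, entries, mapwide):
      bindings: {interface: [map names, in the order they were bound]}
      entries:  {map name: {sequence number: [entry text after the number]}}
      mapwide:  {map name: [option text, e.g. "client configuration address respond"]}
    """
    bindings = defaultdict(list)
    entries = defaultdict(lambda: defaultdict(list))
    mapwide = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if (m := BIND_RE.match(line)):
            bindings[m.group(2)].append(m.group(1))
        elif (m := ENTRY_RE.match(line)):
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
        elif (m := MAPWIDE_RE.match(line)):
            mapwide[m.group(1)].append(m.group(2))
    return dict(bindings), entries, dict(mapwide)


def find_interface_conflicts(config):
    """Return {interface: [maps]} for every interface with more than one map bound.

    On the PIX only the last binding takes effect, so every earlier map's
    tunnels stop negotiating without any error in the config itself.
    """
    bindings, _, _ = parse_crypto_maps(config)
    return {ifc: names for ifc, names in bindings.items() if len(names) > 1}


def merge_crypto_maps(config, interface, merged_name):
    """Build one crypto map set carrying every entry of every map bound to `interface`.

    Static (explicit peer) entries are renumbered first, dynamic entries last,
    so the explicit LAN-to-LAN peer is tried before the catch-all client entry.
    Map-wide options of the source maps are carried over, and exactly one
    interface binding is emitted.
    """
    bindings, entries, mapwide = parse_crypto_maps(config)
    bound = bindings.get(interface, [])
    static, dynamic = [], []
    for name in bound:
        for seq in sorted(entries.get(name, {})):
            lines = entries[name][seq]
            is_dynamic = any(l.startswith("ipsec-isakmp dynamic") for l in lines)
            (dynamic if is_dynamic else static).append(lines)
    out = []
    seq = 0
    for lines in static + dynamic:
        seq += 10
        out.extend(f"crypto map {merged_name} {seq} {l}" for l in lines)
    for name in bound:
        out.extend(f"crypto map {merged_name} {opt}" for opt in mapwide.get(name, []))
    out.append(f"crypto map {merged_name} interface {interface}")
    return out


if __name__ == "__main__":
    for ifc, names in find_interface_conflicts(SAMPLE_CONFIG).items():
        print(f"interface {ifc}: {len(names)} maps bound ({', '.join(names)}); "
              f"only '{names[-1]}' is active")
    print("\n".join(merge_crypto_maps(SAMPLE_CONFIG, "outside", "vpnmap")))
```

Run as-is, the script reports that `outside` has `newmap` and `Remote-Map` bound with only `Remote-Map` active, then prints a `vpnmap` set whose entry 10 is the static Remote-PIX tunnel, entry 20 is `ipsec-isakmp dynamic dynmap`, followed by the carried-over `client configuration address respond` option and a single `interface outside` binding. Adding further 501 sites is then a matter of more static entries (30, 40, ...) below the dynamic one; the script is a planning aid only, and the old maps still have to be removed on the PIX before the merged set is bound.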




 