"Martin" <> wrote in message
news:4766ba7e$0$90274$...
> Hi,
>
> I have a PIX501 (PIX1) in front of some servers.
> The servers are accessed through some VPN tunnels (site to site) and it works
> perfectly. 8 site to site tunnels at the moment.
>
> Now I also want to use a Cisco VPN Client, but I am a little unsure how to
> do it without breaking any of the existing functionality.
>
> I just want to be able to connect to the 192.168.1.0 network with a VPN
> client.
>
> Would this work? I think it may destroy the existing tunnels:
> ----------------------------
> access-list no-nat-vpn permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0
> access-list vpn-cryptomap permit ip any 172.16.31.0 255.255.255.0
>
> access-list 199 permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0
>
> ip local pool vpn-pool 172.16.31.1-172.16.31.254
> nat (inside) 0 access-list no-nat-vpn
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set esp-aes-256 esp-3des esp-md5-hmac
> crypto dynamic-map vpn-dynamic 188 match address vpn-cryptomap
> crypto dynamic-map vpn-dynamic 188 set transform-set esp-aes-256
> crypto map ipsec 65535 ipsec-isakmp dynamic vpn-dynamic
> crypto map ipsec client authentication LOCAL
> crypto map ipsec interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 188
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 1000
> vpngroup imxxx address-pool vpn-pool
> vpngroup imxxx dns-server 195.xx.xx.2 2xx.xx.xx5.86
> vpngroup imxxx idle-time 1800
> vpngroup imxxx password imxxxaaaaaa
> username image password 1A2b3c45 encrypted privilege 3
>
> ------------------------------
>
> This is the PIX in front of the servers (pix1).
>
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password OEvzd.wyg6yKVTht encrypted
> passwd mhn41xxXX3aWi6lD encrypted
> hostname PIX1
> domain-name ciscopix.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name 2xx.xx.42.25 ipo
> name 2xx.xx.42.1 ipg
> name 87.xx.xx.186 emm-hq
> access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
> access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
> access-list allow_inbound permit tcp host 80.xx.xx.242 interface outside eq 3389
> access-list allow_inbound permit tcp host 2xx.xxx.42.2 interface outside eq 3389
> access-list allow_inbound permit tcp host 85.xx.xx.210 interface outside eq 3389
> access-list allow_inbound permit tcp host 2xx.xxx.42.2 interface outside eq 3390
> access-list allow_inbound permit tcp host 80.xx.xx.242 interface outside eq 1433
> access-list allow_inbound permit tcp host 85.xx.xx.210 interface outside eq 1433
> access-list allow_inbound permit tcp host 2xx.xx.42.2 interface outside eq 1433
> access-list allow_inbound permit tcp host 81.xx.xx.122 interface outside eq 1433
> access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
> access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
> access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
> access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
> access-list 150 permit icmp any any
> access-list 160 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
> access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
> access-list 180 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
> access-list 190 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
> pager lines 24
> logging on
> logging trap notifications
> logging host inside 87.xx.xx.42
> mtu outside 1500
> mtu inside 1500
> ip address outside ipo 255.255.255.192
> ip address inside 192.168.1.1 255.255.255.0
> ip verify reverse-path interface outside
> ip audit info action drop
> ip audit attack action drop
> pdm location 192.168.2.0 255.255.255.0 outside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 199
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface 3390 192.168.1.3 3389 netmask 255.255.255.255 0 0
> static (inside,outside) tcp interface 1433 192.168.1.2 1433 netmask 255.255.255.255 0 0
> access-group allow_inbound in interface outside
> route outside 0.0.0.0 0.0.0.0 ipg 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> http server enable
> http 2xx.xxx.42.2 255.255.255.255 outside
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set vpnlanset esp-aes-256 esp-md5-hmac
> crypto map mymap 10 ipsec-isakmp
> crypto map mymap 10 match address 101
> crypto map mymap 10 set peer emm-hq
> crypto map mymap 10 set transform-set vpnlanset
> crypto map mymap 20 ipsec-isakmp
> crypto map mymap 20 match address 120
> crypto map mymap 20 set peer 87.xx.xxx.102
> crypto map mymap 20 set transform-set vpnlanset
> crypto map mymap 30 ipsec-isakmp
> crypto map mymap 30 match address 130
> crypto map mymap 30 set peer 80.xxx.xxx.250
> crypto map mymap 30 set transform-set vpnlanset
> crypto map mymap 40 ipsec-isakmp
> crypto map mymap 40 match address 140
> crypto map mymap 40 set peer 80.xxx.xxx.46
> crypto map mymap 40 set transform-set vpnlanset
> crypto map mymap 50 ipsec-isakmp
> crypto map mymap 50 match address 150
> crypto map mymap 50 set peer 80.xxx.xxx.194
> crypto map mymap 50 set transform-set vpnlanset
> crypto map mymap 60 ipsec-isakmp
> crypto map mymap 60 match address 160
> crypto map mymap 60 set peer 80.xxx.xxx.202
> crypto map mymap 60 set transform-set vpnlanset
> crypto map mymap 70 ipsec-isakmp
> crypto map mymap 70 match address 170
> crypto map mymap 70 set peer 80.xxx.xxx.102
> crypto map mymap 70 set transform-set vpnlanset
> crypto map mymap 80 ipsec-isakmp
> crypto map mymap 80 match address 180
> crypto map mymap 80 set peer 62.xxx.xxx.42
> crypto map mymap 80 set transform-set vpnlanset
> crypto map mymap 90 ipsec-isakmp
> crypto map mymap 90 match address 190
> crypto map mymap 90 set peer 2xxx.xxx.42.20
> crypto map mymap 90 set transform-set vpnlanset
> crypto map mymap interface outside
> isakmp enable outside
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption aes-256
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup gr74-emm-bu1 idle-time 1800
> vpngroup image idle-time 1800
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh 2xx.xxx.42.2 255.255.255.255 outside
> ssh timeout 60
> console timeout 0
> dhcpd address 192.168.1.200-192.168.1.231 inside
> dhcpd dns 195.xx.xx.2 2xx.xx.225.86
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> dhcpd enable inside
> username imxxx password Eos6Js0xxxL7XX7v encrypted privilege 2
> terminal width 120
> ------------------------------
>
> Best regards
> Martin
>
Hey Martin,
I'm no PIX/ASA guru myself, but I recently configured an ASA using...
l2l
easyvpn
RA (standard VPN client)
What I did was create a separate group for each one of these. The RA and
easyvpn shared the same IP pool and split tunnel list.
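An added check, not from either poster: a small Python script that compares Martin's proposed remote-access lines against the running config and flags the PIX commands that hold a single value per key (the crypto map bound to an interface, the `nat (inside) 0` access list, and each `isakmp policy` attribute), because entering a second value for such a key replaces the first rather than adding to it. The two config excerpts are constructed from the thread; the key labels are my own.

```python
import re
# Constructed excerpts from the thread: the running PIX 6.3 config (RUNNING)
# and the remote-access lines Martin proposes to add (PROPOSED).
RUNNING = """
nat (inside) 0 access-list 199
crypto map mymap 10 ipsec-isakmp
crypto map mymap interface outside
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
"""
PROPOSED = """
nat (inside) 0 access-list no-nat-vpn
crypto map ipsec 65535 ipsec-isakmp dynamic vpn-dynamic
crypto map ipsec interface outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 lifetime 1000
"""
# Commands that hold exactly one value per key on the PIX: a second entry for
# the same key replaces the first instead of adding to it. (regex, key template)
SINGLE_VALUED = [
    (re.compile(r"^nat \((?P<iface>\S+)\) 0 access-list (?P<val>\S+)$"),
     "nat ({iface}) 0 access-list"),
    (re.compile(r"^crypto map (?P<val>\S+) interface (?P<iface>\S+)$"),
     "crypto map <name> interface {iface}"),
    (re.compile(r"^isakmp policy (?P<n>\d+) (?P<attr>authentication|encryption"
                r"|hash|group|lifetime) (?P<val>\S+)$"),
     "isakmp policy {n} {attr}"),
]

def settings(config):
    """Map each single-valued key found in the config text to its value."""
    found = {}
    for line in config.strip().splitlines():
        for pattern, template in SINGLE_VALUED:
            m = pattern.match(line.strip())
            if m:
                found[template.format(**m.groupdict())] = m.group("val")
    return found

def find_overrides(running, proposed):
    """Return (key, running_value, proposed_value) for every key the proposed
    lines would silently overwrite with a different value."""
    old, new = settings(running), settings(proposed)
    return [(k, old[k], v) for k, v in new.items() if k in old and old[k] != v]

if __name__ == "__main__":
    for key, old, new in find_overrides(RUNNING, PROPOSED):
        print(f"{key}: {old} -> {new}")
```

Anything the script reports is a line to merge into the existing `mymap`/policy entries (or give a new sequence number) rather than paste in as written.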