Adding vpn client to Cisco 506 PIX messes up office to office tunnel

Discussion in 'Cisco' started by jsmith54@gmx.net, Aug 24, 2006.

  1. Guest

    Wow! Didn't realise that Google Groups is still alive an kicking!

    Anyway, I have this really annoying problem:

    Current situation is that I have 3 office to office vpn tunnels:
    HQ to office A (PIX 506 to PIX 501)
    HQ to office B (PIX 506 to PIX 506)
    HQ to office C (PIX 506 to Linksys)

    All offices (HQ, offices A, B, C) have vpn tunnels to each other (mesh
    connection), and everything work very well.

    However, I installed vpn client on my firewall (HQ) so that a user can
    connect to the office (which works pretty damn good - with split tunnel
    and all...), and the HQ to office C tunnel does not work anymore!

    Notes:
    1. Removing vpn client settings on HQ firewall brings back the
    connection to Office C, so it is definitely related to vpn client
    config
    2. Office A has vpn client working perfectly, and still has connections
    to Office C (so I dont think this is a problem with Linksys)

    So what am I doing wrong here?
     
    , Aug 24, 2006
    #1
    1. Advertising

  2. In article <>,
    <> wrote:

    >Current situation is that I have 3 office to office vpn tunnels:


    >All offices (HQ, offices A, B, C) have vpn tunnels to each other


    >However, I installed vpn client on my firewall (HQ) so that a user can
    >connect to the office (which works pretty damn good - with split tunnel
    >and all...), and the HQ to office C tunnel does not work anymore!


    >1. Removing vpn client settings on HQ firewall brings back the
    >connection to Office C, so it is definitely related to vpn client
    >config


    >So what am I doing wrong here?


    I think we'd need to see the config of the HQ firewall complete
    with the vpn client settings.
     
    Walter Roberson, Aug 24, 2006
    #2
    1. Advertising

  3. Guest

    > I think we'd need to see the config of the HQ firewall complete
    > with the vpn client settings.


    Hi Walter,

    Thanks for the reply. I have listed the configs below (encrypted
    passwords and
    internet IP addresses have been filtered out):

    1) config without vpn client settings (can connect with Office C)

    =============================================

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <deleted> encrypted
    passwd <deleted> encrypted
    hostname <deleted>
    domain-name <deleted>
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0
    255.255.255.0
    access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.50.0
    255.255.255.0
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0
    255.255.255.0
    access-list 101 permit icmp any any
    access-list acl_in permit ip any any
    access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.0.0
    255.255.255.0
    access-list 140 permit ip 192.168.1.0 255.255.255.0 10.2.50.0
    255.255.255.0
    access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.10.0
    255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside <deleted> 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.10 255.255.255.255 inside
    pdm location 10.2.50.0 255.255.255.0 outside
    pdm location 192.168.0.0 255.255.255.0 outside
    pdm location 192.168.10.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 <deleted> netmask 255.255.255.240
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    access-group 101 in interface outside
    access-group acl_in in interface inside
    route outside 0.0.0.0 0.0.0.0 <deleted> 1
    timeout xlate 1:00:00
    timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound max-failed-attempts 3
    aaa-server AuthInbound deadtime 10
    aaa-server AuthInbound (inside) host 192.168.1.10 <deleted> timeout 10
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.1.10 pix.txt
    floodguard enable
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map extvpn 30 ipsec-isakmp
    crypto map extvpn 30 match address 130
    crypto map extvpn 30 set peer <Office A ip address>
    crypto map extvpn 30 set transform-set ESP-3DES-SHA
    crypto map extvpn 40 ipsec-isakmp
    crypto map extvpn 40 match address 140
    crypto map extvpn 40 set peer <Office B ip address>
    crypto map extvpn 40 set transform-set ESP-3DES-SHA
    crypto map extvpn 50 ipsec-isakmp
    crypto map extvpn 50 match address 150
    crypto map extvpn 50 set peer <Office C ip address>
    crypto map extvpn 50 set transform-set ESP-3DES-SHA
    crypto map extvpn interface outside
    isakmp enable outside
    isakmp key ******** address <Office A ip address> netmask
    255.255.255.255
    isakmp key ******** address <Office B ip address> netmask
    255.255.255.255
    isakmp key ******** address <Office C ip address> netmask
    255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 1000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum:28289529c6837a9f3e0479fb04d54013

    ==============================================

    2) config with vpn client settings (no more connection to Office C)

    ==============================================

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password <deleted> encrypted
    passwd <deleted> encrypted
    hostname <deleted>
    domain-name <deleted>
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0
    255.255.255.0 ** subnet for Office A **
    access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.50.0
    255.255.255.0 ** subnet for Office B **
    access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0
    255.255.255.0 ** subnet for Office C **
    access-list nonat permit ip 192.168.1.0 255.255.255.0 10.7.10.0
    255.255.255.0 ** subnet for vpn client **
    access-list 101 permit icmp any any
    access-list acl_in permit ip any any
    access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.0.0
    255.255.255.0
    access-list 140 permit ip 192.168.1.0 255.255.255.0 10.2.50.0
    255.255.255.0
    access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.10.0
    255.255.255.0
    access-list vpn-client-split permit ip 10.7.10.0 255.255.255.0 any
    access-list vpn-client-split permit ip 192.168.1.0 255.255.255.0 any
    pager lines 9999
    mtu outside 1500
    mtu inside 1500
    ip address outside <deleted> 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool my-addr-pool 10.7.10.1-10.7.10.20
    pdm location 192.168.1.10 255.255.255.255 inside
    pdm location 10.2.50.0 255.255.255.0 outside
    pdm location 192.168.0.0 255.255.255.0 outside
    pdm location 192.168.10.0 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 <deleted> netmask 255.255.255.240
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    access-group 101 in interface outside
    access-group acl_in in interface inside
    route outside 0.0.0.0 0.0.0.0 <deleted> 1
    timeout xlate 1:00:00
    timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound max-failed-attempts 3
    aaa-server AuthInbound deadtime 10
    aaa-server AuthInbound (inside) host 192.168.1.10 <deleted> timeout 10
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.1.10 pix.txt
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
    crypto map extvpn 30 ipsec-isakmp
    crypto map extvpn 30 match address 130
    crypto map extvpn 30 set peer <Office A ip address>
    crypto map extvpn 30 set transform-set ESP-3DES-SHA
    crypto map extvpn 40 ipsec-isakmp
    crypto map extvpn 40 match address 140
    crypto map extvpn 40 set peer <Office B ip address>
    crypto map extvpn 40 set transform-set ESP-3DES-SHA
    crypto map extvpn 50 ipsec-isakmp
    crypto map extvpn 50 match address 150
    crypto map extvpn 50 set peer <Office C ip address>
    crypto map extvpn 50 set transform-set ESP-3DES-SHA
    crypto map extvpn 99 ipsec-isakmp dynamic dynmap
    crypto map extvpn client authentication LOCAL
    crypto map extvpn interface outside
    isakmp enable outside
    isakmp key ******** address <Office A ip address> netmask
    255.255.255.255
    isakmp key ******** address <Office B ip address> netmask
    255.255.255.255
    isakmp key ******** address <Office C ip address> netmask
    255.255.255.255
    isakmp identity address
    isakmp client configuration address-pool local my-addr-pool outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 1000
    vpngroup vpn3000 address-pool my-addr-pool
    vpngroup vpn3000 dns-server 192.168.1.10
    vpngroup vpn3000 default-domain <deleted>
    vpngroup vpn3000 split-tunnel vpn-client-split
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
    console timeout 0
    username <deleted> password <deleted> encrypted privilege 2
    terminal width 80
    Cryptochecksum:dd1e37f470309620ac5fed48ee132f96

    ==============================================
     
    , Aug 25, 2006
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Martin Nowles
    Replies:
    0
    Views:
    1,062
    Martin Nowles
    Nov 10, 2003
  2. Bill F
    Replies:
    2
    Views:
    379
    Rik Bain
    Dec 9, 2003
  3. Bill F
    Replies:
    7
    Views:
    487
    Bill F
    Dec 16, 2003
  4. Comnet

    Cisco VPN Client to PIX 506

    Comnet, Apr 12, 2005, in forum: Cisco
    Replies:
    2
    Views:
    585
  5. LLFF
    Replies:
    3
    Views:
    597
    Walter Roberson
    May 11, 2005
Loading...

Share This Page