Cisco VPN client access to PIX501's internal network

Discussion in 'Cisco' started by Martin, Dec 17, 2007.

  1. Martin

    Martin Guest

    Hi,

    I have a PIX501 (PIX1) in front of some servers.
    The servers are accessed through some VPN tunnels (site to site) and it
    works perfectly. 8 site to site tunnels at the moment.

    Now I also want to use a Cisco VPN Client, but I am a little unsure how
    to do it without breaking any of the existing functionality.

    I just want to be able to connect to the 192.168.1.0 network with a VPN
    client.

    Would this work? I think it might destroy the existing tunnels:
    ----------------------------
    access-list no-nat-vpn permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0
    access-list vpn-cryptomap permit ip any 172.16.31.0 255.255.255.0

    access-list 199 permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0

    ip local pool vpn-pool 172.16.31.1-172.16.31.254
    nat (inside) 0 access-list no-nat-vpn

    sysopt connection permit-ipsec
    crypto ipsec transform-set esp-aes-256 esp-3des esp-md5-hmac
    crypto dynamic-map vpn-dynamic 188 match address vpn-cryptomap
    crypto dynamic-map vpn-dynamic 188 set transform-set esp-aes-256
    crypto map ipsec 65535 ipsec-isakmp dynamic vpn-dynamic
    crypto map ipsec client authentication LOCAL
    crypto map ipsec interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 188
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 1000
    vpngroup imxxx address-pool vpn-pool
    vpngroup imxxx dns-server 195.xx.xx.2 2xx.xx.xx5.86
    vpngroup imxxx idle-time 1800
    vpngroup imxxx password imxxxaaaaaa
    username image password 1A2b3c45 encrypted privilege 3

    ------------------------------

    This is the PIX in front of the servers (pix1).

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password OEvzd.wyg6yKVTht encrypted
    passwd mhn41xxXX3aWi6lD encrypted
    hostname PIX1
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 2xx.xx.42.25 ipo
    name 2xx.xx.42.1 ipg
    name 87.xx.xx.186 emm-hq
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list allow_inbound permit tcp host 80.xx.xx.242 interface outside eq 3389
    access-list allow_inbound permit tcp host 2xx.xxx.42.2 interface outside eq 3389
    access-list allow_inbound permit tcp host 85.xx.xx.210 interface outside eq 3389
    access-list allow_inbound permit tcp host 2xx.xxx.42.2 interface outside eq 3390
    access-list allow_inbound permit tcp host 80.xx.xx.242 interface outside eq 1433
    access-list allow_inbound permit tcp host 85.xx.xx.210 interface outside eq 1433
    access-list allow_inbound permit tcp host 2xx.xx.42.2 interface outside eq 1433
    access-list allow_inbound permit tcp host 81.xx.xx.122 interface outside eq 1433
    access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list 150 permit icmp any any
    access-list 160 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list 180 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list 190 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging on
    logging trap notifications
    logging host inside 87.xx.xx.42
    mtu outside 1500
    mtu inside 1500
    ip address outside ipo 255.255.255.192
    ip address inside 192.168.1.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action drop
    ip audit attack action drop
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 199
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3390 192.168.1.3 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 1433 192.168.1.2 1433 netmask 255.255.255.255 0 0
    access-group allow_inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 ipg 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 2xx.xxx.42.2 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpnlanset esp-aes-256 esp-md5-hmac
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 101
    crypto map mymap 10 set peer emm-hq
    crypto map mymap 10 set transform-set vpnlanset
    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address 120
    crypto map mymap 20 set peer 87.xx.xxx.102
    crypto map mymap 20 set transform-set vpnlanset
    crypto map mymap 30 ipsec-isakmp
    crypto map mymap 30 match address 130
    crypto map mymap 30 set peer 80.xxx.xxx.250
    crypto map mymap 30 set transform-set vpnlanset
    crypto map mymap 40 ipsec-isakmp
    crypto map mymap 40 match address 140
    crypto map mymap 40 set peer 80.xxx.xxx.46
    crypto map mymap 40 set transform-set vpnlanset
    crypto map mymap 50 ipsec-isakmp
    crypto map mymap 50 match address 150
    crypto map mymap 50 set peer 80.xxx.xxx.194
    crypto map mymap 50 set transform-set vpnlanset
    crypto map mymap 60 ipsec-isakmp
    crypto map mymap 60 match address 160
    crypto map mymap 60 set peer 80.xxx.xxx.202
    crypto map mymap 60 set transform-set vpnlanset
    crypto map mymap 70 ipsec-isakmp
    crypto map mymap 70 match address 170
    crypto map mymap 70 set peer 80.xxx.xxx.102
    crypto map mymap 70 set transform-set vpnlanset
    crypto map mymap 80 ipsec-isakmp
    crypto map mymap 80 match address 180
    crypto map mymap 80 set peer 62.xxx.xxx.42
    crypto map mymap 80 set transform-set vpnlanset
    crypto map mymap 90 ipsec-isakmp
    crypto map mymap 90 match address 190
    crypto map mymap 90 set peer 2xxx.xxx.42.20
    crypto map mymap 90 set transform-set vpnlanset
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup gr74-emm-bu1 idle-time 1800
    vpngroup image idle-time 1800
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 2xx.xxx.42.2 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.1.200-192.168.1.231 inside
    dhcpd dns 195.xx.xx.2 2xx.xx.225.86
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username imxxx password Eos6Js0xxxL7XX7v encrypted privilege 2
    terminal width 120
    ------------------------------

    Best regards
    Martin
     
    Martin, Dec 17, 2007
    #1
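    An added example, not Martin's configuration and not a Cisco reference: it marks where the proposed client-VPN lines would collide with objects already bound on PIX1 (the single crypto map and the single nat 0 access-list on the outside/inside interfaces) and shows one way to merge them into the existing objects instead. ACL, map and pool names are reused from the post; the group, user and key values are assumed placeholders.

```cisco
! Added example (not Martin's config, not Cisco documentation). PIX 6.3 syntax.
! Names from the post are reused; anything marked ASSUMED is a placeholder.

! --- Why the snippet as posted would disturb the site-to-site tunnels ---
! 1. Only one crypto map can be bound to an interface. "crypto map ipsec
!    interface outside" would replace "crypto map mymap interface outside",
!    so the L2L entries mymap 10..90 would no longer be applied.
! 2. Only one access-list can back "nat (inside) 0". "nat (inside) 0
!    access-list no-nat-vpn" would replace the binding to ACL 199, and the
!    L2L traffic to 192.168.2.0-192.168.10.0 would start being NATed.
! 3. Re-issuing "isakmp policy 10 encryption 3des" overwrites the existing
!    policy 10 (aes-256) that the L2L peers currently negotiate.

! --- Merged form: extend the existing objects, add no parallel ones ---
! NAT exemption: add the client pool to ACL 199, which nat (inside) 0 already
! references. Do not re-issue "nat (inside) 0" with another list name.
access-list 199 permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0

! Split-tunnel list: only the inside LAN is pushed to the client, so the
! client is not handed routes for the other sites' networks.
access-list split-vpn permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0

ip local pool vpn-pool 172.16.31.1-172.16.31.254

! Transform set for the client, with a name that is not itself a transform
! (the proposal named the set "esp-aes-256" while listing 3DES transforms).
crypto ipsec transform-set vpnclientset esp-3des esp-md5-hmac
crypto dynamic-map vpn-dynamic 10 set transform-set vpnclientset

! Append the dynamic entry to the EXISTING map "mymap" with the highest
! sequence number, so the static entries 10..90 keep matching first.
crypto map mymap 65535 ipsec-isakmp dynamic vpn-dynamic
crypto map mymap client authentication LOCAL
crypto map mymap client configuration address respond
! "crypto map mymap interface outside" is already present and stays as is.

! A second ISAKMP policy for the client; existing policy 10 is untouched.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
! NAT-T keepalive interval in seconds (clients behind home NAT).
isakmp nat-traversal 20

! Client group; the group name, user and secrets below are ASSUMED placeholders.
vpngroup ASSUMED_GROUP address-pool vpn-pool
vpngroup ASSUMED_GROUP dns-server 195.xx.xx.2
vpngroup ASSUMED_GROUP split-tunnel split-vpn
vpngroup ASSUMED_GROUP idle-time 1800
vpngroup ASSUMED_GROUP password ASSUMED_GROUP_KEY
username ASSUMED_USER password ASSUMED_USER_PASSWORD privilege 2
```

    After applying, "show crypto map" should list mymap 10 through 90 unchanged with the dynamic entry last, and "show access-list 199" should show the new pool line alongside the nine existing L2L lines.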

  2. Martin

    CeykoVer Guest

    Hey Martin,
    I'm no PIX/ASA guru myself, but I recently configured an ASA using...

    l2l
    easyvpn
    RA (standard VPN client)

    What I did was create a separate group for each one of these. The RA and
    easyvpn shared the same IP pool and split tunnel list.
     
    CeykoVer, Dec 18, 2007
    #2

  3. Martin

    BoBraxton

    CeykoVer and Martin,
    We have PIX ACS that was working fine until about two months ago and just today I learned that some small piece of software that had been on one of our Microsoft servers "disappeared" and without it the VPN client remote access will continue to fail "Authorization failed"
    So I can be searching to make absolutely sure it has gone, what sort of folder name and file name would I be looking for on that server?
    Also, for our PIX software that was set up several (six?) years ago, we are searching for the media (CD or set of them) and so far not finding.
    Any way to get replacement?
     
    BoBraxton, Dec 19, 2007
    #3
