Need help with Pix515 VPN

Discussion in 'Cisco' started by Andrea, Jan 12, 2004.

  1. Andrea

    Andrea Guest

    I've been working on this problem for a month and I've hit a wall.
    I've got some users who need to start working from home and I have to
    get VPN up on our PIX515 ASAP. We have inside, dmz, and outside zones
    set up currently. I have an IPSEC tunnel set up already on the pix to
    access the ANX network. I also have a group of users that use a Nortel
    Client to access another company's VPN. Every time I try to set up ipsec
    for my remote users, I take down either my ANX tunnel or my Nortel VPN
    users.

    I need my external users to be able to get to all inside network
    resources.

    If someone is located in Southeastern Michigan, I will contract out
    for help since I'm desperate.

    Here's my Pix config...

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password LTPL3EG2CAB2Dllq encrypted
    passwd LTPL3EG2CAB2Dllq encrypted
    hostname fwpartech1
    domain-name partechgss.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    name 209.196.42.201 IsuzuONE
    name 192.168.1.25 WebServer1
    name 144.228.79.182 ITR_TAL_Server
    name 64.118.139.52 secondary_dns
    name 64.118.139.51 primary_dns
    name 192.168.0.205 TAL_Gheald
    name 192.168.0.204 TAL_MRuiz
    name 192.168.0.203 TAL_GBriolat
    name 192.168.0.202 TAL_GKolb
    name 192.168.0.201 TAL_MWedge
    name 192.168.0.206 eSI_PNair
    name 192.85.5.49 GMeSI_dbserver
    name 192.168.0.98 ACasadei
    object-group service isuzuvpntcp tcp
    port-object eq h323
    port-object eq 17
    port-object eq 50
    object-group service isuzuvpn udp
    port-object eq secureid-udp
    port-object range isakmp 600
    object-group network TAL_ref
    network-object 64.118.150.213 255.255.255.255
    network-object 64.118.150.214 255.255.255.255
    network-object 64.118.150.215 255.255.255.255
    network-object 64.118.150.217 255.255.255.255
    network-object 64.118.150.216 255.255.255.255
    object-group network TAL
    network-object TAL_MWedge 255.255.255.255
    network-object TAL_GKolb 255.255.255.255
    network-object TAL_GBriolat 255.255.255.255
    network-object TAL_MRuiz 255.255.255.255
    network-object TAL_Gheald 255.255.255.255
    object-group network TAL_ref_1
    network-object 64.118.150.213 255.255.255.255
    network-object 64.118.150.214 255.255.255.255
    network-object 64.118.150.217 255.255.255.255
    network-object 64.118.150.216 255.255.255.255
    network-object 64.118.150.215 255.255.255.255
    object-group network GM_eSI
    network-object eSI_PNair 255.255.255.255
    object-group network GM_eSI_ref
    network-object 64.118.150.220 255.255.255.255
    access-list outside_access_in permit tcp any host 64.118.150.212 eq www
    access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp
    access-list outside_access_in permit tcp any host 64.118.150.212 eq ftp-data
    access-list outside_access_in permit tcp any host 64.118.150.212 eq smtp
    access-list outside_access_in permit icmp host 64.118.150.210 64.118.150.208 255.255.255.240 echo-reply
    access-list outside_access_in permit udp host ITR_TAL_Server eq isakmp object-group TAL_ref_1
    access-list outside_access_in permit esp host ITR_TAL_Server object-group TAL_ref_1
    access-list outside_access_in permit ip host GMeSI_dbserver object-group GM_eSI_ref
    access-list outside_access_in permit icmp host GMeSI_dbserver object-group GM_eSI_ref
    access-list outside_access_in permit udp host GMeSI_dbserver object-group GM_eSI_ref
    access-list dmz_access_in permit icmp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
    access-list dmz_access_in permit tcp host WebServer1 host primary_dns
    access-list dmz_access_in deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list dmz_access_in permit ip any any
    access-list inside_access_in permit ip any any
    access-list 110 permit ip host 64.118.150.210 host GMeSI_dbserver
    access-list 110 permit ip host 64.118.150.220 host GMeSI_dbserver
    pager lines 24
    logging on
    logging timestamp
    logging trap notifications
    logging history notifications
    logging host inside 192.168.0.1
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 64.118.150.210 255.255.255.248
    ip address inside 192.168.0.10 255.255.255.0
    ip address dmz 192.168.1.10 255.255.255.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface dmz
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.2 255.255.255.255 inside
    pdm location 192.168.0.99 255.255.255.255 inside
    pdm location 0.0.0.0 255.255.255.0 inside
    pdm location 0.0.0.0 255.255.255.0 outside
    pdm location 192.168.0.97 255.255.255.255 inside
    pdm location WebServer1 255.255.255.255 dmz
    pdm location IsuzuONE 255.255.255.255 outside
    pdm location 192.168.0.1 255.255.255.255 inside
    pdm location ITR_TAL_Server 255.255.255.255 outside
    pdm location 206.126.161.15 255.255.255.255 outside
    pdm location 64.118.150.212 255.255.255.255 outside
    pdm location primary_dns 255.255.255.255 outside
    pdm location secondary_dns 255.255.255.255 outside
    pdm location TAL_MWedge 255.255.255.255 inside
    pdm location TAL_GKolb 255.255.255.255 inside
    pdm location TAL_GBriolat 255.255.255.255 inside
    pdm location TAL_MRuiz 255.255.255.255 inside
    pdm location TAL_Gheald 255.255.255.255 inside
    pdm location 192.168.1.16 255.255.255.240 dmz
    pdm location GMeSI_dbserver 255.255.255.255 outside
    pdm location 192.168.0.192 255.255.255.192 inside
    pdm location eSI_PNair 255.255.255.255 inside
    pdm location ACasadei 255.255.255.255 inside
    pdm group TAL inside
    pdm group TAL_ref_1 outside reference TAL
    pdm group GM_eSI inside
    pdm group GM_eSI_ref outside reference GM_eSI
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    static (dmz,outside) 64.118.150.212 WebServer1 dns netmask 255.255.255.255 0 0
    static (inside,outside) 64.118.150.213 TAL_MWedge netmask 255.255.255.255 0 0
    static (inside,outside) 64.118.150.214 TAL_GKolb netmask 255.255.255.255 0 0
    static (inside,outside) 64.118.150.215 TAL_Gheald netmask 255.255.255.255 0 0
    static (inside,outside) 64.118.150.217 TAL_GBriolat netmask 255.255.255.255 0 0
    static (inside,outside) 64.118.150.216 TAL_MRuiz netmask 255.255.255.255 0 0
    static (inside,outside) 64.118.150.220 eSI_PNair netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 64.118.150.209 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http ACasadei 255.255.255.255 inside
    http 192.168.0.99 255.255.255.255 inside
    http 192.168.0.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set anx esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto map ipsec 30 ipsec-isakmp
    crypto map ipsec 30 match address 110
    crypto map ipsec 30 set peer 198.208.7.2
    crypto map ipsec 30 set transform-set anx
    crypto map ipsec interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address 198.208.7.2 netmask 255.255.255.255
    isakmp peer ip 144.228.79.182 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption des
    isakmp policy 30 hash md5
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    isakmp policy 40 authentication rsa-sig
    isakmp policy 40 encryption des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 60 authentication pre-share
    isakmp policy 60 encryption 3des
    isakmp policy 60 hash sha
    isakmp policy 60 group 2
    isakmp policy 60 lifetime 86400
    telnet 192.168.0.99 255.255.255.255 inside
    telnet 192.168.0.1 255.255.255.255 inside
    telnet ACasadei 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    vpdn username acasadei password ********
    vpdn enable outside
    vpdn enable inside
    vpdn enable dmz
    terminal width 80
     
    Andrea, Jan 12, 2004
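As an added example (not from Andrea's post or from Cisco), a small Python checker that parses the crypto-map section of the posted config and flags the structural issues behind this kind of outage: PIX 6.x binds only one crypto map set per interface, so applying a second map to outside displaces the map carrying the ANX entry; a dynamic entry must carry the highest sequence number in its map; and an interface with isakmp enabled but no dynamic entry in its bound map cannot accept remote-access clients. POSTED is an excerpt of the config above; MERGED is a hypothetical merged form in which the dynamic map is added as the highest entry of the map already bound to outside, so the ANX entry stays in force.

```python
import re
from collections import defaultdict

# Constructed excerpt of the crypto section of the posted config (values as posted).
POSTED = """
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto map ipsec 30 ipsec-isakmp
crypto map ipsec 30 match address 110
crypto map ipsec 30 set peer 198.208.7.2
crypto map ipsec 30 set transform-set anx
crypto map ipsec interface outside
isakmp enable outside
isakmp enable inside
"""
# Hypothetical merged form: the dynamic map becomes the highest entry of the
# map already bound to outside, so the ANX entry (seq 30) stays in force.
MERGED = POSTED + "crypto map ipsec 65535 ipsec-isakmp dynamic inside_dyn_map\n"

def parse(text):
    maps = defaultdict(dict)      # map name -> {seq: dynamic-map name or None}
    bound = defaultdict(list)     # interface -> map names applied, in order
    isakmp = set()                # interfaces with isakmp enabled
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[2]].append(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line):
            maps[m[1]][int(m[2])] = m[3]
        elif m := re.match(r"isakmp enable (\S+)$", line):
            isakmp.add(m[1])
    return maps, bound, isakmp

def audit(text):
    maps, bound, isakmp = parse(text)
    findings = []
    for iface, names in bound.items():
        if len(names) > 1:   # one crypto map set per interface: the last bind wins
            findings.append(f"{iface}: {names[:-1]} replaced by {names[-1]}")
    for name, entries in maps.items():
        for seq, dyn in entries.items():
            if dyn and seq != max(entries):   # dynamic entries must sort last
                findings.append(f"{name} {seq}: dynamic entry is not the highest sequence")
    for iface in sorted(isakmp):
        if not any(d for n in bound[iface] for d in maps[n].values()):
            findings.append(f"{iface}: isakmp enabled but no dynamic entry reachable; "
                            f"remote-access clients arriving here cannot negotiate")
    return findings
```

audit(POSTED) reports only that outside has no dynamic entry (the dynamic map is bound to inside), while audit(MERGED) reports nothing; appending a second "crypto map ... interface outside" line instead triggers the replaced-map finding.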