PIX 515 - can Use VPN300 Client and PIX-to-PIX VPN at the same time?

Discussion in 'Cisco' started by Stephen M, Nov 14, 2006.

  1. Stephen M

    Stephen M Guest

    I have a PIX 515 through which I currently have a handful of users who use
    the V.4 Cisco VPN software client to connect to our network. We have one
    remote site for which we would like to install a hardware VPN using a PIX
    501 to connect to our existing PIX 515.

    I successfully reconfigured the 501 and the 515 with a VPN tunnel.

    http://www.cisco.com/en/US/products...s_configuration_example09186a0080094761.shtml

    Unfortunately, this broke the software VPN.

    I have been able to reduce this down to a single configuration line:

    crypto map newmap interface outside

    crypto map Remote-Map interface outside

    (the rest of the relevant config is posted below)

    With the first crypto map, the soft VPN works; with the second, the hardware
    VPN works. With both, the second command overlays the first.

    1) Is it even possible to have both the hard and soft VPNs through the same
    interface?
    2) If so, how do I syntactically merge the maps, or attach multiple maps
    to an interface?
    3) There is some admittedly elderly firmware on the 515 (6.1(4)); might that
    be a factor? The 501 is new.
    4) We will want to attach several hardware VPNs (buy a couple more 501s
    for different sites) to this interface, if this works. Are multiple hardware
    VPNs through a single interface a show-stopper?

    Thanks,

    Steve


    name ccc.ccc.ccc.ccc Remote-PIX
    name aaa.aaa.aaa.0 Main-Network
    name bbb.bbb.bbb.0 Remote-Network
    access-list dialvpn permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
    access-list nonat permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
    access-list nonat permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
    access-list Remote-Tunnel permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
    icmp permit any outside
    icmp permit any inside
    ip address outside zzz.zzz.zzz.158 255.255.255.252
    ip address inside aaa.aaa.aaa.5 255.255.255.0
    ip local pool dialvpn 192.168.51.1-192.168.51.254
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.157 1
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set dialvpnset esp-des esp-md5-hmac
    crypto ipsec transform-set Tunnelset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set dialvpnset
    crypto map newmap 10 ipsec-isakmp dynamic dynmap
    crypto map newmap client configuration address respond

    crypto map newmap interface outside
    crypto map Remote-Map interface outside

    crypto map Remote-Map 1 ipsec-isakmp
    crypto map Remote-Map 1 match address Remote-Tunnel
    crypto map Remote-Map 1 set peer Remote-PIX
    crypto map Remote-Map 1 set transform-set Tunnelset
    isakmp enable outside
    isakmp key ******** address Remote-PIX netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000-all address-pool dialvpn
    vpngroup vpn3000-all dns-server primaryDNS secondary DNS
    vpngroup vpn3000-all split-tunnel dialvpn
    vpngroup vpn3000-all idle-time 36000
    vpngroup vpn3000-all password ********
    vpngroup group idle-time 1800
     
    Stephen M, Nov 14, 2006
    #1

  2. mcaissie

    mcaissie Guest

    "Stephen M" <> wrote in message
    news:...
    >I have a PIX 515 through which I currently have a handful of users who
    >use the V.4 Cisco VPN software client to connect to our network. We have
    >one remote site for which we would like to install a hardware VPN using a
    >PIX 501 to connect to our existing PIX 515.
    >
    > I successfully reconfigured the 501 and the 515 with a VPN tunnel.
    >
    > http://www.cisco.com/en/US/products...s_configuration_example09186a0080094761.shtml
    >
    > Unfortunately, this broke the software VPN.
    >
    > I have been able to reduce this down to a single configuration line:
    >
    > crypto map newmap interface outside
    >
    > crypto map Remote-Map interface outside
    >
    > (the rest of the relevant config is posted below)
    >
    > With the first crypto map, the soft VPN works; with the second, the hardware
    > VPN works. With both, the second command overlays the first.
    >
    > 1) Is it even possible to have both the hard and soft VPNs through the
    > same interface?
    > 2) If so, how do I syntactically merge the maps, or attach multiple maps
    > to an interface?
    > 3) There is some admittedly elderly firmware on the 515 (6.1(4)); might
    > that be a factor? The 501 is new.
    > 4) We will want to attach several hardware VPNs (buy a couple more 501s
    > for different sites) to this interface, if this works. Are multiple
    > hardware VPNs through a single interface a show-stopper?
    >
    > Thanks,
    >
    > Steve
    >
    >
    > name ccc.ccc.ccc.ccc Remote-PIX
    > name aaa.aaa.aaa.0 Main-Network
    > name bbb.bbb.bbb.0 Remote-Network
    > access-list dialvpn permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
    > access-list nonat permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
    > access-list nonat permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
    > access-list Remote-Tunnel permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
    > icmp permit any outside
    > icmp permit any inside
    > ip address outside zzz.zzz.zzz.158 255.255.255.252
    > ip address inside aaa.aaa.aaa.5 255.255.255.0
    > ip local pool dialvpn 192.168.51.1-192.168.51.254
    > global (outside) 1 interface
    > nat (inside) 0 access-list nonat
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.157 1
    > sysopt connection permit-ipsec
    > no sysopt route dnat
    > crypto ipsec transform-set dialvpnset esp-des esp-md5-hmac
    > crypto ipsec transform-set Tunnelset esp-des esp-md5-hmac
    > crypto dynamic-map dynmap 10 set transform-set dialvpnset
    > crypto map newmap 10 ipsec-isakmp dynamic dynmap
    > crypto map newmap client configuration address respond
    >
    > crypto map newmap interface outside
    > crypto map Remote-Map interface outside
    >
    > crypto map Remote-Map 1 ipsec-isakmp
    > crypto map Remote-Map 1 match address Remote-Tunnel
    > crypto map Remote-Map 1 set peer Remote-PIX
    > crypto map Remote-Map 1 set transform-set Tunnelset
    > isakmp enable outside
    > isakmp key ******** address Remote-PIX netmask 255.255.255.255
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > vpngroup vpn3000-all address-pool dialvpn
    > vpngroup vpn3000-all dns-server primaryDNS secondary DNS
    > vpngroup vpn3000-all split-tunnel dialvpn
    > vpngroup vpn3000-all idle-time 36000
    > vpngroup vpn3000-all password ********
    > vpngroup group idle-time 1800
    >


    You can only apply one crypto map to the outside interface, but you can
    have more than one entry in a crypto map, with different sequence numbers.
    For example, you could replace "crypto map Remote-Map 1" with
    "crypto map newmap 20".

    Note that I never used the command
    "crypto map newmap client configuration address respond"
    so I am not sure what impact it will have on your lan2lan VPN.
     
    mcaissie, Nov 14, 2006
    #2
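The answer above turns on two properties of PIX crypto maps: a second "crypto map X interface outside" silently replaces the first binding, and one map can hold several entries distinguished by sequence number. The following is an added example, not code from either poster or from Cisco: a small Python linter that parses those statements out of a config dump and flags a double binding, a bound map with no entries, and a dynamic entry that sits ahead of a static one (Cisco's documentation recommends dynamic entries carry the highest sequence numbers so static lan-to-lan peers are evaluated first). The two sample configs are constructed from the lines posted in the thread; the choice of sequence number 65535 for the moved dynamic entry is this example's own, not the answer's.

```python
"""Added example: lint PIX 6.x-style crypto map bindings and entry ordering."""
import re
from collections import defaultdict

# "crypto map <name> interface <ifname>"  -> binds a whole map to an interface
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# "crypto map <name> <seq> ipsec-isakmp [dynamic <dynmap>]" -> one map entry
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")


def parse_crypto_maps(config_text):
    """Return (bindings, entries).

    bindings: interface name -> list of map names in configuration order
    entries:  map name -> {sequence number: "static" | "dynamic"}
    """
    bindings = defaultdict(list)
    entries = defaultdict(dict)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind = "dynamic" if m.group(3) else "static"
            entries[m.group(1)][int(m.group(2))] = kind
    return dict(bindings), dict(entries)


def lint_crypto_maps(config_text):
    """Return a list of findings; an empty list means the layout is sound."""
    bindings, entries = parse_crypto_maps(config_text)
    findings = []
    for iface, maps in bindings.items():
        # A later "crypto map ... interface" line overrides an earlier one.
        if len(maps) > 1:
            findings.append(
                f"interface {iface}: {len(maps)} crypto maps bound "
                f"({', '.join(maps)}); only the last one, {maps[-1]}, is in effect"
            )
        for name in maps:
            if name not in entries:
                findings.append(f"crypto map {name} is bound to {iface} but has no entries")
    for name, seqs in entries.items():
        dynamic = [s for s, kind in seqs.items() if kind == "dynamic"]
        static = [s for s, kind in seqs.items() if kind == "static"]
        # Static (known peer) entries should be evaluated before the catch-all dynamic one.
        if dynamic and static and min(dynamic) < max(static):
            findings.append(
                f"crypto map {name}: dynamic entry {min(dynamic)} precedes static "
                f"entry {max(static)}; give dynamic entries the highest sequence numbers"
            )
    return findings


# Constructed sample 1: the crypto map lines from the thread, with both maps bound.
BROKEN_CONFIG = """
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
crypto map Remote-Map interface outside
crypto map Remote-Map 1 ipsec-isakmp
crypto map Remote-Map 1 match address Remote-Tunnel
crypto map Remote-Map 1 set peer Remote-PIX
crypto map Remote-Map 1 set transform-set Tunnelset
"""

# Constructed sample 2: the lan-to-lan entry folded into newmap as sequence 10,
# the client dynamic entry moved to 65535 (assumed value), one interface binding.
MERGED_CONFIG = """
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address Remote-Tunnel
crypto map newmap 10 set peer Remote-PIX
crypto map newmap 10 set transform-set Tunnelset
crypto map newmap 65535 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("merged", MERGED_CONFIG)):
        print(label, lint_crypto_maps(cfg) or ["ok"])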
