Vpn site to site + vpn cisco client access list problem.

Discussion in 'Cisco' started by Vigarv, Aug 7, 2006.

  1. Vigarv

    Vigarv Guest

    Hi

    I have a problem getting the VPN site-to-site tunnel and the VPN client tunnel
    to work at the same time.
    How can I join access lists 80 and 100 so I can add them to nat
    "(inside) 0 access-list 80"?

    I got a PIX 501 and a 2620, and the PIX 501 is accessible through the Cisco
    VPN client.

    The config on the pix 501:

    : Written by admin at 15:32:22.817 CEDT Mon Aug 7 2006
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password g4JAhKwvQDnczMDZ encrypted
    passwd g4JAhKwvQDnczMDZ encrypted
    hostname gotfw01
    domain-name veprox.int
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.99.0 VPN
    access-list 80 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
    access-list 100 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
    pager lines 24
    mtu outside 1420
    mtu inside 1500
    ip address outside 192.168.0.10 255.255.254.0
    ip address inside 172.16.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_client_pool 192.168.99.50-192.168.99.60 mask 255.255.255.0
    pdm location 172.16.0.0 255.255.0.0 inside
    pdm location VPN 255.255.255.0 outside
    pdm location 172.16.0.0 255.255.0.0 outside
    pdm location 172.16.0.0 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 80
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 172.16.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set esp3dessha1 esp-3des esp-sha-hmac
    crypto dynamic-map vpnclient 10 set transform-set esp3dessha1
    crypto map vpnmap 9 ipsec-isakmp
    crypto map vpnmap 9 match address 80
    crypto map vpnmap 9 set peer 192.168.0.11
    crypto map vpnmap 9 set transform-set esp3dessha1
    crypto map vpnmap 10 ipsec-isakmp dynamic vpnclient
    crypto map vpnmap client configuration address initiate
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.0.11 netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 10
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    vpngroup vpncli address-pool vpn_client_pool
    vpngroup vpncli dns-server 172.16.100.10
    vpngroup vpncli wins-server 172.16.100.10
    vpngroup vpncli default-domain mycompany.int
    vpngroup vpncli split-tunnel 100
    vpngroup vpncli idle-time 1800
    vpngroup vpncli secure-unit-authentication
    vpngroup vpncli password ********
    telnet 172.16.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 172.16.0.0 255.255.0.0 inside
    ssh timeout 5
    management-access inside
    console timeout 60
    dhcpd address 172.16.100.32-172.16.100.62 inside
    dhcpd dns 195.67.199.27
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain company.int
    dhcpd enable inside
    username admin password Vs.JwYvvku50bpmp encrypted privilege 15
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    banner exec
    banner exec ***************************************
    banner exec * You made It into the intranet core! *
    banner exec ***************************************
    banner exec
    banner login You are trying to access a local network!


    And on the 2620:

    Using 1110 out of 29688 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    !
    !
    !
    !
    !
    memory-size iomem 15
    ip subnet-zero
    !
    ip dhcp pool local
    network 172.16.101.0 255.255.255.0
    default-router 172.16.101.1
    lease 15
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 123qwe address 192.168.0.10
    !
    !
    crypto ipsec transform-set esp3dessha1 esp-3des esp-sha-hmac
    !
    crypto map vpnmap 1 ipsec-isakmp
    set peer 192.168.0.10
    set transform-set esp3dessha1
    match address 101
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 172.16.101.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/0
    no ip address
    shutdown
    !
    interface Ethernet1/0
    description To internet (outside)
    ip address 192.168.0.11 255.255.254.0
    ip nat outside
    crypto map vpnmap
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    ip http server
    !
    access-list 1 permit 172.16.101.0 0.0.0.255
    access-list 101 permit ip 172.16.101.0 0.0.0.255 any
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    Hope that it's easy to fix.
    Best regards

    Robert
     
    Vigarv, Aug 7, 2006
    #1
  2. In article <>,
    Vigarv <> wrote:
    >I have a problem getting the VPN site-to-site tunnel and the VPN client tunnel
    >to work at the same time.
    >How can I join access lists 80 and 100 so I can add them to nat
    >"(inside) 0 access-list 80"?


    The only way is to copy the contents. Create a new access list
    that has the content of both access lists, and use that new access
    list *only* for the nat 0 access-list. You currently use the same
    access list for nat 0 access-list and for crypto map match address;
    using the same access-list for both purposes will often cause problems.
     
    Walter Roberson, Aug 7, 2006
    #2
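The merged no-NAT list the reply describes, written out for the PIX 6.3 config posted above as an added example (not config from the thread); the list number 90 is an assumption, chosen because no list with that number appears in the posted config:

```cisco
: Added example: one access list used for NAT exemption only (number 90 is assumed).
: It carries both the site-to-site subnet (copied from access-list 80)
: and the VPN client pool (copied from access-list 100; "VPN" is the name for 192.168.99.0).
access-list 90 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 90 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
:
: Point nat 0 at the merged list; access-list 80 stays dedicated to the crypto map.
no nat (inside) 0 access-list 80
nat (inside) 0 access-list 90
:
: Left unchanged, each list now serves a single purpose:
: crypto map vpnmap 9 match address 80
: vpngroup vpncli split-tunnel 100
```

After traffic flows over either tunnel, `show access-list 90` should show the hit counts on both entries increasing, which confirms the exemption is matching for both peers.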