Need help with Pix515 VPN

Discussion in 'Cisco' started by Andrea, Jan 12, 2004.


    I've been working on this problem for a month and I've hit a wall.
    I've got some users who need to start working from home and I have to
    get VPN up on our PIX515 ASAP. We have inside, dmz, & outside zones
    set up currently. I have an IPSEC tunnel set up already on the pix to
    access ANX network. I also have group of users that use a Nortel
    Client to access another company's VPN. Every time I try to set up ipsec
    for my remote users, I take down either my ANX tunnel or my Nortel VPN.

    I need my external users to be able to reach the entire inside network.

    If someone is located in Southeastern Michigan, I will contract out
    for help since I'm desperate.

    Here's my Pix config...

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password LTPL3EG2CAB2Dllq encrypted
    passwd LTPL3EG2CAB2Dllq encrypted
    hostname fwpartech1
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    name IsuzuONE
    name WebServer1
    name ITR_TAL_Server
    name secondary_dns
    name primary_dns
    name TAL_Gheald
    name TAL_MRuiz
    name TAL_GBriolat
    name TAL_GKolb
    name TAL_MWedge
    name eSI_PNair
    name GMeSI_dbserver
    name ACasadei
    object-group service isuzuvpntcp tcp
    port-object eq h323
    port-object eq 17
    port-object eq 50
    object-group service isuzuvpn udp
    port-object eq secureid-udp
    port-object range isakmp 600
    object-group network TAL_ref
    object-group network TAL
    network-object TAL_MWedge
    network-object TAL_GKolb
    network-object TAL_GBriolat
    network-object TAL_MRuiz
    network-object TAL_Gheald
    object-group network TAL_ref_1
    object-group network GM_eSI
    network-object eSI_PNair
    object-group network GM_eSI_ref
    access-list outside_access_in permit tcp any host eq
    access-list outside_access_in permit tcp any host eq
    access-list outside_access_in permit tcp any host eq
    access-list outside_access_in permit tcp any host eq
    access-list outside_access_in permit icmp host 25
    ..255.255.240 echo-reply
    access-list outside_access_in permit udp host ITR_TAL_Server eq isakmp
    oup TAL_ref_1
    access-list outside_access_in permit esp host ITR_TAL_Server
    object-group TAL_r
    access-list outside_access_in permit ip host GMeSI_dbserver
    object-group GM_eSI
    access-list outside_access_in permit icmp host GMeSI_dbserver
    object-group GM_e
    access-list outside_access_in permit udp host GMeSI_dbserver
    object-group GM_eS
    access-list dmz_access_in permit icmp 255
    255.255.0 echo-reply
    access-list dmz_access_in permit tcp host WebServer1 host primary_dns
    access-list dmz_access_in deny ip 255.255
    access-list dmz_access_in permit ip any any
    access-list inside_access_in permit ip any any
    access-list 110 permit ip host host GMeSI_dbserver
    access-list 110 permit ip host host GMeSI_dbserver
    pager lines 24
    logging on
    logging timestamp
    logging trap notifications
    logging history notifications
    logging host inside
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside
    ip address inside
    ip address dmz
    ip verify reverse-path interface inside
    ip verify reverse-path interface dmz
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm location inside
    pdm location inside
    pdm location outside
    pdm location inside
    pdm location WebServer1 dmz
    pdm location IsuzuONE outside
    pdm location inside
    pdm location ITR_TAL_Server outside
    pdm location outside
    pdm location outside
    pdm location primary_dns outside
    pdm location secondary_dns outside
    pdm location TAL_MWedge inside
    pdm location TAL_GKolb inside
    pdm location TAL_GBriolat inside
    pdm location TAL_MRuiz inside
    pdm location TAL_Gheald inside
    pdm location dmz
    pdm location GMeSI_dbserver outside
    pdm location inside
    pdm location eSI_PNair inside
    pdm location ACasadei inside
    pdm group TAL inside
    pdm group TAL_ref_1 outside reference TAL
    pdm group GM_eSI inside
    pdm group GM_eSI_ref outside reference GM_eSI
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0 0
    static (inside,dmz) netmask 0 0
    static (dmz,outside) WebServer1 dns netmask 0 0
    static (inside,outside) TAL_MWedge netmask 0 0
    static (inside,outside) TAL_GKolb netmask 0 0
    static (inside,outside) TAL_Gheald netmask 0 0
    static (inside,outside) TAL_GBriolat netmask 0 0
    static (inside,outside) TAL_MRuiz netmask 0 0
    static (inside,outside) eSI_PNair netmask 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
    0:05:00 s
    p 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http ACasadei inside
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set anx esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto map ipsec 30 ipsec-isakmp
    crypto map ipsec 30 match address 110
    crypto map ipsec 30 set peer
    crypto map ipsec 30 set transform-set anx
    crypto map ipsec interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address netmask
    isakmp peer ip no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption des
    isakmp policy 30 hash md5
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    isakmp policy 40 authentication rsa-sig
    isakmp policy 40 encryption des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 86400
    isakmp policy 60 authentication pre-share
    isakmp policy 60 encryption 3des
    isakmp policy 60 hash sha
    isakmp policy 60 group 2
    isakmp policy 60 lifetime 86400
    telnet inside
    telnet inside
    telnet ACasadei inside
    telnet timeout 5
    ssh timeout 5
    vpdn username acasadei password ********
    vpdn enable outside
    vpdn enable inside
    vpdn enable dmz
    terminal width 80
    Andrea, Jan 12, 2004
