pix 501 - VPN site-to-Site

Discussion in 'Cisco' started by Robert, Feb 2, 2006.

  1. Robert

    Robert Guest

    Hello
    I have 2 PIX firewalls
    I have VPN site to site

    I tried so many times to do a VPN server and nothing works

    This is my VPN config - what do I have to do to be able to connect to the Office
    via Cisco VPN Client?

    Office
    IP address Outside = 100.100.100.100
    IP address inside = 192.168.1.254

    access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    nat (inside) 0 access-list 90
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toRemote 20 ipsec-isakmp
    crypto map toRemote 20 match address 90
    crypto map toRemote 20 set peer 90.90.90.90
    crypto map toRemote 20 set transform-set strong
    crypto map toRemote interface outside
    isakmp enable outside
    isakmp key ****** address 90.90.90.90 netmask 255.255.255.255
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des

    Remote office
    IP address Outside = 90.90.90.90
    IP address inside = 10.0.0.254

    access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat 0 access-list 80
    sysopt connection permit-ipsec
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toOffice 10 ipsec-isakmp
    crypto map toOffice 10 match address 80
    crypto map toOffice 10 set peer 100.100.100.100
    crypto map toOffice 10 set transform-set strong
    crypto map toOffice interface outside
    isakmp enable outside
    isakmp key ****** address 100.100.100.100 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
     
    Robert, Feb 2, 2006
    #1

  2. Peter

    Peter Guest

    I got the same problem.
    Anyone got a solution?
     
    Peter, Feb 2, 2006
    #2

  3. Do not use the same access list name for two different purposes.
    Create different ACLs for use with nat 0 access-list and crypto map.
     
    Walter Roberson, Feb 4, 2006
    #3
  4. Robert

    Robert Guest


    It should be OK

    How can I create a VPN server (PIX1)? I tried so many things, so I cannot
    manage this

    access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list ASCD permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
     
    Robert, Feb 8, 2006
    #4
  5. The portion of the configuration you provided looks okay.

    I would suggest explicitly putting in the (inside) on the remote office's
    nat 0 access-list statement, but it will assume the (inside) anyhow
    so it is just a matter of making it easier to read.

    Is that the complete policy? You didn't set the group, and you didn't
    set the hash? sha is the default, which should not be a problem,
    but it is best to specify these things explicitly.


    What do you get when you run

    debug crypto ipsec 2
    debug crypto isakmp 2

    and try to make a connection?
     
    Walter Roberson, Feb 8, 2006
    #5
  6. Robert

    Robert Guest

    Is that the complete policy?
    No, it was a basic config; it is OK.

    VPN site to site works perfectly - no problems.

    I do not know how to access one PIX from home via Cisco VPN Client using the
    vpngroup command.

    I tried so many things and nothing.

    The story is:
    Before the VPN site to site there was a VPN to the Office and a VPN to the Remote
    office - that was OK.
    Then the workers said they do not want to enable the VPN client to connect to the
    remote office.
    I created the VPN site to site - but somehow I could not connect using the VPN
    client.

    I removed the VPN server config and left site to site.

    Now users want to connect to the remote office (site to site) and they want to
    work from home using the VPN client, and I cannot manage this.

    I even did this:
    http://www.cisco.com/en/US/products...s_configuration_example09186a00800948b8.shtml

    It does not work.

    I am hopeless.
    I do not know how to do it.

    I do not have a Cisco username and password (I am registered but I do not have
    access to looooot of stuff).


    Robert
     
    Robert, Feb 10, 2006
    #6