PIX 515 - can I use the VPN 3000 Client and PIX-to-PIX VPN at the same time?

Discussion in 'Cisco' started by Stephen M, Nov 14, 2006.

  Stephen M

    I have a PIX 515 through which I currently have a handful of users who use
    the v4 Cisco VPN software client to connect to our network. We have one
    remote site for which we would like to install a hardware VPN using a PIX
    501 to connect to our existing PIX 515.

    I successfully reconfigured the 501 and the 515 with a VPN tunnel.


    Unfortunately, this broke the software VPN.

    I have been able to reduce this down to a single configuration line:

    crypto map newmap interface outside
    crypto map Remote-Map interface outside

    (the rest of the relevant config is posted below)

    With the first crypto map, the soft VPN works; with the second, the hardware
    VPN works. With both, the second command overlays the first.

    1) Is it even possible to have both the hard and soft VPNs through the same
    2) If so, how do I syntactically merge the maps, or attach multiple maps
    to an interface?
    3) There is some admittedly elderly firmware on the 515 (6.1(4)); might that
    be a factor? The 501 is new.
    4) We will want to attach several hardware VPNs (buy a couple more 501s
    for different sites) to this interface, if this works. Are multiple hardware
    VPNs through a single interface a show-stopper?



    name ccc.ccc.ccc.ccc Remote-PIX
    name aaa.aaa.aaa.0 Main-Network
    name bbb.bbb.bbb.0 Remote-Network
    access-list dialvpn permit ip Main-Network
    access-list nonat permit ip Main-Network
    access-list nonat permit ip Main-Network Remote-Network
    access-list Remote-Tunnel permit ip Main-Network
    icmp permit any outside
    icmp permit any inside
    ip address outside zzz.zzz.zzz.158
    ip address inside aaa.aaa.aaa.5
    ip local pool dialvpn
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0
    route outside zzz.zzz.zzz.157 1
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set dialvpnset esp-des esp-md5-hmac
    crypto ipsec transform-set Tunnelset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set dialvpnset
    crypto map newmap 10 ipsec-isakmp dynamic dynmap
    crypto map newmap client configuration address respond
    crypto map newmap interface outside
    crypto map Remote-Map interface outside
    crypto map Remote-Map 1 ipsec-isakmp
    crypto map Remote-Map 1 match address Remote-Tunnel
    crypto map Remote-Map 1 set peer Remote-PIX
    crypto map Remote-Map 1 set transform-set Tunnelset
    isakmp enable outside
    isakmp key ******** address Remote-PIX netmask
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000-all address-pool dialvpn
    vpngroup vpn3000-all dns-server primaryDNS secondary DNS
    vpngroup vpn3000-all split-tunnel dialvpn
    vpngroup vpn3000-all idle-time 36000
    vpngroup vpn3000-all password ********
    vpngroup group idle-time 1800
    Stephen M, Nov 14, 2006

  mcaissie

    You can only apply one crypto map to the outside interface, but you can
    have more than one entry in a crypto map, with different sequence numbers.
    For example, you could replace "crypto map Remote-Map 1" with
    "crypto map newmap 20".

    Note that I never used the command
    "crypto map newmap client configuration address respond"
    so I am not sure what impact it will have on your LAN-to-LAN VPN.
    mcaissie, Nov 14, 2006
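The merged configuration the two posts above describe, written out as an added example rather than anything posted in this thread: one crypto map, newmap, bound once to the outside interface, with a static entry per hardware peer and the dynamic entry for the software clients carrying the highest sequence number. Cisco's guidance is that dynamic entries go last (highest sequence) so that a known peer is always matched by its static entry before the wildcard dynamic one is consulted. Assumptions not in the original post: Main-Network and Remote-Network are /24s (the posted access-lists were truncated, so the masks are guessed), and the second site (Remote2-PIX, Remote2-Network, Remote2-Tunnel) is hypothetical, included only to show how further 501s attach to the same map. The name and isakmp policy lines from the posted config are unchanged and not repeated here.

```cisco
! Added example, not the original poster's config. Masks are assumed /24;
! Remote2-* is a hypothetical second site added to show the pattern.

! Interesting traffic per hardware peer, plus NAT exemption for each tunnel
access-list Remote-Tunnel permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
access-list Remote2-Tunnel permit ip Main-Network 255.255.255.0 Remote2-Network 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 Remote2-Network 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set Tunnelset esp-des esp-md5-hmac
crypto ipsec transform-set dialvpnset esp-des esp-md5-hmac

! Static LAN-to-LAN entries: low sequence numbers, one per peer
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address Remote-Tunnel
crypto map newmap 10 set peer Remote-PIX
crypto map newmap 10 set transform-set Tunnelset

crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address Remote2-Tunnel
crypto map newmap 20 set peer Remote2-PIX
crypto map newmap 20 set transform-set Tunnelset

! Dynamic entry for the VPN Client users: highest sequence number so it is
! evaluated only after every static peer entry has failed to match
crypto dynamic-map dynmap 10 set transform-set dialvpnset
crypto map newmap 100 ipsec-isakmp dynamic dynmap

! Map-wide settings and a single binding to the interface
crypto map newmap client configuration address respond
crypto map newmap interface outside

! One pre-shared key per hardware peer (host mask). The software clients
! authenticate with the vpngroup password, so no wildcard key is needed.
isakmp key ******** address Remote-PIX netmask 255.255.255.255
isakmp key ******** address Remote2-PIX netmask 255.255.255.255
isakmp identity address
isakmp enable outside
```

Two checks after pasting this in: `show crypto map` should list a single map on the outside interface with entries 10, 20 and the dynamic 100, and `show crypto isakmp sa` should show a Phase 1 SA for each 501 while a software client is also connected. The 501 side needs the mirror-image access-list (Remote-Network to Main-Network) and a matching pre-shared key for the 515's outside address. The transform sets and isakmp policy in the posted config use DES and MD5; if the 515's license allows it, 3DES (or AES on newer images) with SHA is the stronger choice and must then be changed on both ends of each tunnel and in the VPN Client's group settings.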