Pix-to-Pix and Client-to-Pix VPN

Have got two working configs for a Pix that allow either a Pix-to-Pix
VPN, or remote users to connecting into a Pix using the Cisco client
(created these using two excellent documents on Cisco.com - #6211 and
#14091). Am trying to combine the two but am having a few problems.

Ideally, would like to find equiv document from Cisco but have had no
joy (is it just me or is Cisco web-site diabolical for searching?).
Current non-working config is as follows:

:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password utXGGJbasURbvYXQ encrypted
passwd utXGGJbasURbvYXQ encrypted
hostname hosthost
domain-name host.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x router
name y.y.y.y WAN
name 10.0.0.4 Boardroom
name 192.168.0.0 remoteoffice-nw
name z.z.z.z remoteoffice
access-list 102 permit tcp any host a.a.a.a eq smtp
access-list 102 permit tcp any host a.a.a.a eq www
access-list 102 permit tcp any host a.a.a.a eq 3389
access-list 102 permit tcp any host b.b.b.b eq pcanywhere-data
access-list 102 permit udp any host b.b.b.b eq pcanywhere-status
access-list 102 permit tcp any host c.c.c.c eq 3389
access-list 101 permit ip 10.0.0.0 255.255.255.0 remoteoffice-nw
255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0
255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside WAN 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.1.1-10.0.1.254
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.a 10.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.b Boardroom netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.c 10.0.0.2 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 router 1
route outside router 255.255.255.255 router 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn 30 match address 101
crypto dynamic-map outside_dyn 30 set transform-set myset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer remoteoffice
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remoteoffice netmask 255.255.255.255
no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dialin address-pool ippool
vpngroup dialin dns-server 10.0.0.3 195.10.102.11
vpngroup dialin idle-time 1800
vpngroup dialin password ********
telnet timeout 5
ssh timeout 5
terminal width 80
: end
#

 

upgrade to 6.3.3
and add command isakmp nat-t

This will do it for you.

Regards
Martin Bilgrav

 

Everything's looking fine... but, I guess that you should remove:

PIX(config)#no crypto dynamic-map outside_dyn 30 match address 101

Also, I'm NOT sure whether you can setup the seq num 65535 or not. Can
you try 30 instead?

Be aware that you will only have access to your 10.0.0.0/24 network
and NOT to 192.168.0.0/24 network.

Thanks!
________________________________________________
Dominic Longpre, CCNA & CSPFA (PIX Certified)
IT Specialist

 

Hello

Could uou help me. I see that you are real professional.
My probem is:

|
| -- inside 10.0.1.1 /16 WEB Server 10.0.1.2
|
-------------
| PIX | -- dmz 172.16.1.1 /16 --DNS Server 172.16.1.2
-------------
|
|
| outside 20.20.20.3 /28
|
|
My perm. router
20.20.20.2

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet1 dmz security90
access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
ip address outside 20.20.20.3 255.255.255.240
ip address inside 10.0.1.1 255.255.0.0
ip address dmz 172.16.1.1 255.255.0.0
global (outside) 1 20.20.20.1
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.1.0 255.255.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) 20.20.20.5 10.0.1.2 netmask 255.255.255.255 0 0
static (dmz, outside) 20.20.20.6 172.16.1.2 netmask 255.255.255.255 0 0
conduit permit ip 20.20.20.5 host any
conduit permit ip 20.20.20.6 host any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
sysopt connection permit-ipsec
crypto ipsec transform-set lanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forg 21 ipsec-isakmp
crypto map forg 21 match address ipsec
crypto map forg 21 set peer 30.30.30.1
crypto map forg 21 set transform-set lanche
crypto map forg interface outside
isakmp enable outside
isakmp key fin2000 address 30.30.30.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1

So. I have 3 problems, questions.
1st question: Is this configuration good, because my banch router from the
other side doesn't response. How to set up more the one
VPN tunnel to another Cisco router?

2nd, main question: I did static address translation, but with ip
address outside 20.20.20.3 255.255.255.240
hosts from protected networks inside are invisible for themselves. For
example: I can't not ping, or telnet to 20.20.20.5 from
20.20.20.6 using IP or hostsnames. Where I did a mistakes? Please help. With
ip address outside 20.20.20.3 255.255.255.255 everything goes
fine. But for me is a bad netmask? I can't ping (no response) to outside
interface from any host in inside and dmz? Is it correct?

3rd: Why my VPN doesn't work. What I did wrong?

Best regards
Mirek