PIX-to-PIX vpn + remote Access VPN not working

Hi!

    I have two sites, A and B, connected by a site-to-site VPN, and they are
    working OK. When I try to add a remote access VPN for site A so that
    users at home could use both site A's and site B's services and also
    connect to the net through site A, I can't get this to work. I have tried
    doing this both with PDM and the command line. I have quite a lot of experience
    with routers, but PIXes are still somewhat of a mystery to me. Does anyone
    have any similar working configurations to share with me?

    Any help would be greatly appreciated

    Best regards

    Marko Uusitalo
    Marko Uusitalo, Apr 11, 2005
Marko Uusitalo

    Frank Durham Guest


    Here is what I used to set up remote-access VPN with the Cisco VPN client.

    access-list nonat permit ip (Access-list defining what traffic to not use NAT on)
    access-list 102 permit ip
    (Access-list defining which traffic to use split-tunneling on)
    nat (interface) 0 access-list nonat (Command issued to not use NAT
    translation through whichever interface the VPN traffic will flow.)

    sysopt connection permit-ipsec (Permits IPSEC communication through the

    crypto ipsec transform-set vpnsei esp-3des esp-md5-hmac (Setting up what
    type of encryption to use, there are many choices)
    crypto dynamic-map dynmapsei 10 set transform-set vpnsei

    crypto map vpnsei 10 ipsec-isakmp dynamic dynmapsei
    crypto map vpnsei client configuration address initiate
    crypto map vpnsei client configuration address respond

    isakmp client configuration address-pool local sei-1 internet

    vpngroup misvpn address-pool <name-of-pool> (The vpngroup command sets up
    your configuration for the vpn. Your first line tells which ip pool to use)
    vpngroup misvpn dns-server <xxx.xxx.xxx.xxx> (DNS server IP)
    vpngroup misvpn wins-server <xxx.xxx.xxx.xxx> (WINS server ip)
    vpngroup misvpn default-domain <whatever.com> (your internal domain name)
    vpngroup misvpn split-tunnel <access-list> (This command allows your vpn
    users to surf the web through their ISP and only use the VPN to connect to
    your internal servers or services)
    vpngroup misvpn split-dns <whatever.com> (your internal domain-name. Also
    used in conjunction with command above)
    vpngroup misvpn idle-time 7200 (time in seconds you want the PIX to
    allow a connection to sit idle)
    vpngroup misvpn password ******** (VPN group password)

    ip local pool sei-1 (This is the ip addresses
    that are assigned to the VPN Clients)

    If you have any problems or more questions, send me an email at

    Frank Durham, Apr 11, 2005
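As an added example (not Frank's config or any Cisco tooling), a small Python checker for the ACL coverage the setup above depends on: the nat 0 exemption, the split-tunnel list and the site-to-site crypto ACL all have to name the client pool before clients can reach site B through site A. The addresses, the ACL name `l2l` and the pool layout are hypothetical.

```python
import ipaddress
# Constructed PIX 6.x-style fragment, hypothetical addresses (not the poster's config): site A LAN 10.1.0.0/16, site B LAN 10.2.0.0/16, pool 192.168.99.0/24.
SAMPLE_CONFIG = """
ip local pool sei-1 192.168.99.1-192.168.99.254
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.99.0 255.255.255.0
access-list 102 permit ip 10.1.0.0 255.255.0.0 192.168.99.0 255.255.255.0
access-list l2l permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""

def take_addr(tokens):
    """Consume one PIX address spec: 'any' or 'ADDRESS NETMASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def pool_net(start, end):
    """Smallest prefix holding the whole pool range (the network the ACLs must name)."""
    net = ipaddress.ip_network(start)
    while ipaddress.ip_address(end) not in net:
        net = net.supernet()
    return net

def parse(config):
    """Return {acl: [(src_net, dst_net), ...]} and {pool: network}."""
    acls, pools = {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((take_addr(rest), take_addr(rest)))
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = pool_net(*t[4].split("-"))
    return acls, pools

def covered(aces, src, dst):
    """True if one ACE's source and destination each contain the given networks."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)

def check_remote_access(config, site_a, site_b, pool="sei-1", nonat="nonat", split="102", l2l="l2l"):
    """List what site A's PIX still lacks for VPN clients to reach both LANs (site B's PIX needs the mirror image: NAT exemption and crypto ACL for its LAN -> pool)."""
    acls, pools = parse(config)
    a, b, p = ipaddress.ip_network(site_a), ipaddress.ip_network(site_b), pools[pool]
    checks = [(nonat, a, p, "site A LAN -> pool must bypass NAT (nat 0 access-list)"),
              (split, a, p, "site A LAN must be in the split-tunnel ACL"),
              (split, b, p, "site B LAN must be in the split-tunnel ACL"),
              (l2l, p, b, "pool -> site B must be in the site-to-site crypto ACL")]
    return [f"{acl}: {s} -> {d} ({why})" for acl, s, d, why in checks
            if not covered(acls.get(acl, []), s, d)]
```

Even with the ACLs complete, a client's traffic to site B enters and leaves the outside interface of site A's PIX; PIX 6.x does not forward such hairpinned traffic, and PIX 7.0 requires `same-security-traffic permit intra-interface` for it.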
