515 site-2site and software VPN

[nloecke]

Hello all -
I have a PIX 515 that has many site-to-site tunnels configured and functional. Now I need to add software VPN client functionality to this PIX. I tried once a while back, but whatever I did ended up breaking the hardware VPNs so I took that out real quick. I will post what I hope are relevant pieces of the config.
Thanks ahead of time!

access-list NONAT permit ip 192.168.51.0 255.255.255.0 192.168.122.64 255.255.255.224
access-list NONAT permit ip 192.168.51.0 255.255.255.0 192.168.122.32 255.255.255.224
access-list IPTMONTI permit ip 192.168.51.0 255.255.255.0 192.168.122.64 255.255.255.224
access-list IPTCRAPIDS permit ip 192.168.51.0 255.255.255.0 192.168.122.32 255.255.255.224

nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
crypto ipsec transform-set TEKTRANSFORM esp-des esp-sha-hmac
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac

crypto map VPNCLIENT 1222 match address IPTCRAPIDS
crypto map VPNCLIENT 1222 set peer 71.x.x.33
crypto map VPNCLIENT 1222 set transform-set 3DESMD5
crypto map VPNCLIENT 1223 ipsec-isakmp
crypto map VPNCLIENT 1223 match address IPTMONTI
crypto map VPNCLIENT 1223 set peer 71.x.x.34
crypto map VPNCLIENT 1223 set transform-set 3DESMD5

crypto map VPNCLIENT interface outside
isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800

If anyone can help me add the settings for the software VPN without breaking the rest ofthem I will greatly appreciate it.
Thanks!!


<<Witty Signature>>

 

[nloecke]

bump
Anyone?

<<Witty Signature>>

 

[unclerico]

WWhat version of code are running?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[joaott]

Software will come from a Fixed Ip address?!?!?

Wich software it is? Cisco VPN client?.You need to tell everything...

If no.....(fix IP address)

You need to create crypto dynamic maps for it.Crypto maps are just for fixed ip adresses.

I have a PIX 515E running it.Tomorrow i will try to get y the config.Now is 5.00am and i didnt sleep yep.


I dont forget you....

JoaoTT
Portugal

 

[nloecke]

PIX 515 is 6.3(2)
The IP addresses of the clients would not be consistent.
I have another PIX that has been successfully configured for software VPN with a dynamic crypto map, but it seems that if I configure the original PIX the same way it breaks all the static crypto maps.

Thanks

<<Witty Signature>>

 

[joaott]

Sorry for my late answer....my life is a mess right now,looking for new job.

So lets go...
my pix :
Cisco PIX Security Appliance Software Version 7.2(2)

My topology :

1- 3 lan2lan remote sites connected by ipsec vpn tunnel
2- multiple vpn remote users (using cisco vpn client)

so here is what y need to configure it :

step 1: access-list

access-list Vpn_Fastcall_splitTunnelAcl remark Rede Antiga VV
access-list Vpn_Fastcall_splitTunnelAcl standard permit 192.18.1.0 255.255.255.0

step 2: group-policy

group-policy Fastcall internal
group-policy Fastcall attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Vpn_Fastcall_splitTunnelAcl

step 3: creating a username for the group-policy

username joaott password cZQigAoExDYGaZms encrypted privilege 15
username joaott attributes
vpn-group-policy Fastcall

step 4: configuring transforme-set that will be used for this connection

crypto ipsec transform-set MySet2 esp-3des esp-sha-hmac

step 5 : configuring dynamic crypto map for remote users and assigning them to outside and inside interfaces :

crypto dynamic-map ciscovpnclient_dyn_map 40 set pfs
crypto dynamic-map ciscovpnclient_dyn_map 40 set transform-set MySet2
crypto dynamic-map REDELOCAL_dyn_map 20 set pfs
crypto dynamic-map REDELOCAL_dyn_map 20 set transform-set MySet2

(internet_map contains more entries to the romete lan2lan peers, but i wil not mention here cause y dont need)
crypto map Internet_map 65535 ipsec-isakmp dynamic ciscovpnclient_dyn_map

crypto map Micros_map 65535 ipsec-isakmp dynamic REDELOCAL_dyn_map
crypto map Micros_map interface REDE_LOCAL

crypto isakmp enable INTERNET
crypto isakmp enable REDE_LOCAL
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

step 6: configuring tunnel-group

tunnel-group VPN_FastCall type ipsec-ra
tunnel-group VPN_FastCall ipsec-attributes
pre-shared-key *

One thing i realized is that y need to enable isakmp in the inside interface, otherwise it doesn´t work .You also need to assign a crypto map with a dynamic map also to the inside interface,as y can check in my config.I tought it wasn´t necessary, but it is.The reason...i dont no why.


Try it and feedback us if it solved your problem
Good luck!