Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco PIX501 and VPN Client to PIX515E

Status
Not open for further replies.
hoinvip

hoinvip

MIS
Nov 16, 2001
156
GB
Hello,

I have a PIX515E in a central site with a VPN connection to a PIX501 at a remote site. This is working fine.

However, I now want to add another PIX501 at a different remote site and also give remote access to 2 salesmen by installing the VPN client software on their laptops.

I am having trouble in making this work as every time I try to add another peer the first site drops out. Also, I did get the VPN client "almost" working (it connected and authenticated but wouldn't let me access the systems behind the 515E).

Can anyone offer me some advice please? I've read all the Cisco technotes but I'm still learning this and I'm probably missing something very simple.

TIA,

Peter
 
Sort by date Sort by votes
Sure, Sorry!

Here is the config for the central PIX - please note that failed attempts at other VPN clients have been removed!

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name xxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
name 192.168.1.11 abc02
name 192.168.1.13 abc03
name 192.168.1.10 abc01
name 192.168.1.14 abc04
access-list external permit tcp any host 9.9.9.162 eq smtp
access-list 10 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 9.9.9.190 255.255.255.224
ip address inside 192.168.1.211 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.210 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 9.9.9.164 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 9.9.9.166 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 9.9.9.167 192.168.1.14 netmask 255.255.255.255 0 0
static (inside,outside) 9.9.9.162 192.168.1.11 netmask 255.255.255.255 0 0
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 9.9.9.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.210 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto map barney 10 ipsec-isakmp
crypto map barney 10 match address 10
crypto map barney 10 set peer 88.88.88.106
crypto map barney 10 set transform-set tset
crypto map barney interface outside
isakmp enable outside
isakmp key ******** address 88.88.88.106 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
 
Upvote 0 Downvote
HI.

For adding another VPN peer:

* Make sure that the internal subnet of the remote network does not overlap with existing networks (192.168.1.0, 192.168.10.0, etc).

* Create additional access-list 11 (similar to access-list 10) that will be used for interesting traffic of new vpn tunnel.

* Add statements to access-list nonat (another statement in the same acl).

* Add another crypto map entry.
Note that you should use the same name "barney", but with a different number.

* Add an "isakmp key" statement.

Here are few links to help you:

And the pixcript tool can generate a sample config, that you can use as a reference comparing it to yours:

Bye


Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
775
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
641
intel233
intel233
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
175
WhosYourDiffie
WhosYourDiffie
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
642
Johnkite
Johnkite
MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
522
MottoK
MottoK

Part and Inventory Search

Sponsor

Back
Top