
Cisco VPN Client PC conflict with existing PIX to PIX VPN 1


Dublin73

IS-IT--Management
Apr 26, 2005
Hi, I had a Site to Site ipsec VPN set up between two PIXes: a 506e PIX in our main office and a PIX 501 in the small remote office. This has worked beautifully for months (I've got Citrix client PCs in the remote office accessing Citrix servers in the main office).

This week I made changes to the 506e to allow a remote client PC to connect using the "Cisco VPN Client" software. This client connects successfully, but I have now lost my Site to Site ipsec VPN connection to the PIX 501 in the remote office.

What I have added at the PIX 506e in the main office to allow the Cisco VPN Client access follows....

( note* I.P. addresses have been substituted to protect their identities! )

access-list 101 permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
access-list SplitTunnel permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
ip local pool VPNPool 196.0.0.1-196.0.0.25
crypto ipsec transform-set tango esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set tango
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
isakmp identity address
isakmp nat-traversal 15
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup DeltaVPNGroup address-pool VPNPool
vpngroup DeltaVPNGroup dns-server 111.222.33.6
vpngroup DeltaVPNGroup default-domain domain.com
vpngroup DeltaVPNGroup split-tunnel SplitTunnel
vpngroup DeltaVPNGroup idle-time 28800
vpngroup DeltaVPNGroup max-time 28800
vpngroup DeltaVPNGroup password ********

The following is what I used to have on the PIX 506e before I made the changes. This is for the Site to Site ipsec VPN with the remote PIX 501......

access-list 101 permit ip 111.222.33.0 255.255.255.0 205.0.3.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set apples esp-des esp-md5-hmac
crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address 101
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples
crypto map oranges interface outside
isakmp enable outside
isakmp key ******** address 82.57.60.124 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Since the changes were made on the 506e for the Cisco VPN Client access, I have lost the following, which I think is the root of my problem.....

crypto map oranges interface outside

Do I need to combine this somehow with....
crypto map newmap interface outside

Can there be only one "crypto map xxxx interface outside"? Do I need to combine the two?

any help would be much appreciated. I want to get the Site to Site VPN running again, as well as allowing the Cisco VPN client PC access.

thanks!

Dublin73


 
You can have only one crypto map applied to the interface. Instead of making 2 separate maps, make 1 and use different seq-numbers:

crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address 101
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples
crypto map oranges 20 ipsec-isakmp dynamic dynmap
.....

 
Thanks for that NetworkGhost! I've been using the PIX for around a year now and am still learning, slowly but surely.

I don't have hands on access to the PIX at the moment, but I think I follow what you mean. Am I correct in trying this at the PIX?.....

( deleting the "newmap" entries )
no crypto map newmap 20 ipsec-isakmp dynamic dynmap
no crypto map newmap client configuration address respond
no crypto map newmap interface outside

( recreating the deleted "newmap" entries using the already existing map called "oranges" )
crypto map oranges 20 ipsec-isakmp dynamic dynmap
crypto map oranges client configuration address respond

I'm not 100% clear on what you mean by different seq-numbers

thanks again, Dublin73



 
Forgot to add one line in my previous post......

crypto map oranges interface outside
 
The Sequence number is the number that follows after the crypto map mapname command. I believe it just signifies a new crypto map set entry; not sure if it plays a role in priority though. Yes, make those changes. Your tunnels should come back up. Then post back if you have any other issues.
 
The sequence number does play a role in priority. Especially when you are using a dynamic map that will be used in a static map.

Make sure this is in there too:

crypto dynamic-map dynmap 90
crypto dynamic-map dynmap 90 set transform-set tango
crypto dynamic-map mydynamicmap 90 match address 101

Also I noticed your Client VPN pool is not in a private IP range. Is that on purpose?
 
Thanks again for responding NetworkGhost.

I'll have access to the PIX on Monday, and will let you know how I get on.

For the Client VPN pool, I wasn't really sure what I.P. range to use, so I picked something at random that differed from my internal I.P. network address.

Is this good practice, bad practice, indifferent?
 
I would use a private IP scheme. If you ever had to access something on the public net with that IP range, traffic wouldn't be getting out -- Private IP Range:

10.0.0.0 - 10.255.255.255 /8

172.16.0.0 - 172.31.255.255 /12

192.168.0.0 - 192.168.255.255 /16
 
NetworkGhost are you still out there somewhere? please help!

O.K., I got my original Site to Site VPN running again, but unfortunately my remote client PC with the Cisco VPN Client software has lost the ability to connect. The remote PC does successfully make the VPN connection, it receives an I.P. address and LAN DNS server I.P. address from the PIX, but...

the remote PC cannot ping anything on the internal LAN? Also to note, I did enter the following commands...

crypto dynamic-map dynmap 90
crypto dynamic-map dynmap 90 set transform-set tango
crypto dynamic-map mydynamicmap 90 match address 101

....at the PIX, but the PIX doesn't like this entry...

crypto dynamic-map dynmap 90

When trying to enter this the PIX is coming back with...

Result of firewall command: "crypto dynamic-map dynmap 90"

ERROR: incomplete command
usage: crypto dynamic-map <map-name> <seqno> {match|set} ...
Command failed

Here's the full config. to shed a bit more light on things. Can you see anything out of place in the config?

PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxx encrypted
hostname PIX
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list mail permit tcp any host 88.99.157.10 eq https
access-list mail permit tcp 135.136.118.0 255.255.255.0 host 88.99.157.10 eq smtp
access-list mail permit tcp 221.98.191.0 255.255.255.0 host 88.99.157.10 eq smtp
access-list 101 permit ip 111.222.10.0 255.255.255.0 205.0.3.0 255.255.255.0
access-list 101 permit ip 111.222.10.0 255.255.255.0 196.0.0.0 255.255.255.0
access-list SplitTunnel permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 88.99.157.9 255.255.255.255 pppoe setroute
ip address inside 111.222.10.14 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 196.0.0.1-196.0.0.25
pdm location 111.222.10.4 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 88.99.157.10 111.222.10.5 netmask 255.255.255.255 0 0
access-group mail in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 111.222.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set apples esp-des esp-md5-hmac
crypto ipsec transform-set tango esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set tango
crypto dynamic-map mydynamicmap 90 match address 101
crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address 101
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples
crypto map oranges 20 ipsec-isakmp dynamic dynmap
crypto map oranges client configuration address respond
crypto map oranges interface outside
isakmp enable outside
isakmp key ******** address 82.57.60.124 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 15
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup DeltaVPNGroup address-pool VPNPool
vpngroup DeltaVPNGroup dns-server 111.222.33.6
vpngroup DeltaVPNGroup default-domain domain.com
vpngroup DeltaVPNGroup split-tunnel SplitTunnel
vpngroup DeltaVPNGroup idle-time 28800
vpngroup DeltaVPNGroup max-time 28800
vpngroup DeltaVPNGroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname eircom
vpdn group pppoe_group ppp authentication chap
vpdn username eircom password *********
terminal width 80
Cryptochecksum:e0870faf144f284ace804b169578b9c8
: end

many thanks in advance, this has really got me baffled.

Also to note, I'm going to go with private I.P. addresses on the VPN clients. You make a good point that the clients would have trouble connecting to something on the net, if that something had the same network address as the clients. I hadn't foreseen that one, still in the baby steps stage!

 
Well... still chipping away at this, but still no success. My quest to get the VPN Client working as well as the site to site VPN continues. I've tried a lot of different configs. based on various postings, but none are working. I must be nearly there. Can any of you out there spot something that I have misconfigured?

I found out a bit more about the sequence number also. The VPN clients' DHCP sequence number has to be higher than the static PIX to PIX sequence number.

The Site-to-Site VPN is working fine, it's the Cisco VPN Clients that cannot connect.

( I.P. addresses identities are substituted! )

LAN network ID: 111.222.10.0/24
VPN Clients DHCP Pool: 196.0.0.1-196.0.0.25/24

Config is below....

PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxx encrypted
hostname PIX
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list mail permit tcp any host 88.99.157.10 eq https
access-list mail permit tcp 135.136.118.0 255.255.255.0 host 88.99.157.10 eq smtp
access-list mail permit tcp 221.98.191.0 255.255.255.0 host 88.99.157.10 eq smtp
access-list 101 permit ip 111.222.10.0 255.255.255.0 205.0.3.0 255.255.255.0
access-list 101 permit ip 111.222.10.0 255.255.255.0 196.0.0.0 255.255.255.0
access-list SplitTunnel permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 88.99.157.9 255.255.255.255 pppoe setroute
ip address inside 111.222.10.14 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 196.0.0.1-196.0.0.25
pdm location 111.222.10.4 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 88.99.157.10 111.222.10.5 netmask 255.255.255.255 0 0
access-group mail in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 111.222.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set apples esp-des esp-md5-hmac
crypto ipsec transform-set tango esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set tango
crypto dynamic-map dynmap 1 match address 101
crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address 101
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples
crypto map oranges client configuration address respond
crypto map oranges interface outside
isakmp enable outside
isakmp key ******** address 82.57.60.124 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 15
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1 <<<<<<<< Should these be in the same group, or separate groups?
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1 <<<<<<<< Should these be in the same group, or separate groups?
isakmp policy 10 lifetime 86400
vpngroup DeltaVPNGroup address-pool VPNPool
vpngroup DeltaVPNGroup dns-server 111.222.33.6
vpngroup DeltaVPNGroup default-domain domain.com
vpngroup DeltaVPNGroup split-tunnel SplitTunnel
vpngroup DeltaVPNGroup idle-time 28800
vpngroup DeltaVPNGroup max-time 28800
vpngroup DeltaVPNGroup password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname eircom
vpdn group pppoe_group ppp authentication chap
vpdn username eircom password *********
terminal width 80
Cryptochecksum:e0870faf144f284ace804b169578b9c8
: end

thanks again in advance for anyone who will take the time to respond. I'm off for a pint of Carlsberg before I go bonkers!
 
Hi
I have at the moment the same problem. My PIX 501 to PIX 501 VPN works, or the VPN from a client to the PIX, but not together.
Have you found a solution for your problem? It would be very nice if you could post your configuration.

Thanks!

tschons
 
I have a very similar config that is working. You have bound the oranges crypto map to the outside interface. It looks like you have not tied in the dynamic map to oranges. Try this command:
crypto map oranges 65535 ipsec-isakmp dynamic dynmap

I hope this helps.
 
bryan148 thanks for your response. I've actually erased all of my entries and have started from scratch ( before seeing your post! ). I haven't tested things yet, but here is what I'm using as an example.....


I've posted this for anyone else with the same problem. Will post back and let you know if this works. If it does I'll post the configs of both PIXes.
 
OK.... sorted! I finally got this up and running and wanted to post the Config of my two PIXes for anyone else who may need this info.

Like I said in my last post ( just up above there ), I used the example on Cisco's site and this works beautifully! My Site-to-Site is functioning as it should AND remote PCs from anywhere ( with the Cisco VPN Client software installed ) can connect to my LAN. That website again is...


So why post my 2 PIX configs. if I've just given you the link to Cisco's example? Easy! If you're a newbie, or relative newbie like me, the Cisco examples still leave a lot unanswered and can assume that you already have a solid working knowledge of the PIX.

What threw me off the most a year ago when I started using these things was....

On Cisco's site you'd see an example where there are access lists using numbers as labels. For example...

access-list 120 permit ip 192.168.1.0 255.255.255.0 193.0.3.0 255.255.255.0

In this case "120" is just a label. This could be substituted just as easily for mustard, television, 150.... doesn't matter, it's just a tag. I originally thought that this number served a purpose to the functionality of the access list, rather than viewing it as just a tag. This access list could just as easily be created as...

access-list mustard permit ip 192.168.1.0 255.255.255.0 193.0.3.0 255.255.255.0

or...

access-list television permit ip 192.168.1.0 255.255.255.0 193.0.3.0 255.255.255.0

Anyways, you get the idea. Here's my 2 PIX Configs.. One PIX is in our main office and the other is 5 hours away. So the 2 PIXes aren't connected by a hub as they are in the Cisco example. The internet is what's between the 2 PIXes.

111.222.33.0 255.255.255.0 is my internal LAN network address and subnet mask at the main office.

203.0.5.0 255.255.255.0 is the remote office LAN network address and subnet mask.

55.66.777.0 is the "public" range of IP addresses allotted to us from our ISP. These are in use at the main office.

88.99.11.0 is a separate "public" range of IP addresses allotted to us from our ISP. These are in use at the remote office.

192.168.1.1-192.168.1.25 is the range of I.P. Addresses that I have assigned to the incoming Cisco VPN Clients. The subnet mask is 255.255.255.0

PIX Main Office. This is my equivalent of the "PIX 1 Configuration" in the Cisco example....

Result of firewall command: "sho runn"

: Saved
:
PIX Version 6.3(4)
interface ethernet0 10full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CCCCCCCC encrypted
passwd xxxxxxxxxx encrypted
hostname SUPERPIX
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list mail permit tcp any host 55.66.777.10 eq https
access-list mail permit tcp 135.136.118.0 255.255.255.0 host 55.66.777.10 eq smtp
access-list mail permit tcp 221.98.191.0 255.255.255.0 host 55.66.777.10 eq smtp
access-list 101 permit ip 111.222.33.0 255.255.255.0 203.0.5.0 255.255.255.0
access-list 101 permit ip 111.222.33.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 111.222.33.0 255.255.255.0 203.0.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 55.66.777.9 255.255.255.255 pppoe setroute
ip address inside 111.222.33.14 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool CHOCOLATE 192.168.1.1-192.168.1.25
pdm location 111.222.33.4 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 55.66.777.10 111.222.33.5 netmask 255.255.255.255 0 0
access-group mail in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 111.222.33.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set PIZZA esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set PIZZA
crypto map CHEESEBURGER 10 ipsec-isakmp
crypto map CHEESEBURGER 10 match address 110
crypto map CHEESEBURGER 10 set peer 88.99.11.124
crypto map CHEESEBURGER 10 set transform-set PIZZA
crypto map CHEESEBURGER 20 ipsec-isakmp dynamic dynmap
crypto map CHEESEBURGER interface outside
isakmp enable outside
isakmp key ******** address 88.99.11.124 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 15
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNClients address-pool CHOCOLATE
vpngroup VPNClients dns-server 111.222.33.6
vpngroup VPNClients default-domain domain.com
vpngroup VPNClients idle-time 1800
vpngroup VPNClients password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname eircom
vpdn group pppoe_group ppp authentication chap
vpdn username eircom password *********
terminal width 80
Cryptochecksum:c66f4aa031ea8fdbf5b9fbf596401e05
: end


============================================================

PIX Remote Office. This is my equivalent of the "PIX 2 Configuration" in the Cisco example....

Result of firewall command: "sho runn"

: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qqqqqqqqqqq encrypted
passwd xxxxxxxxx encrypted
hostname SUPERDUPERPIX
domain-name mcr.ie
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 203.0.5.0 255.255.255.0 111.222.33.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 203.0.5.14 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 203.0.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set PIZZA esp-3des esp-md5-hmac
crypto map CHEESEBURGER 10 ipsec-isakmp
crypto map CHEESEBURGER 10 match address 101
crypto map CHEESEBURGER 10 set peer 55.66.777.9
crypto map CHEESEBURGER 10 set transform-set PIZZA
isakmp enable outside
isakmp key ******** address 55.66.777.9 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname eircom
vpdn group pppoe_group ppp authentication chap
vpdn username eircom password *********
dhcpd address 203.0.5.15-203.0.5.35 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:08f83b237779c0fa789bf471f05f2103
: end

Maybe this will help someone else out in the future. This was driving me bonkers, so when I finally got it I wanted to share!

Thumbs up to those of you who responded back to my posts.
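Editor's added example (not code from the thread, from Cisco, or from any poster): a small Python linter that reads the crypto-map and address-pool lines of a PIX 6.x config and flags the pitfalls the replies above worked through: a crypto map with entries that is not the one bound to the interface (NetworkGhost's "only one crypto map per interface" point), a dynamic entry whose sequence number is not higher than the static site-to-site entry, a defined dynamic-map that no bound crypto map references (bryan148's point, and the mydynamicmap/dynmap mismatch), and a client pool outside the RFC 1918 ranges. The regular expressions cover only the command forms that appear in this thread, and the two sample snippets are constructed from the sanitized configs posted above (the first broken state and the final working main-office config), not from a live box.

```python
"""Lint the crypto map / VPN pool parts of a PIX 6.x config for the pitfalls
discussed in this thread. Added example; not code from the thread or from Cisco."""
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges, as listed by NetworkGhost in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the first broken state from the thread (two crypto maps,
# only "newmap" bound to the interface, a mis-named dynamic map, a public pool).
BROKEN_SNIPPET = """\
ip local pool VPNPool 196.0.0.1-196.0.0.25
crypto ipsec transform-set apples esp-des esp-md5-hmac
crypto ipsec transform-set tango esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set tango
crypto dynamic-map mydynamicmap 90 match address 101
crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address 101
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
"""

# Constructed sample modelled on the final working main-office config.
FIXED_SNIPPET = """\
ip local pool CHOCOLATE 192.168.1.1-192.168.1.25
crypto ipsec transform-set PIZZA esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set PIZZA
crypto map CHEESEBURGER 10 ipsec-isakmp
crypto map CHEESEBURGER 10 match address 110
crypto map CHEESEBURGER 10 set peer 88.99.11.124
crypto map CHEESEBURGER 10 set transform-set PIZZA
crypto map CHEESEBURGER 20 ipsec-isakmp dynamic dynmap
crypto map CHEESEBURGER interface outside
"""

# Only the command forms seen in this thread are recognised (assumption).
PATTERNS = [
    ("bind", re.compile(r"crypto map (\S+) interface (\S+)$")),
    ("dyn_entry", re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")),
    ("static_entry", re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp$")),
    ("dynmap", re.compile(r"crypto dynamic-map (\S+) (\d+) (?:set|match) ")),
    ("pool", re.compile(r"ip local pool (\S+) (\S+)-(\S+)$")),
]


def parse_pix(config_text):
    """Collect interface bindings, crypto map entries, dynamic-map definitions and pools."""
    bound, entries, dynmaps, pools = {}, defaultdict(dict), defaultdict(set), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind == "bind":
                bound[m.group(2)] = m.group(1)                      # interface -> map name
            elif kind == "dyn_entry":
                entries[m.group(1)][int(m.group(2))] = m.group(3)   # seq -> dynamic map name
            elif kind == "static_entry":
                entries[m.group(1)][int(m.group(2))] = None         # seq -> static (peer) entry
            elif kind == "dynmap":
                dynmaps[m.group(1)].add(int(m.group(2)))
            elif kind == "pool":
                pools[m.group(1)] = (m.group(2), m.group(3))
            break
    return bound, entries, dynmaps, pools


def lint(config_text):
    """Return a list of findings; an empty list means none of the thread's pitfalls were seen."""
    bound, entries, dynmaps, pools = parse_pix(config_text)
    bound_maps = set(bound.values())
    findings, referenced = [], set()
    for name, seqs in entries.items():
        static = [q for q, d in seqs.items() if d is None]
        dynamic = [(q, d) for q, d in seqs.items() if d is not None]
        if name not in bound_maps:
            findings.append(f"crypto map {name} has entries but is not bound to any interface")
            continue
        for q, dname in dynamic:
            referenced.add(dname)
            if static and q <= max(static):
                findings.append(f"crypto map {name} {q}: dynamic entry needs a higher seq than the static entries (max {max(static)})")
            if dname not in dynmaps:
                findings.append(f"crypto map {name} {q} references dynamic map {dname}, which has no 'crypto dynamic-map {dname} <seq>' lines")
    for dname in dynmaps:
        if dname not in referenced:
            findings.append(f"crypto dynamic-map {dname} is defined but no bound crypto map references it")
    for pname, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in net and hi in net for net in PRIVATE_NETS):
            findings.append(f"ip local pool {pname} {first}-{last} is not in an RFC 1918 range")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_SNIPPET), ("fixed", FIXED_SNIPPET)):
        print(f"{label}: {lint(text) or ['no findings']}")
```

Run against the broken snippet it reports three findings (oranges unbound, mydynamicmap never referenced, VPNPool not private); the working snippet reports none. Feeding it the intermediate config where dynmap was defined but the "crypto map oranges 20 ipsec-isakmp dynamic dynmap" line was missing reproduces bryan148's diagnosis, and lowering the dynamic entry's sequence number below the static one reproduces the ordering problem.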
 