Hi, I had a Site to Site ipsec VPN set up between two PIXes: a 506e PIX in our main office and a PIX 501 in the small remote office. This has worked beautifully for months (I've got Citrix client PCs in the remote office accessing Citrix servers in the main office).
This week I made changes to the 506e to allow a remote client PC to connect using the "Cisco VPN Client" software. This client connects successfully, but I have now lost my Site to Site ipsec VPN connection to the PIX 501 in the remote office.
What I have added at the PIX 506e in the main office to allow the Cisco VPN Client access follows:
(note: I.P. addresses have been substituted to protect their identities!)
access-list 101 permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
access-list SplitTunnel permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
ip local pool VPNPool 196.0.0.1-196.0.0.25
crypto ipsec transform-set tango esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set tango
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
isakmp identity address
isakmp nat-traversal 15
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup DeltaVPNGroup address-pool VPNPool
vpngroup DeltaVPNGroup dns-server 111.222.33.6
vpngroup DeltaVPNGroup default-domain domain.com
vpngroup DeltaVPNGroup split-tunnel SplitTunnel
vpngroup DeltaVPNGroup idle-time 28800
vpngroup DeltaVPNGroup max-time 28800
vpngroup DeltaVPNGroup password ********
The following is what I used to have on the PIX 506e before I made the changes. This is for the Site to Site ipsec VPN with the remote PIX 501:
access-list 101 permit ip 111.222.33.0 255.255.255.0 205.0.3.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set apples esp-des esp-md5-hmac
crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address 101
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples
crypto map oranges interface outside
isakmp enable outside
isakmp key ******** address 82.57.60.124 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
Since the changes were made on the 506e for the Cisco VPN Client access, I have lost the following, which I think is the root of my problem:
crypto map oranges interface outside
Do I need to combine this somehow with:
crypto map newmap interface outside
Can there be only one "crypto map xxxx interface outside"? Do I need to combine the two?
Any help would be much appreciated. I want to get the Site to Site VPN running again, as well as allowing the Cisco VPN client PC access.
Thanks!
Dublin73
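The question above turns on one PIX rule: only one crypto map set can be bound to an interface, so "crypto map newmap interface outside" replaced "crypto map oranges interface outside" and the site-to-site tunnel lost its map. The fix is a single map that carries both the static site-to-site entry (low sequence number, matched first) and the dynamic client entry (highest sequence number, matched last). The following merged configuration is an added example, not part of Dublin73's post or of any Cisco documentation; all addresses, names, peers and policies are taken from the post, except the crypto ACL name "L2L", which is an assumption introduced so that the crypto ACL for the PIX 501 tunnel is separate from the "nat 0" ACL 101 (with the posted config, adding the 196.0.0.0/24 line to ACL 101 also widened "match address 101", which would try to send client-pool traffic to the PIX 501 peer).

```cisco
! Added example (not from the original post): one crypto map set on "outside"
! carrying both the static site-to-site entry and the dynamic VPN-client entry.

! ACL 101 stays the NAT-exemption list and covers both the remote-office LAN
! and the VPN client pool.
access-list 101 permit ip 111.222.33.0 255.255.255.0 205.0.3.0 255.255.255.0
access-list 101 permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
nat (inside) 0 access-list 101

! Separate crypto ACL for the PIX 501 tunnel only (name "L2L" is assumed).
access-list L2L permit ip 111.222.33.0 255.255.255.0 205.0.3.0 255.255.255.0

! Split-tunnel list and address pool for the software clients (as posted).
access-list SplitTunnel permit ip 111.222.33.0 255.255.255.0 196.0.0.0 255.255.255.0
ip local pool VPNPool 196.0.0.1-196.0.0.25

sysopt connection permit-ipsec
crypto ipsec transform-set apples esp-des esp-md5-hmac
crypto ipsec transform-set tango esp-3des esp-md5-hmac

! Dynamic map used for the Cisco VPN Client peers (unknown addresses).
crypto dynamic-map dynmap 90 set transform-set tango

! Static site-to-site entry first: lowest sequence number, evaluated first.
crypto map oranges 1 ipsec-isakmp
crypto map oranges 1 match address L2L
crypto map oranges 1 set peer 82.57.60.124
crypto map oranges 1 set transform-set apples

! Dynamic entry last, in the SAME map: highest sequence number, evaluated last.
crypto map oranges 20 ipsec-isakmp dynamic dynmap
crypto map oranges client configuration address respond

! Exactly one crypto map set may be bound to an interface; remove "newmap" first.
no crypto map newmap interface outside
crypto map oranges interface outside

isakmp enable outside
isakmp identity address
isakmp nat-traversal 15

! Pre-shared key for the PIX 501 peer (site-to-site).
isakmp key ******** address 82.57.60.124 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

! Policy for the software clients (group key comes from the vpngroup password).
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup DeltaVPNGroup address-pool VPNPool
vpngroup DeltaVPNGroup dns-server 111.222.33.6
vpngroup DeltaVPNGroup default-domain domain.com
vpngroup DeltaVPNGroup split-tunnel SplitTunnel
vpngroup DeltaVPNGroup idle-time 28800
vpngroup DeltaVPNGroup max-time 28800
vpngroup DeltaVPNGroup password ********
```

After applying this, "show crypto map" should list a single map set ("oranges") bound to outside with entries 1 and 20, "show crypto isakmp sa" should show a Phase 1 SA for 82.57.60.124 once traffic to 205.0.3.0/24 is generated, and "show crypto ipsec sa" should show the matching Phase 2 SA using the "apples" transform set; a client connection then appears as a further SA negotiated through the dynamic entry. Note that the two ISAKMP policies and two transform sets coexist without conflict, because each peer negotiates whichever policy both sides share.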