
Remote Access VPN and Site to Site VPN

Status
Not open for further replies.

efector (IS-IT--Management, US), Dec 10, 2003
Hello. I currently have a PIX 506E doing a site-to-site VPN with a Check Point FW-1 v4.1/SP5 using a shared secret. I want to be able to also have remote VPN access into the network that the PIX is protecting. Can anyone help with this? Any documentation ideas? I want to have a RADIUS server (which is currently installed on a DC) validate my users. I assume the Cisco client will have to use the same shared secret as the site-to-site VPN?

Thanks in advance.
 
I'm having the same problem, just in reverse. I have the client VPN set up with RADIUS and it works great. I'm now trying to set up site-to-site between a PIX 506E and a Fortinet FG-60. As soon as I type in the command
crypto map transam interface outside
I lose my client VPN. Any ideas? I'm referencing this Cisco page.
 
jce001,

Have you solved your problem? I want to do the same between my PIX 515E and a partner's Nortel Contivity 100.

Right now I have client VPN working with no problem and I am trying to determine if I can also configure in the site-to-site VPN.

Any pointers to share?

TIA.
 
Yes. You can have as many site-to-sites as you need, and client VPNs as well. Well, you can have as many as your PIX supports. You need to keep the crypto maps the same but increment the numbers to specify WHICH map it is and where it goes. The same is true of the ISAKMP policies.

The following config is a site-to-site with another PIX, a site-to-site with a Nortel, and a client VPN as well.



crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

Scott
CCNA, CCSE, CCSP, ISS-CE
 
As shown in ststokes' example, it's important that the dynamic map has a higher number than the static map.
If PDM is used it's automagically numbered correctly, but if you do it manually it's important to keep this in mind.

/Mathias
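Pulling Scott's layout and Mathias's ordering rule together, the following is an added example (written for this page, not posted by anyone in the thread) of a PIX 6.x configuration that carries one site-to-site tunnel and Cisco VPN Client remote access with RADIUS XAUTH on the same outside interface, which is what efector asked for. Every address and name in it is hypothetical: 10.1.1.0/24 inside, 10.2.2.0/24 and gateway 203.0.113.10 for the partner, 10.1.1.5 for the RADIUS server on the DC, 192.168.200.0/24 for the client pool, and the keys are placeholders to be replaced. Lines beginning with a colon are comments, which the PIX ignores when the file is loaded.

```cisco
: Hypothetical addressing: inside 10.1.1.0/24, partner LAN 10.2.2.0/24,
: partner gateway 203.0.113.10, RADIUS on the DC at 10.1.1.5,
: client pool 192.168.200.0/24 (all made up for this example).

: RADIUS server that XAUTH uses to validate remote users.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 RadiusSharedSecret timeout 5

: Address pool pushed to VPN clients by IKE config mode.
ip local pool vpnpool 192.168.200.1-192.168.200.50

: Interesting traffic for the site-to-site tunnel, plus NAT exemption
: for both the tunnel and the client pool.
access-list outside_cryptomap_10 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

: One transform set for both tunnel types (3DES/SHA-1 instead of the DES/MD5 above).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

: Dynamic map for clients whose source address is not known in advance.
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

: Static entry (low sequence number) for the partner gateway ...
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
: ... and the dynamic entry at the highest possible number so it is tried last.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

: XAUTH and config mode apply to the whole map, so the site-to-site peer
: is exempted from both on its isakmp key line below.
crypto map outside_map client authentication RADIUS
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

: Pre-shared key for the partner gateway only; VPN clients never use it.
isakmp enable outside
isakmp key PartnerPSK address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Cisco VPN Client group with its own group key, independent of PartnerPSK.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.1.1.5
vpngroup remoteusers default-domain example.local
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GroupPSK

: Let decapsulated IPsec traffic bypass the interface access lists.
sysopt connection permit-ipsec
```

Two points this layout makes concrete. First, the client group key (`vpngroup ... password`) and the partner key (`isakmp key ... address`) are separate secrets, so the remote users do not share the site-to-site shared secret; the `no-xauth no-config-mode` flags on the partner's key line are what stop the PIX from demanding XAUTH from the Check Point, Nortel or Fortinet peer once `client authentication` is enabled on the shared map. Second, an interface holds exactly one crypto map set, which is why jce001's `crypto map transam interface outside` dropped the client VPN: binding a second map name replaces the map that carried the dynamic entry, so the new site-to-site entry has to be added to the existing map under its own lower sequence number instead.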
 