site-to-site and dynamic vpn

Status
Not open for further replies.

lost4life

IS-IT--Management
Jul 2, 2003
I am trying to configure a dynamic VPN with a PIX 506 and Cisco VPN Client 3.6. I am unable to get the dynamic VPN to work without breaking the site-to-site (PIX to PIX). I need to maintain the tunnel between two offices, and then allow VPN clients access to servers on the inside. Below is the configuration.

!Do not nat site-to-site vpn traffic
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.6.0 255.255.255.0
!Do not nat dynamic vpn traffic
access-list dynamicvpn permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list acl_outside permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_outside permit tcp any host xxx.xxx.xxx.xxx eq https
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dynpool 192.168.200.1-192.168.200.30
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list 120
nat (inside) 0 192.168.100.13 255.255.255.255 0 0
nat (inside) 0 192.168.100.20 255.255.255.255 0 0
!when this command is placed, it breaks our site-to-site vpn tunnel
nat (inside) 0 access-list dynamicvpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_outside in interface outside
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set dynset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 7600
crypto dynamic-map dynmap 20 set transform-set dynset
crypto map tampamap 10 ipsec-isakmp
crypto map tampamap 10 match address 120
crypto map tampamap 10 set peer xxx.xxx.xxx.xxx
crypto map tampamap 10 set transform-set vpnset
crypto map tampamap 100 ipsec-isakmp dynamic dynmap
crypto map tampamap interface outside
isakmp enable outside
!key for dynamic
isakmp key ****** address 0.0.0.0 netmask 0.0.0.0
!key for site-to-site
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 75000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 1200
vpngroup homevpn address-pool dynpool
vpngroup homevpn dns-server xxx.xxx.xxx.xxx
vpngroup homevpn wins-server 192.168.100.8
vpngroup homevpn split-tunnel dynamicvpn
vpngroup homevpn idle-time 1200

Anyone see what's wrong or have any links to sample configurations with both types of VPNs configured?
 
It could be due to the fact that the Remote VPN configuration uses Extended Authentication (XAUTH) and it also pushes configuration to the client, which LAN-to-LAN configurations don't need. Try to modify your LAN-to-LAN preshared key statement; the new command would be:

isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode

Another thing... Have you got the fixup protocol esp-ike configured? If you have, this command disables the LAN-to-LAN session.
Be careful when you modify a VPN configuration: remove the crypto map from the interface first, then modify your configuration, and finally reapply the crypto map to the interface. Failure to do so will lock you out of your PIX if you are configuring it through SSH or telnet.
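As an added example (not from either poster), here is how the two NAT exemptions from the original config can be combined so the static and dynamic crypto map entries coexist, together with the key change the reply suggests. It assumes PIX 6.x behaviour, where the inside interface accepts only one "nat 0 access-list" statement and a second one replaces the first, which matches the symptom described in the first post; addresses, names and the redacted "xxx.xxx.xxx.xxx" peer are taken from the posted configuration.

```cisco
! Added example, not the thread's own config. Assumption: PIX 6.x keeps only
! the most recent "nat (inside) 0 access-list" entry, so a second statement
! silently replaces the first and drops the site-to-site exemption.

! Match list for the static (office-to-office) crypto map entry, unchanged
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.6.0 255.255.255.0

! One combined NAT-exemption list covering both the remote office and the
! client address pool (constructed name "nonat")
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

! Split-tunnel list for the clients stays separate: inside LAN to client pool
access-list dynamicvpn permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

! Exactly one nat 0 access-list on the inside interface; PAT for everything else
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Static entry first (lower sequence), dynamic entry last (higher sequence)
crypto map tampamap 10 ipsec-isakmp
crypto map tampamap 10 match address 120
crypto map tampamap 10 set peer xxx.xxx.xxx.xxx
crypto map tampamap 10 set transform-set vpnset
crypto map tampamap 100 ipsec-isakmp dynamic dynmap

! Per the reply above: no XAUTH and no mode-config for the LAN-to-LAN peer,
! wildcard key only for the remote-access clients
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ****** address 0.0.0.0 netmask 0.0.0.0

vpngroup homevpn split-tunnel dynamicvpn
```

After applying it, "show nat" should list a single nat 0 access-list on the inside interface, and "show crypto ipsec sa" should show both the office peer and the client pool addresses as active security associations.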
 