
Site-to-Site and Remote VPN on Cisco PIX 515E v6.3


jcook2k3 (IS-IT--Management), Nov 19, 2008
Hello to all!!

I am in dire need of help. I have racked my brain and still can't figure out what the problem is. I have a Cisco PIX 515E v6.3 running and I'm trying to configure a site-to-site VPN and a remote VPN, and all I can manage is one or the other. I have had other people look at my configs and they say there is no problem, and others have given me some advice, but nothing is working. My two questions are as follows:

1.) Is it even possible on v6.3 to run both the site-to-site and the remote VPN together?

2.) Can someone take a look at these configs and point me in the right direction?

Thanks in advance...

These are the configs I'm having problems with. It seems that whichever crypto map I bind with "crypto map **** interface outside" is the one that works, but if I set it to our remote VPN map, then it no longer asks for authentication; it just connects right through. We are using the Cisco VPN Client on the machines to connect.

sysopt connection permit-ipsec
crypto ipsec transform-set trmset4 esp-3des esp-md5-hmac
crypto ipsec transform-set trmset2 esp-des esp-md5-hmac
crypto ipsec transform-set trmset1 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set trmset3 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map map2 10 set transform-set trmset1 trmset4 trmset2
crypto dynamic-map map2 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map2 client authentication RADIUS
crypto map companyb 30 ipsec-isakmp
crypto map companyb 30 match address 103
crypto map companyb 30 set peer xxx.xxx.xxx.xxx
crypto map companyb 30 set transform-set trmset3
crypto map companyb interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.196 netmask 255.255.255.248
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption 3des
isakmp policy 12 hash sha
isakmp policy 12 group 2
isakmp policy 12 lifetime 86400
vpngroup vpn-remote address-pool vpnpool1
vpngroup vpn-remote dns-server 192.168.x.xxx 192.168.x.xxx
vpngroup vpn-remote default-domain <domain>.com
vpngroup vpn-remote split-tunnel 102
vpngroup vpn-remote idle-time 1800
vpngroup vpn-remote password ********

Thanks again
 
1 - Yes!!
2 - Only one map at a time, so you have to include both parts in it (the number after the map name is like a sequence number):

crypto map companyb 65356 ipsec-isakmp dynamic map2


Take a look at this -


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, I see what you are saying. Thank you for that.

Can you answer one more for me?

The "crypto map companyb interface outside" line: I can change that to map1 (the remote VPN), and then companyb (the site-to-site) will not be able to connect. As it is written now, the remote VPN can't connect.

How do I solve that?

Thanks, again
 
By adding the line above. It puts the dynamic remote-access VPN into the crypto map. You can only have one map, so the sequence number allows for multiple sites and an RA VPN in the same map.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks Brent for all your help; I think I have a handle on it now. I added that line, but the remote VPN (map1), using the Cisco VPN Client, now connects but does not require authentication. Does it matter which crypto map I bind the outside interface to? For example, does it matter if I use

crypto map map1 interface outside

or

crypto map companyb interface outside


I really appreciate all the help you have given me getting my head wrapped around this.
 
Yes, those 3 maps are all different.

Try -
crypto map companyb client authentication RADIUS



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I just saw a typo: this "crypto map map2 client authentication RADIUS"

should be

crypto map map1 client authentication RADIUS

But adding companyb (which is my site-to-site) with client authentication RADIUS, would that not make them need to authenticate? I guess what I'm trying to ask is why map1 (Cisco VPN Client) does not authenticate anymore, when that is the one assigned to RADIUS authentication:

crypto map map1 client authentication RADIUS

Thanks
 
I have not had that problem, and I have most of my sites with both parts, L2L and RA VPNs. The L2L is not considered a client (unless it's EasyVPN mode).

If it BOKs, try using this:

isakmp key keystring address ip_address netmask mask no-xauth no-config-mode



Brent
Systems Engineer / Consultant
CCNP, CCSP
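The thread's two fixes, the single combined crypto map (Brent's "crypto map companyb 65356 ipsec-isakmp dynamic map2" and the per-map client authentication) and the no-xauth/no-config-mode key for the site-to-site peer, are shown together below as one PIX 6.3 configuration. This is an added example written for this page, not the original poster's config or anything from Tek-Tips; the peer address 203.0.113.10, the RADIUS server 192.0.2.5, the pool and subnet ranges, and the access-list numbers 101/102/103 are assumed placeholders. Lines beginning with ":" are reader annotations (PIX treats a leading colon as a comment, as in the ": Saved" line of a written config).

```cisco
: Added example, not from the original post. Placeholder addresses and ACL numbers.
: --- AAA server the crypto map's XAUTH refers to (assumed host/key) ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.5 ******** timeout 5
: --- Addresses (assumed) ---
ip local pool vpnpool1 10.10.10.1-10.10.10.50
: Interesting traffic for the site-to-site tunnel (inside net to Company B net).
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
: Split-tunnel list pushed to VPN Client users.
access-list 102 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
: NAT exemption must cover BOTH the L2L subnet and the RA pool, or one side
: gets translated and never matches the tunnel.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
: --- Phase 2 proposals ---
crypto ipsec transform-set trmset1 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set trmset3 esp-3des esp-sha-hmac
crypto ipsec transform-set trmset4 esp-3des esp-md5-hmac
: Dynamic map for VPN Client users: no peer and no match address, because the
: client's address is unknown and it proposes its own traffic selectors.
crypto dynamic-map map2 10 set transform-set trmset1 trmset4
crypto dynamic-map map2 10 set security-association lifetime seconds 28800 kilobytes 4608000
: --- ONE crypto map, "companyb", holds every entry ---
: Static site-to-site entry first (low sequence number).
crypto map companyb 30 ipsec-isakmp
crypto map companyb 30 match address 103
crypto map companyb 30 set peer 203.0.113.10
crypto map companyb 30 set transform-set trmset3
: Dynamic entry LAST, at the highest sequence number. A dynamic entry accepts any
: peer, so if it sorted before the static entry the L2L peer would land in it.
crypto map companyb 65535 ipsec-isakmp dynamic map2
: XAUTH and mode-config are properties of the map bound to the interface.
: Putting "client authentication" on map1 or map2 does nothing once companyb is
: the map on the outside interface, which is why the VPN Client stopped prompting.
crypto map companyb client authentication RADIUS
crypto map companyb client configuration address respond
: Only one map can be bound to an interface; remove the old binding first
: ("no crypto map map1 interface outside") if it is still present.
crypto map companyb interface outside
: --- Phase 1 ---
isakmp enable outside
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
: Site-to-site peer: pre-shared key with XAUTH and mode-config turned off, so the
: map-level "client authentication" does not challenge the other firewall.
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption 3des
isakmp policy 12 hash sha
isakmp policy 12 group 2
isakmp policy 12 lifetime 86400
: --- Remote-access group (the VPN Client "group name"/"group password") ---
: The group password is the shared key for phase 1; each user is then prompted
: for a username/password and checked against RADIUS via XAUTH.
vpngroup vpn-remote address-pool vpnpool1
vpngroup vpn-remote dns-server 192.168.1.10
vpngroup vpn-remote default-domain example.com
vpngroup vpn-remote split-tunnel 102
vpngroup vpn-remote idle-time 1800
vpngroup vpn-remote password ********
```

After applying it, "show crypto map" should list companyb with sequence 30 (static, peer 203.0.113.10) and 65535 (dynamic map2), and "show crypto isakmp sa" should show the L2L peer coming up without an XAUTH exchange while a VPN Client connection is still prompted for credentials; "debug crypto isakmp" will show the RADIUS-backed XAUTH round trip for the client and its absence for the peer keyed with no-xauth.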
 
Thanks Brent, I'll work on that. As long as it is working, they are not complaining. I really do appreciate all your help.

J
 