Strange PIX VPN problem

Status
Not open for further replies.

FLWPG

MIS
Mar 23, 2004
10
CA
Hello,

I am still learning the Cisco PIX and am having a problem that doesn't make sense based on what I can figure out.

I have xxx'd out my IP due to paranoia; I hope that doesn't cause problems for anyone helping.

You can see in the access-list there is an item called "VPN" allowing anything from my internal LAN access to a 150.100 IP. This is a remnant from an old VPN connection we had with an ex-client. Later on in the config you can see the crypto map setting with the match address set to the "VPN" access-list and a peer at a 141. IP address. When I remove the access-list item "VPN", I can no longer access the internet from any host inside the firewall. I don't understand why. I did notice that once I remove the access-list item, it also removes the match address in the crypto map settings. The only way I can get back on the net is to recreate the access-list item and set the match address for the crypto map again.

Can anyone tell me why this is happening and point me in the right direction to fix it?


PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 193.100.100.0 LAN
name 193.100.100.9 CONSOLE
access-list outside_in permit tcp any host 139.xxx.xxx.xxx eq 5631
access-list outside_in permit udp any host 139.xxx.xxx.xxx eq 5632
access-list outside_in permit tcp any host 139.xxx.xxx.xxx eq ftp
access-list outside_in permit tcp any host 139.xxx.xxx.xxx eq www
access-list outside_in permit tcp any host 139.xxx.xxx.xxx eq 1024
access-list outside_in permit tcp any host 139.xxx.xxx.xxx eq 2222
access-list outside_in permit udp any host 139.xxx.xxx.xxx eq 2222
access-list outside_in permit udp any host 139.xxx.xxx.xxx eq 1024
access-list outside_in permit icmp any any
access-list VPN permit ip LAN 255.255.255.0 150.100.0.0 255.255.0.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
icmp deny any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
ip address outside 139.xxx.xxx.xxx 255.255.255.240
ip address inside 193.100.100.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 193.100.100.100 255.255.255.255 inside
pdm location 255.255.255.0 255.255.255.0 inside
pdm location 141.154.96.130 255.255.255.255 outside
pdm location 193.100.100.96 255.255.255.255 inside
pdm location 193.100.100.149 255.255.255.255 inside
pdm location CONSOLE 255.255.255.255 inside
pdm location 193.100.100.111 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 LAN 255.255.255.0 0 0
static (inside,outside) tcp interface 5631 193.100.100.149 5631 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 193.100.100.96 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface 1024 193.100.100.96 1024 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 193.100.100.96 2222 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1024 193.100.100.96 1024 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 2222 193.100.100.96 2222 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5632 193.100.100.149 5632 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 139.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http CONSOLE 255.255.255.255 inside
http 193.100.100.111 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map Boston 10 ipsec-isakmp
crypto map Boston 10 match address VPN
crypto map Boston 10 set peer 141.154.96.130
crypto map Boston 10 set transform-set strong
crypto map Boston interface outside
isakmp enable outside
isakmp key ******** address 141.154.96.130 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
telnet CONSOLE 255.255.255.255 inside
telnet 193.100.100.111 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd ping_timeout 750
dhcpd domain fineline.ca
dhcpd auto_config outside
terminal width 80
Cryptochecksum:af7364bfe958ae00042ad5b395168232
: end
[OK]
 
If you have an incomplete crypto map configuration then the PIX will encrypt ALL traffic, so you lose connectivity with everything. If you want to disable the VPN connection then you should get rid of all your crypto and isakmp commands and then proceed to remove the access list VPN.
 
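To make the reply's point concrete, here is an added Python script that is not from this thread, from Cisco, or from either poster. It parses a cut-down copy of the config above with placeholder (RFC 5737) addresses, models the behaviour FLWPG reported (removing the access-list also drops the "crypto map ... match address" line that referenced it), and flags a crypto map entry that is still bound to an interface but no longer complete. The parser only understands the handful of command shapes used here and the removal routine is an assumption that mirrors the reported behaviour, not a PIX emulator. It also shows the order the reply recommends: strip the crypto and isakmp commands first, then the access-list, and the checker stays clean.

```python
"""Lint a PIX 6.x-style config for crypto map entries that are bound to an
interface but incomplete (missing match address, peer, or transform-set).

Everything here is constructed for illustration: the config sample is an
abbreviated copy of the thread's config with placeholder addresses, and the
parser covers only the command shapes that appear in it.
"""
import re
from collections import defaultdict

# Constructed sample config (placeholder addresses, not real hosts).
PIX_CONFIG = """\
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list VPN permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.0.0
access-group outside_in in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map Boston 10 ipsec-isakmp
crypto map Boston 10 match address VPN
crypto map Boston 10 set peer 203.0.113.200
crypto map Boston 10 set transform-set strong
crypto map Boston interface outside
isakmp enable outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")      # per-sequence settings
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")  # map applied to an interface
ACL_RE = re.compile(r"^access-list (\S+) ")                  # any ACE of a named ACL

# Settings a usable ipsec-isakmp entry needs, with the command that sets each.
REQUIRED = {"match": "match address", "peer": "set peer", "transform": "set transform-set"}


def parse(config_text):
    """Return (acls, maps, bindings): ACL name -> ACE lines,
    (map name, seq) -> settings, map name -> interface."""
    acls = defaultdict(list)
    maps = defaultdict(dict)
    bindings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = maps[(m.group(1), int(m.group(2)))]
            rest = m.group(3)
            if rest.startswith("match address "):
                entry["match"] = rest.split()[-1]
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split()[-1]
            elif rest.startswith("set transform-set "):
                entry["transform"] = rest.split()[-1]
            else:
                entry["type"] = rest  # e.g. "ipsec-isakmp"
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(line)
    return acls, maps, bindings


def find_problems(config_text):
    """List human-readable findings for crypto map entries that are bound to an
    interface yet lack a required setting, or reference an ACL that no longer exists."""
    findings = []
    acls, maps, bindings = parse(config_text)
    for (name, seq), entry in sorted(maps.items()):
        if name not in bindings:
            continue  # an unbound map cannot affect traffic; nothing to report
        where = f"crypto map {name} {seq} on interface {bindings[name]}"
        for field, command in REQUIRED.items():
            if field not in entry:
                findings.append(f"{where} is missing '{command}'")
        acl = entry.get("match")
        if acl and acl not in acls:
            findings.append(f"{where} references missing access-list {acl}")
    return findings


def remove_access_list(config_text, acl_name):
    """Model the behaviour reported in the thread: deleting an ACL also removes
    every 'crypto map ... match address ACL' line that referenced it (assumption)."""
    kept = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if ACL_RE.match(stripped) and stripped.split()[1] == acl_name:
            continue
        if stripped.startswith("crypto map") and stripped.endswith(f"match address {acl_name}"):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def remove_vpn(config_text, acl_name):
    """The order the reply recommends: drop all crypto and isakmp commands first,
    then the ACL, so no bound-but-incomplete crypto map is ever left behind."""
    without_crypto = "\n".join(
        line for line in config_text.splitlines()
        if not line.strip().startswith(("crypto ", "isakmp "))
    ) + "\n"
    return remove_access_list(without_crypto, acl_name)


if __name__ == "__main__":
    print("original:", find_problems(PIX_CONFIG))
    print("ACL removed first:", find_problems(remove_access_list(PIX_CONFIG, "VPN")))
    print("crypto removed, then ACL:", find_problems(remove_vpn(PIX_CONFIG, "VPN")))
```

Run as-is, the first check is clean, the second flags the crypto map entry that is still applied to the outside interface but has lost its match address (the state the thread describes), and the third is clean again because no crypto map remains to be bound.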
I can't try it now since I am still learning; if I cause any issues during work hours my IT manager will have my head. But that sounds like it should work, so thank you, and I will try it later tonight or in the morning.
 