
VPN CONFIG PIX515

Status
Not open for further replies.

kees7

Technical User
Aug 11, 2002
14
NL
I have the following VPN IPsec 3DES config in our PIX 515. The VPN connections PIX-2-PIX and Client-2-PIX seem to work OK, but since I put this config in our PIX we have problems with our internet/e-mail access. Can anyone please tell me what is wrong in my VPN config?

access-list 101 permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list 101 permit ip 92.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
access-list nonat permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit ip 92.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
ip local pool bigpool 92.0.3.1-92.0.3.150
nat (inside) 0 access-list nonat
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthIn protocol tacacs+
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer YYY.YYY.YYY.149
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication AuthIn
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address YYY.YYY.YYY.149 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 idle-time 1800
 
The only thing that stands out at first glance is the fact that you are using addresses from the same subnet as the internal network for the ip local pool. Personally, I haven't tried that before. I always use (and Cisco recommends using) a separate subnet range for the pool of addresses for VPN clients. Also, you've got me at a loss as to what the 80.0.0.0 network is for. I don't see that in your previous post either.
 
HI.

**
Instead of this command:
>> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
You can use the command:
vpngroup vpn3000 password ...

**
As Puta for Cisco wrote, more info about IP addressing is needed to understand your scenario, and do not use overlapping subnets for the VPN "ip local pool" and internal hosts.

Bye
Yizhar Hurwitz
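As an added example (not posted in this thread), a small Python check for the overlap both replies point out: it reads the `ip local pool` and `access-list nonat` lines of the config above (embedded here as constructed input), treats the source side of the nonat ACL as the inside networks, and reports any client pool that falls inside one of them.

```python
import ipaddress
import re

# Constructed sample: the relevant lines copied from the config posted above.
PIX_CONFIG = """\
access-list nonat permit ip 92.0.0.0 255.0.0.0 192.168.49.0 255.255.255.0
access-list nonat permit ip 92.0.0.0 255.255.255.0 80.0.0.0 255.0.0.0
ip local pool bigpool 92.0.3.1-92.0.3.150
nat (inside) 0 access-list nonat
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
# PIX access-lists use real netmasks (not IOS wildcard masks).
NONAT_RE = re.compile(r"^access-list nonat permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_pools(config):
    """Return {pool name: list of networks covering the pool's address range}."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last = m.groups()
            pools[name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return pools


def parse_inside_networks(config):
    """Assumption: the source side of the nonat ACL is the set of inside networks."""
    nets = set()
    for line in config.splitlines():
        m = NONAT_RE.match(line.strip())
        if m:
            src, mask, _dst, _dmask = m.groups()
            nets.add(ipaddress.ip_network(f"{src}/{mask}", strict=False))
    return nets


def find_pool_overlaps(config):
    """Return sorted (pool, inside network) pairs where a VPN pool overlaps inside space."""
    inside = parse_inside_networks(config)
    hits = []
    for name, ranges in parse_pools(config).items():
        for net in inside:
            if any(r.overlaps(net) for r in ranges):
                hits.append((name, str(net)))
    return sorted(hits)


if __name__ == "__main__":
    for pool, net in find_pool_overlaps(PIX_CONFIG):
        print(f"pool {pool} overlaps inside network {net}: use a separate subnet")
```

For the posted config the check flags bigpool against 92.0.0.0/8 only; the 92.0.0.0/24 entry does not contain 92.0.3.x, which shows the pool clashes with the LAN as a whole rather than with the PIX's own subnet.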
 
Hello Puto for Cisco and Yizhar,

First of all thanks for your help.

We are using the 92.0.0.0 subnet on our LAN. We have a PIX 515 (IP 92.0.0.90) between our LAN and the internet. We have a Cisco 2620 router at 92.0.0.254. The Cisco 2620 connects our other locations, which use 93.0.0.0, 95.0.0.0, 99.0.0.0, 128.1.0.0, 128.2.0.0, 192.168.49.0, etc. We are using Frame Relay and ISDN connections. We want a VPN IPsec 3DES connection between our LAN and the 192.168.49.0 network, where we are using a PIX 501. Further, we want our outside employees to connect to our office using VPN. We are using Cisco VPN Secure Client 1.1 for this. Both the VPN clients and the 192.168.49.0 network must have access to the 92.0.0.0 and the 93.0.0.0 networks. Our VPN clients don't have a fixed IP address. I've added the 80.0.0.0 network to give the VPN clients access to our network. How can I avoid using the VPN clients' IP addresses and still give them access to our LAN?

With kind regards,

Kees
 