  PIX 515e: Remote Access and Site to Site VPN at the same time
Posted 25-Mar-2007, 10:38 PM by ps3cheats (#1)

I am fighting with my PIX 515e ver 7.0(1) asdm 5.0, attempting to get remote access and site to site VPN running at the same time. Site to site works great, but I just can't get the remote access working. I have read many posts here about this and all over the internet and gone through books. I just can't get it to work and am about to start losing my hair. I am sure that it is something really dumb, but I just can't get it. I would say I am at a novice level with the PIX, which is why I do all the programming with the ASDM. Below is the current config. I have xxx'd out the external IPs and changed the internal IPs so that I can follow what is going on here, and made other changes for security reasons. Thanks all!

Result of the command: "show run"

: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif 2055_WAN
security-level 0
ip address xxx.xxx.xxx.69 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 11.1.13.2 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
enable password xxx encrypted
passwd xxx encrypted
hostname pix2055
domain-name corporation.com
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_nat0_outbound extended permit ip 11.1.13.0 255.255.255.0 11.1.13.200 255.255.255.248
access-list inside_nat0_outbound extended permit ip 11.1.13.0 255.255.255.0 11.1.13.208 255.255.255.248
access-list inside_nat0_outbound extended permit ip 11.1.13.0 255.255.255.0 11.1.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 11.1.13.0 255.255.255.0 11.1.13.192 255.255.255.224
access-list 2055_WAN_cryptomap_20 extended permit ip 11.1.13.0 255.255.255.0 11.1.12.0 255.255.255.0
access-list 2055_WAN_cryptomap_20_1 extended permit ip 11.1.13.0 255.255.255.0 11.1.12.0 255.255.255.0
access-list icsra_splitTunnelAcl standard permit 11.1.13.0 255.255.255.0
access-list 2055_WAN_cryptomap_dyn_20 extended permit ip any 11.1.13.192 255.255.255.224
pager lines 24
logging asdm informational
mtu 2055_WAN 1500
mtu inside 1500
ip local pool ravpn 11.1.13.200-11.1.13.210 mask 255.255.255.0
no failover
monitor-interface 2055_WAN
monitor-interface inside
asdm image flash:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (2055_WAN) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route 2055_WAN 0.0.0.0 0.0.0.0 xxx.xxx.xxx.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD protocol nt
aaa-server AD host 11.1.13.3
nt-auth-domain-controller server
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy icsra internal
group-policy icsra attributes
dns-server value 11.1.13.3
split-tunnel-policy tunnelspecified
split-tunnel-network-list value icsra_splitTunnelAcl
default-domain value corporation.com
http server enable
http 11.1.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map 2055_WAN_dyn_map 20 match address 2055_WAN_cryptomap_dyn_20
crypto dynamic-map 2055_WAN_dyn_map 20 set transform-set ESP-DES-SHA
crypto map 2055_WAN_map 20 match address 2055_WAN_cryptomap_20
crypto map 2055_WAN_map 20 set peer xxx.xxx.xxx.22
crypto map 2055_WAN_map 20 set transform-set ESP-DES-SHA
crypto map 2055_WAN_map_1 20 match address 2055_WAN_cryptomap_20_1
crypto map 2055_WAN_map_1 20 set peer xxx.xxx.xxx.22
crypto map 2055_WAN_map_1 20 set transform-set ESP-DES-SHA
crypto map 2055_WAN_map_1 65535 ipsec-isakmp dynamic 2055_WAN_dyn_map
crypto map 2055_WAN_map_1 interface 2055_WAN
isakmp identity auto
isakmp enable 2055_WAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp am-disable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 11.1.13.3-11.1.13.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
tunnel-group xxx.xxx.xxx.22 type ipsec-l2l
tunnel-group xxx.xxx.xxx.22 ipsec-attributes
pre-shared-key *
tunnel-group icsra type ipsec-ra
tunnel-group icsra general-attributes
address-pool ravpn
authentication-server-group AD
default-group-policy icsra
tunnel-group icsra ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server xxx.xxx.xxx.11
Cryptochecksum:xxx
: end
Posted 25-Mar-2007, 10:38 PM by ps3cheats (#2), Re: PIX 515e: Remote Access and Site to Site VPN at the same time

Did you use the ASDM Wizard to configure it? If not, try creating a new client policy using the wizard.
Do you even get a login prompt? Have you tried enabling logging on the client?
What symptoms do you see at the client end?

For some reason, I have found that the VPN client does not particularly like DES encryption, but works well with 3DES or AES.
If you don't have a 3DES license key, you can get a free upgrade key from Cisco.

This is from my working 7.0(2) PIX515e, using AES for both VPN clients and L-2-L.
I use VPN client 4.8.02.0010.

ip local pool VPNCLIENTS 192.168.123.2-192.168.123.128 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip 255.255.252.0 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 255.255.252.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.123.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 255.255.252.0 255.255.255.0
access-list VPNUSERS_splitTunnelAcl standard permit 255.255.252.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
group-policy VPNUSERS internal
group-policy VPNUSERS attributes
banner value This is a secure network for the exclusive use of authorized personnel only.
wins-server value 192.168.124.11
dns-server value 192.168.124.11
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNUSERS_splitTunnelAcl
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer xx.xx.xx.xx
crypto map outside_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal 20
!
tunnel-group VPNUSERS type ipsec-ra
tunnel-group VPNUSERS general-attributes
address-pool VPNCLIENTS
authentication-server-group RADIUS LOCAL
default-group-policy VPNUSERS
tunnel-group VPNUSERS ipsec-attributes
pre-shared-key *
!
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
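Added example, not code from either post in this thread: a small Python lint that reads the crypto section of a PIX/ASA 7.x "show run" and reports the things the reply tells the original poster to look at when the site-to-site tunnel works but remote-access clients do not. It flags crypto maps that carry entries but are bound to no interface (the first post has two maps and only one is applied), map or dynamic-map entries whose match-address ACL is never defined, ISAKMP policies that still use DES, and the absence of the `isakmp nat-traversal` line that the working config in the reply has. The sample config is constructed to resemble the first post's layout; its object names, interface name and addresses are made up. The checker only parses the lines it needs and is a sanity check, not a diagnosis of the poster's actual fault.

```python
"""Static sanity checks for the crypto section of a PIX/ASA 7.x 'show run'.

Added example, not code from the thread. Assumes the 7.x syntax shown in
the posts; it is a lint of the visible config, not a diagnosis.
"""
import re
from collections import defaultdict

# Constructed sample shaped like the first post's config; names and
# addresses are made up (the peer uses the RFC 5737 documentation range).
SAMPLE_CONFIG = """\
access-list wan_cryptomap_20 extended permit ip 10.1.13.0 255.255.255.0 10.1.12.0 255.255.255.0
access-list wan_cryptomap_dyn_20 extended permit ip any 10.1.13.192 255.255.255.224
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map wan_dyn_map 20 match address wan_cryptomap_dyn_20
crypto dynamic-map wan_dyn_map 20 set transform-set ESP-DES-SHA
crypto map wan_map 20 match address wan_cryptomap_20
crypto map wan_map 20 set peer 192.0.2.22
crypto map wan_map_1 20 match address wan_cryptomap_20_1
crypto map wan_map_1 20 set peer 192.0.2.22
crypto map wan_map_1 65535 ipsec-isakmp dynamic wan_dyn_map
crypto map wan_map_1 interface wan
isakmp enable wan
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
"""


def parse(config):
    """Collect the crypto objects the checks need from the running config."""
    state = {
        "acls": set(),               # access-list names that are defined
        "maps": defaultdict(dict),   # crypto map name -> {seq: {match|dynamic}}
        "dyn": defaultdict(dict),    # dynamic-map name -> {seq: acl}
        "bound": {},                 # crypto map name -> interface it is applied to
        "isakmp_enc": {},            # isakmp policy number -> cipher
        "nat_t": False,              # 'isakmp nat-traversal' seen
    }
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            state["acls"].add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) match address (\S+)", line):
            state["dyn"][m.group(1)][int(m.group(2))] = m.group(3)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            state["bound"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            state["maps"][m.group(1)].setdefault(int(m.group(2)), {})["match"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            state["maps"][m.group(1)].setdefault(int(m.group(2)), {})["dynamic"] = m.group(3)
        elif m := re.match(r"isakmp policy (\d+) encryption (\S+)", line):
            state["isakmp_enc"][int(m.group(1))] = m.group(2)
        elif line.startswith("isakmp nat-traversal"):
            state["nat_t"] = True
    return state


def check(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    s = parse(config)
    findings = []
    # 1. A crypto map with entries but no interface binding does nothing
    #    (a typical leftover from re-running the ASDM wizard).
    for name in s["maps"]:
        if name not in s["bound"]:
            findings.append(f"crypto map {name} has entries but is not bound to any interface")
    # 2. Every match-address ACL must actually be defined.
    for name, entries in s["maps"].items():
        for seq, e in entries.items():
            if "match" in e and e["match"] not in s["acls"]:
                findings.append(f"crypto map {name} {seq} references undefined access-list {e['match']}")
    for name, entries in s["dyn"].items():
        for seq, acl in entries.items():
            if acl not in s["acls"]:
                findings.append(f"crypto dynamic-map {name} {seq} references undefined access-list {acl}")
    # 3. Remote-access clients can only land on a dynamic entry of the map
    #    that is bound to the outside interface, and that dynamic map must exist.
    for name, iface in s["bound"].items():
        entries = s["maps"].get(name, {})
        if not any("dynamic" in e for e in entries.values()):
            findings.append(f"crypto map {name} on {iface} has no dynamic entry; remote-access clients cannot match it")
        for seq, e in entries.items():
            if "dynamic" in e and e["dynamic"] not in s["dyn"]:
                findings.append(f"crypto map {name} {seq} references undefined dynamic-map {e['dynamic']}")
    # 4. DES is the cipher the reply reports the VPN client disliking, and it
    #    is far below any acceptable strength today.
    for pol, enc in sorted(s["isakmp_enc"].items()):
        if enc == "des":
            findings.append(f"isakmp policy {pol} uses DES; use aes (or at least 3des)")
    # 5. Without NAT-T, clients sitting behind a NAT/PAT device cannot get ESP through.
    if not s["nat_t"]:
        findings.append("isakmp nat-traversal is not enabled; clients behind NAT may fail to connect")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed sample it reports the unbound leftover map, the undefined ACL, the DES policy and the missing NAT-T line; against a config with those four points corrected it reports nothing. The parser deliberately ignores everything it does not recognise, so pasting a full "show run" with the pre-shared keys already masked is safe.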