Static PIX-2-PIX VPN + Dynamic Remote VPN + Local Auth
#1
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
Central site has a PIX 515 @ 6.3(5), with a working site-to-site VPN between a satellite location and it.

```
names
name 1.2.3.rtr router
name 1.2.3.pix pix_ext
name 192.168.1.0 all_lan
name 192.168.1.254 pix_lan
name 192.168.0.0 all_dmz
name 192.168.0.2 ns1_dmz
name 192.168.0.3 ns2_dmz
name 192.168.0.254 pix_dmz
name 192.168.3.0 all_wha
name 9.8.7.whs wha_ext
access-list whvpn permit ip all_lan 255.255.255.0 all_wha 255.255.255.0
access-list nonat permit ip all_lan 255.255.255.0 all_wha 255.255.255.0
ip address outside pix_ext 255.255.255.248
ip address inside pix_lan 255.255.255.0
ip address dmz pix_dmz 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 all_lan 255.255.255.0 0 0
nat (dmz) 1 all_dmz 255.255.255.0 0 0
static (dmz,outside) ns1_ext ns1_dmz netmask 255.255.255.255 0 0
static (dmz,outside) ns2_ext ns2_dmz netmask 255.255.255.255 0 0
static (inside,dmz) all_dmz all_lan netmask 255.255.255.0 0 0
access-group out in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 router 1
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set wha_lan esp-3des esp-sha-hmac
crypto map WhaLan 1 ipsec-isakmp
crypto map WhaLan 1 match address whvpn
crypto map WhaLan 1 set peer wha_ext
crypto map WhaLan 1 set transform-set wha_lan
crypto map WhaLan interface outside
isakmp enable outside
isakmp key * address wha_ext netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
```

Looking through many Cisco docs and Google pages I have come up with the following:

```
ip local pool mobilepool 192.168.1.10-192.168.1.20
username mobileuser password * encrypted privilege 1
crypto ipsec transform-set mobile esp-3des esp-sha-hmac
tunnel-group mobilegroup general-attributes
 address pool mobilepool
tunnel-group mobilegroup ipsec-attributes
 pre-shared-key KEY
crypto dynamic-map mobile1 1 set transform-set mobile
crypto dynamic-map mobile1 1 set reverse-route
crypto map mobilemap 65535 ipsec-isakmp dynamic mobile1
crypto map mobilemap client authentication LOCAL
crypto map mobilemap interface outside
```

Is this the correct method (I don't want to collapse the existing site-to-site tunnel)?
#2
Fixed Error!
Posts: 1,497
Join Date: Mar 2007
This is what you need:

```
ip local pool mobilepool 192.168.1.10-192.168.1.20
username mobileuser password * encrypted privilege 1
crypto ipsec transform-set mobile esp-3des esp-sha-hmac
crypto dynamic-map mobile1 1 set transform-set mobile
crypto dynamic-map mobile1 1 set reverse-route
! (not sure if this is a PIX command but you can try)
crypto map WhaLan 65535 ipsec-isakmp dynamic mobile1
crypto map WhaLan client authentication LOCAL
crypto map WhaLan interface outside
vpngroup rasgroup address-pool vpnpool1
vpngroup rasgroup split-tunnel ras_split
vpngroup rasgroup idle-time 1800
vpngroup rasgroup password ********
```

You need to disable NAT for the RAS VPN clients' traffic to the corporate network:

```
access-list nonat permit ip all_lan 255.255.255.0 192.168.1.0 255.255.255.0
```

This allows RAS clients to send only corporate-network-bound traffic through the VPN tunnel, and Internet-bound traffic through their ISP:

```
access-list ras_split permit ip all_lan 255.255.255.0 192.168.1.0 255.255.255.0
```
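As an added example (not code from the thread or from Cisco), here is a small Python checker that reads a PIX 6.x-style configuration and flags the points the two posts turn on: a second crypto map bound to the same interface (the first post's approach; a PIX interface carries one crypto map set, so a later `crypto map ... interface outside` displaces the map holding the site-to-site peer), a dynamic entry whose sequence number is not the highest in its map, `tunnel-group` syntax that PIX 6.3 does not have, an address pool a `vpngroup` refers to but never defines, and a client pool with no `nonat` exemption. The two sample configurations are constructed from the thread's commands with the pool name kept consistent; the rule names, messages and function name are the example's own assumptions.

```python
"""Lint a PIX 6.x-style VPN configuration for the mistakes that knock out an
existing site-to-site tunnel when a remote-access dynamic map is added.
Added example; rule names and the sample configs are this example's own."""
import re
from ipaddress import ip_address, ip_network

# Constructed from the thread's first post: a second crypto map bound to the
# same outside interface, ASA-style tunnel-group syntax, no nonat for the pool.
ASKED_CONFIG = """
name 192.168.1.0 all_lan
name 192.168.3.0 all_wha
access-list nonat permit ip all_lan 255.255.255.0 all_wha 255.255.255.0
ip local pool mobilepool 192.168.1.10-192.168.1.20
crypto map WhaLan 1 ipsec-isakmp
crypto map WhaLan 1 match address whvpn
crypto map WhaLan interface outside
tunnel-group mobilegroup general-attributes
crypto dynamic-map mobile1 1 set transform-set mobile
crypto map mobilemap 65535 ipsec-isakmp dynamic mobile1
crypto map mobilemap interface outside
"""

# Constructed from the reply: dynamic entry appended to the existing map with
# the highest sequence number, vpngroup syntax, and a nonat entry for the pool.
MERGED_CONFIG = """
name 192.168.1.0 all_lan
name 192.168.3.0 all_wha
access-list nonat permit ip all_lan 255.255.255.0 all_wha 255.255.255.0
access-list nonat permit ip all_lan 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool mobilepool 192.168.1.10-192.168.1.20
crypto dynamic-map mobile1 1 set transform-set mobile
crypto map WhaLan 1 ipsec-isakmp
crypto map WhaLan 65535 ipsec-isakmp dynamic mobile1
crypto map WhaLan interface outside
vpngroup rasgroup address-pool mobilepool
"""


def lint_pix_vpn(cfg):
    """Return a list of findings (empty when the crypto setup looks coherent)."""
    findings, names, pools, pool_refs, nonat = [], {}, {}, [], []
    bound, entries = {}, {}  # iface -> [map names]; map -> [(seq, is_dynamic)]
    for ln in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"name (\S+) (\S+)$", ln):
            names[m.group(2)] = m.group(1)  # alias -> address
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln):
            pools[m.group(1)] = (ip_address(m.group(2)), ip_address(m.group(3)))
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)$", ln):
            pool_refs.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list nonat permit ip \S+ \S+ (\S+) (\S+)$", ln):
            nonat.append((m.group(1), m.group(2)))  # destination net, mask
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", ln):
            bound.setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", ln):
            entries.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3) is not None))
        elif ln.startswith("tunnel-group "):
            findings.append(f"'{ln}': tunnel-group is PIX/ASA 7.x syntax; 6.3 uses vpngroup")

    # Rule 1: an interface carries one crypto map set; binding a second map
    # replaces the first and with it every static peer defined there.
    for iface, maps in bound.items():
        if len(maps) > 1:
            findings.append(f"{iface}: {len(maps)} crypto maps bound ({', '.join(maps)}); "
                            "the last 'crypto map ... interface' command displaces the others")
    # Rule 2: entries are evaluated in sequence order, so dynamic entries need
    # the highest numbers for the static site-to-site peers to be matched first.
    for name, ents in entries.items():
        static = [s for s, dyn in ents if not dyn]
        dynamic = [s for s, dyn in ents if dyn]
        if static and dynamic and min(dynamic) < max(static):
            findings.append(f"map {name}: dynamic entry sequence {min(dynamic)} is below static "
                            f"sequence {max(static)}; dynamic entries belong at the end")
    # Rule 3: every address pool a vpngroup hands out must exist.
    for group, pool in pool_refs:
        if pool not in pools:
            findings.append(f"vpngroup {group}: address-pool {pool} is not defined")
    # Rule 4: client pool addresses must be exempt from NAT (nat 0) or the
    # PIX translates replies to clients before they reach the tunnel.
    nets = [ip_network(f"{names.get(d, d)}/{mask}", strict=False) for d, mask in nonat]
    for pool, (lo, hi) in pools.items():
        if not any(lo in n and hi in n for n in nets):
            findings.append(f"pool {pool}: no nonat entry covers {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("asked", ASKED_CONFIG), ("merged", MERGED_CONFIG)):
        print(label, lint_pix_vpn(cfg) or ["no findings"])
```

Run it against a `show run` capture to get the same checks on a real box; the parser only looks at the handful of line shapes named above and ignores everything else, so unrelated commands do not produce noise.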