[c-nsp] site to site and remote access on pix 506e

Michael K. Smith - Adhost mksmith at adhost.com
Thu Sep 11 18:43:26 EDT 2008


Hello Dalton:

Here are a couple of ideas.

1) Change:

isakmp key ******** address x.x.x.x netmask 255.255.255.255

to

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

2) You might want to add:

isakmp nat-traversal 20

3) I'm assuming you have a LOCAL username specified?

Regards,

Mike

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of dalton
> Sent: Thursday, September 11, 2008 3:26 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] site to site and remote access on pix 506e
> 
> 
> Hi,
> 
> I'm wondering if anyone has a working config for a pix 506e running 6.3 or
> so, to do both site to site and remote access vpn. I assume this is possible?
> 
> I have a pix running a few site to sites, however when I added the remote
> access config, it caused the tunnels to fail leaving them in a state of Xauth
> config or something of the like (don't have the exact error).
> 
> Things fail when I add these 2 lines to the crypto map
> 
> crypto map toCLIENT client configuration address initiate
> crypto map toCLIENT  client authentication LOCAL
> 
> 
> config is below, thanks.
> 
> -dalton
> 
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname client-pix
> domain-name client.logicworks.net
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> no fixup protocol sip 5060
> no fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.2
> access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.2
> access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.2
> access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.177.187.0 255.255.255.0
> access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.2
> access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.2
> access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.2
> access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
> access-list splittunnelACL permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
> pager lines 24
> logging on
> logging timestamp
> logging standby
> logging console alerts
> logging monitor alerts
> logging buffered debugging
> logging history alerts
> mtu outside 1500
> mtu inside 1500
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool REMOTEPOOL 10.254.10.10-10.254.10.20 mask 255.255.255.0
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list DENY-NAT
> conduit permit ip any any
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set mytrans
> crypto map toCLIENT 20 ipsec-isakmp
> crypto map toCLIENT 20 match address toCLIENT
> crypto map toCLIENT 20 set peer x.x.x.x
> crypto map toCLIENT 20 set transform-set strong
> crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
> crypto map toCLIENT client configuration address initiate
> crypto map toCLIENT  client authentication LOCAL
> crypto map toCLIENT interface outside
> isakmp enable outside
> isakmp key ******** address x.x.x.x netmask 255.255.255.255
> isakmp identity address
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption 3des
> isakmp policy 8 hash sha
> isakmp policy 8 group 2
> isakmp policy 8 lifetime 86400
> vpngroup client address-pool REMOTEPOOL
> vpngroup client dns-server x.x.x.x
> vpngroup client default-domain client.logicworks.net
> vpngroup client split-tunnel splittunnelACL
> vpngroup client split-dns logicworks.net
> vpngroup client idle-time 3600
> vpngroup client password ********
> vpngroup idle-time idle-time 1800
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
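A quick way to check a saved PIX 6.3 config for the mismatch Mike describes: the script below is an added example, not code from the thread or from Cisco. It reads the VPN-relevant lines of Dalton's posted config (embedded here as a constructed sample, with the peer address left as x.x.x.x), flags every static `set peer` on a crypto map that also has `client authentication` but whose `isakmp key` line lacks `no-xauth no-config-mode`, notes a missing local `username` when the map authenticates against LOCAL, and notes when `isakmp nat-traversal` is absent (Mike's points 2 and 3). `exempt_static_peers` rewrites only the affected key lines. The function names and the finding text are my own.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the VPN-relevant lines of the config posted in the
# thread, with the site-to-site peer left as the placeholder x.x.x.x.
PIX_CONFIG = """\
aaa-server LOCAL protocol local
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto map toCLIENT 20 ipsec-isakmp
crypto map toCLIENT 20 match address toCLIENT
crypto map toCLIENT 20 set peer x.x.x.x
crypto map toCLIENT 20 set transform-set strong
crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
crypto map toCLIENT client configuration address initiate
crypto map toCLIENT  client authentication LOCAL
crypto map toCLIENT interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
"""

PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)$")
AUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask \S+(.*)$")
# Keywords a static (site-to-site) peer needs on its isakmp key once the
# crypto map carries client authentication / client configuration.
REQUIRED = ("no-xauth", "no-config-mode")


def _norm(line: str) -> str:
    """Collapse stray runs of spaces such as 'toCLIENT  client'."""
    return " ".join(line.split())


def audit_pix_vpn(config: str) -> List[str]:
    """Findings for a PIX 6.3 config that mixes static crypto map entries
    (site-to-site) with a dynamic entry used for remote-access clients."""
    static_peers: Dict[str, Set[str]] = {}   # map name -> static peer addresses
    client_auth: Dict[str, str] = {}         # map name -> AAA server tag
    key_opts: Dict[str, List[str]] = {}      # peer address -> trailing key keywords
    has_nat_t = has_username = False
    for raw in config.splitlines():
        line = _norm(raw)
        pm, am, km = PEER_RE.match(line), AUTH_RE.match(line), KEY_RE.match(line)
        if pm:
            static_peers.setdefault(pm.group(1), set()).add(pm.group(2))
        elif am:
            client_auth[am.group(1)] = am.group(2)
        elif km:
            key_opts[km.group(1)] = km.group(2).split()
        elif line.startswith("isakmp nat-traversal"):
            has_nat_t = True
        elif line.startswith("username "):
            has_username = True

    findings: List[str] = []
    for name, server in sorted(client_auth.items()):
        # A static peer on a map with client authentication is asked for Xauth
        # and mode-config unless its key line opts out; a router peer cannot
        # answer, so the tunnel stalls. Flag each such peer.
        for peer in sorted(static_peers.get(name, ())):
            opts = key_opts.get(peer)
            if opts is None:
                findings.append(f"{name}: no isakmp key for static peer {peer}")
                continue
            missing = [k for k in REQUIRED if k not in opts]
            if missing:
                findings.append(
                    f"{name}: isakmp key for peer {peer} lacks {' '.join(missing)}")
        if server == "LOCAL" and not has_username:
            findings.append(f"{name}: client authentication LOCAL but no username defined")
    if client_auth and not has_nat_t:
        findings.append("remote-access clients configured but isakmp nat-traversal is off")
    return findings


def exempt_static_peers(config: str) -> str:
    """Append 'no-xauth no-config-mode' to the isakmp key line of every static
    peer that sits on a crypto map with client authentication."""
    auth_maps = {m.group(1) for m in map(AUTH_RE.match, map(_norm, config.splitlines())) if m}
    peers: Set[str] = set()
    for raw in config.splitlines():
        pm = PEER_RE.match(_norm(raw))
        if pm and pm.group(1) in auth_maps:
            peers.add(pm.group(2))
    out = []
    for raw in config.splitlines():
        km = KEY_RE.match(_norm(raw))
        if km and km.group(1) in peers:
            present = km.group(2).split()
            raw = raw.rstrip() + "".join(f" {k}" for k in REQUIRED if k not in present)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_pix_vpn(PIX_CONFIG):
        print("FINDING:", f)
    print(exempt_static_peers(PIX_CONFIG))
```

Run it against the posted config and it reports the bare `isakmp key` for x.x.x.x, the missing local username and the absent nat-traversal; add the `isakmp nat-traversal 20` and `username` lines yourself, since the right keepalive and account are site decisions the script should not guess.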