Douglas_H
asked on
Remote user VPN connection to remote office via our HO VPN to that office not working. Cisco PIX equipement
We have set up our location with a PIX 506e as our firewall to the Internet. We used the 10.1.1.0 as our subnet in this location called Dallas. Our remote office uses a Cisco PIX 501 as well for their connection to the Internet. They used the 192.1.1.0 as their subnet. We went through all the correct actions to get a static VPN connection setup between the two. This has been going now for a week and seems to be doing just what we need. Now would like to finish this up to where my own VPN remote users can connect into our dallas site and then use that static VPN connection to do what they need. How would we go about setting that up for use? and is that the best way to occumplish this?
The dallas laptop users that connect in via the VPN will get a 10.1.5.0 subnet IP. i am including the PIX configs for both locations.
Thanks
Doug
--------------------
setup
VPN (VPN tunnel 10.1.5.0 subnet)
New static VPN |
Other Office---PIX (501)----internet------PIX
192.168.1.0
Dallas PIX config
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname tx-fw
domain-name name.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.1.1.30 DFW
access-list inside_access_in permit ip any any
access-list outside_in permit tcp any host a.b.c.27 eq smtp
access-list outside_in permit tcp 10.1.5.0 255.255.255.0 a.b.c.0 255.255.255.0
access-list outside_in permit tcp any host a.b.c.28 eq https
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 170 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.26 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 10.1.5.70-10.1.5.254
pdm location DFW 255.255.255.255 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 a.b.c.27
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp a.b.c.28 https DFW https netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.27 smtp DFW smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host DFW BMLLCTX timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto dynamic-map dynmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map SummitMap 10 ipsec-isakmp
crypto map SummitMap 10 match address 170
crypto map SummitMap 10 set peer x.y.z.226
crypto map SummitMap 10 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap client authentication partnerauth
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address x.y.z.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TX-VPN address-pool VPN-Pool
vpngroup TX-VPN dns-server DFW DFW
vpngroup TX-VPN wins-server DFW DFW
vpngroup TX-VPN default-domain name.local
vpngroup TX-VPN split-tunnel split
vpngroup TX-VPN pfs
vpngroup TX-VPN idle-time 1800
vpngroup TX-VPN password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username plamont password nope encrypted privilege 15
username dholcombe password nope encrypted privilege 15
vpnclient server 10.1.1.1
vpnclient mode client-mode
vpnclient vpngroup TX-VPN password ********
terminal width 80
Cryptochecksum:8658080ae8f
: end
[OK]
And here is the configure for the other office router
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname nope
domain-name nope.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.254.0
255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outbound deny tcp any any eq aol
access-list outbound deny tcp any any eq 5050
access-list outbound deny tcp any any eq 1863
access-list outbound permit ip any any
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 170 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.Z.226 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SummitPool 192.168.254.10-192.168.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 X.Y.Z.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.112 ./config/sac
floodguard enable
sysopt connection tcpmss 1000
sysopt connection permit-ipsec
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto map SummitMap 20 ipsec-isakmp
crypto map SummitMap 20 match address 120
crypto map SummitMap 20 set peer m.n.o.141
crypto map SummitMap 20 set transform-set SummitSet
crypto map SummitMap 30 ipsec-isakmp
crypto map SummitMap 30 match address 130
crypto map SummitMap 30 set peer m.n.o.57
crypto map SummitMap 30 set transform-set SummitSet
crypto map SummitMap 40 ipsec-isakmp
crypto map SummitMap 40 match address 140
crypto map SummitMap 40 set peer m.n.o.78
crypto map SummitMap 40 set transform-set SummitSet
crypto map SummitMap 50 ipsec-isakmp
crypto map SummitMap 50 match address 150
crypto map SummitMap 50 set peer m.n.o.106
crypto map SummitMap 50 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap 70 ipsec-isakmp
crypto map SummitMap 70 match address 170
crypto map SummitMap 70 set peer a.b.c.26
crypto map SummitMap 70 set transform-set SummitSet
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address m.n.o.57 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.141 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.78 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.106 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address a.b.c.26 netmask 255.255.255.255
no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
vpngroup SummitGroup address-pool SummitPool
vpngroup SummitGroup dns-server 192.168.1.10
vpngroup SummitGroup wins-server 192.168.1.10
vpngroup SummitGroup split-tunnel split
vpngroup SummitGroup idle-time 1800
vpngroup SummitGroup password ********
vpngroup SummitVPN address-pool SummitPool
vpngroup SummitVPN dns-server 192.168.1.10
vpngroup SummitVPN wins-server 192.168.1.10
vpngroup SummitVPN default-domain nope.int
vpngroup SummitVPN split-tunnel split
vpngroup SummitVPN idle-time 1800
vpngroup SummitVPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username admin password nope encrypted privilege 15
terminal width 80
Cryptochecksum:fe938b8fea6
The dallas laptop users that connect in via the VPN will get a 10.1.5.0 subnet IP. i am including the PIX configs for both locations.
Thanks
Doug
--------------------
setup
VPN (VPN tunnel 10.1.5.0 subnet)
New static VPN |
Other Office---PIX (501)----internet------PIX
192.168.1.0
Dallas PIX config
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname tx-fw
domain-name name.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.1.1.30 DFW
access-list inside_access_in permit ip any any
access-list outside_in permit tcp any host a.b.c.27 eq smtp
access-list outside_in permit tcp 10.1.5.0 255.255.255.0 a.b.c.0 255.255.255.0
access-list outside_in permit tcp any host a.b.c.28 eq https
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 170 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.26 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 10.1.5.70-10.1.5.254
pdm location DFW 255.255.255.255 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 a.b.c.27
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp a.b.c.28 https DFW https netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.c.27 smtp DFW smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host DFW BMLLCTX timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto dynamic-map dynmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map SummitMap 10 ipsec-isakmp
crypto map SummitMap 10 match address 170
crypto map SummitMap 10 set peer x.y.z.226
crypto map SummitMap 10 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap client authentication partnerauth
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address x.y.z.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TX-VPN address-pool VPN-Pool
vpngroup TX-VPN dns-server DFW DFW
vpngroup TX-VPN wins-server DFW DFW
vpngroup TX-VPN default-domain name.local
vpngroup TX-VPN split-tunnel split
vpngroup TX-VPN pfs
vpngroup TX-VPN idle-time 1800
vpngroup TX-VPN password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username plamont password nope encrypted privilege 15
username dholcombe password nope encrypted privilege 15
vpnclient server 10.1.1.1
vpnclient mode client-mode
vpnclient vpngroup TX-VPN password ********
terminal width 80
Cryptochecksum:8658080ae8f
: end
[OK]
And here is the configure for the other office router
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname nope
domain-name nope.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.254.0
255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outbound deny tcp any any eq aol
access-list outbound deny tcp any any eq 5050
access-list outbound deny tcp any any eq 1863
access-list outbound permit ip any any
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 170 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.Z.226 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SummitPool 192.168.254.10-192.168.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 X.Y.Z.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.112 ./config/sac
floodguard enable
sysopt connection tcpmss 1000
sysopt connection permit-ipsec
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto map SummitMap 20 ipsec-isakmp
crypto map SummitMap 20 match address 120
crypto map SummitMap 20 set peer m.n.o.141
crypto map SummitMap 20 set transform-set SummitSet
crypto map SummitMap 30 ipsec-isakmp
crypto map SummitMap 30 match address 130
crypto map SummitMap 30 set peer m.n.o.57
crypto map SummitMap 30 set transform-set SummitSet
crypto map SummitMap 40 ipsec-isakmp
crypto map SummitMap 40 match address 140
crypto map SummitMap 40 set peer m.n.o.78
crypto map SummitMap 40 set transform-set SummitSet
crypto map SummitMap 50 ipsec-isakmp
crypto map SummitMap 50 match address 150
crypto map SummitMap 50 set peer m.n.o.106
crypto map SummitMap 50 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap 70 ipsec-isakmp
crypto map SummitMap 70 match address 170
crypto map SummitMap 70 set peer a.b.c.26
crypto map SummitMap 70 set transform-set SummitSet
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address m.n.o.57 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.141 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.78 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.106 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address a.b.c.26 netmask 255.255.255.255
no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
vpngroup SummitGroup address-pool SummitPool
vpngroup SummitGroup dns-server 192.168.1.10
vpngroup SummitGroup wins-server 192.168.1.10
vpngroup SummitGroup split-tunnel split
vpngroup SummitGroup idle-time 1800
vpngroup SummitGroup password ********
vpngroup SummitVPN address-pool SummitPool
vpngroup SummitVPN dns-server 192.168.1.10
vpngroup SummitVPN wins-server 192.168.1.10
vpngroup SummitVPN default-domain nope.int
vpngroup SummitVPN split-tunnel split
vpngroup SummitVPN idle-time 1800
vpngroup SummitVPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username admin password nope encrypted privilege 15
terminal width 80
Cryptochecksum:fe938b8fea6
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
hi Douglas
PIX version 7 supports IPSec tunnel "U-turn" but it is only available on PIX models 515E and above so it will not help you. Your best bet would be to configure the second PIX for VPN client access also and create a second profile for your clients for when they need to reach this network. Not ideal, but workable.
hth
PIX version 7 supports IPSec tunnel "U-turn" but it is only available on PIX models 515E and above so it will not help you. Your best bet would be to configure the second PIX for VPN client access also and create a second profile for your clients for when they need to reach this network. Not ideal, but workable.
hth
ASKER
Thanks!