Cisco PIX hub and spoke VPN

I am trying to get a hub and spoke VPN config set up with a central PIX515E talking to 2 remote 501's and also a couple of VPN client users.

My problem is that I think I am getting the configuration wrong somewhere - I have one VPN tunnel set up and working fine but every time I try to add in the other 501 VPN tunnel or VPN client, I lose the existing connection.

I'm assuming I need to add separate crypto map statements but if someone can help with a sample config, I can check against mine and see where I'm going wrong.

Thanks in advance!

You need only one crypto map, but multiple policies
Can you post your config?
hoinvip (Author) commented:

Attached is the central PIX config. I have sanitised it to remove certain info and replaced with generic strings (pix_outside). Please let me know if you need any more info.



PIX Version 6.1(3)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxxx encrypted
hostname pix01
domain-name xxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
name xxx02
name xxx03
name xxx01
access-list external permit tcp any host outside_a eq smtp
access-list 10 permit ip

access-list nonat permit ip

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pix_outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) outside_a netmask 0 0

static (inside,outside) outside_b netmask 0 0

static (inside,outside) outside_c netmask 0 0

access-group external in interface outside
route outside outside_gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set setname esp-3des esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address 10
crypto map map1 10 set peer peer_ip
crypto map map1 10 set transform-set setname
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp key ******** address peer_ip netmask

isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5

ssh timeout 5
terminal width 80
Here's an example from a working PIX with multiple site-site vpns and VPN clients, using one crypto map, but multiple policies, and multiple priority groups:

crypto ipsec transform-set LAB esp-des esp-md5-hmac
crypto ipsec transform-set Windows2k esp-des esp-md5-hmac
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set LAB
crypto map CRYMAP 5 ipsec-isakmp
crypto map CRYMAP 5 match address 105
crypto map CRYMAP 5 set peer
crypto map CRYMAP 5 set transform-set LAB
crypto map CRYMAP 10 ipsec-isakmp
crypto map CRYMAP 10 match address 110
crypto map CRYMAP 10 set peer
crypto map CRYMAP 10 set transform-set LAB
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map CRYMAP interface outside

isakmp enable outside
isakmp key ******** address netmask
isakmp key ******** address netmask

isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 28800

isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 28800

vpngroup NEWTEST address-pool ippool
vpngroup NEWTEST dns-server
vpngroup NEWTEST wins-server
vpngroup NEWTEST default-domain
vpngroup NEWTEST split-tunnel NEWTEST_splitTunnelAcl
vpngroup NEWTEST idle-time 1800
vpngroup NEWTEST password ********
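
Added example, not part of the thread or of any participant's post: a small Python check for the layout the answer describes (a single crypto map name bound to the interface, one sequence-numbered entry per peer, the dynamic entry for VPN clients last). The function name `audit`, the sample configs and the 192.0.2.x peer addresses are constructed for illustration, and pre-shared-key authentication is assumed.

```python
from collections import defaultdict
# Constructed sample lines; 192.0.2.x addresses are placeholders, not from the thread.
# BROKEN puts the second spoke in a new map (map2); FIXED adds it to map1 as entry 20.
COMMON = """crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address 10
crypto map map1 10 set peer 192.0.2.10
crypto map map1 10 set transform-set setname
crypto map map1 interface outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
isakmp key ******** address 192.0.2.20 netmask 255.255.255.255
"""
SPOKE2 = """crypto map {m} 20 ipsec-isakmp
crypto map {m} 20 match address 20
crypto map {m} 20 set peer 192.0.2.20
crypto map {m} 20 set transform-set setname
crypto map {m} interface outside
"""
BROKEN, FIXED = COMMON + SPOKE2.format(m="map2"), COMMON + SPOKE2.format(m="map1")
REQUIRED = ("match address", "set peer", "set transform-set")

def audit(config):
    """Return findings for the crypto map lines of a PIX 6.x style config."""
    entries, bound, peers, keyed, out = defaultdict(set), {}, {}, set(), []
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["crypto", "map"] and len(w) >= 5:
            name, arg = w[2], w[3]
            if arg == "interface":  # only one crypto map set per interface
                if bound.get(w[4], name) != name:
                    out.append(f"{w[4]}: {name} replaces {bound[w[4]]}")
                bound[w[4]] = name
            elif arg.isdigit():
                entries[(name, int(arg))].add(" ".join(w[4:6]))
                if w[4:6] == ["set", "peer"] and len(w) > 6:
                    peers[w[6]] = (name, int(arg))
        elif w[:2] == ["isakmp", "key"] and "address" in w[:-1]:
            keyed.add(w[w.index("address") + 1])
    for (name, seq), seen in sorted(entries.items()):
        dynamic = "ipsec-isakmp dynamic" in seen
        if name not in bound.values():
            out.append(f"{name} {seq}: map not applied to an interface, entry inactive")
        missing = [r for r in REQUIRED if r not in seen and not dynamic]
        if missing:
            out.append(f"{name} {seq}: missing {', '.join(missing)}")
        if dynamic and any(n == name and s > seq for n, s in entries):
            out.append(f"{name} {seq}: dynamic entry should have the highest sequence number")
    # Pre-shared keys assumed: every static peer needs its own key or a 0.0.0.0 wildcard.
    out += [f"{n} {s}: no isakmp key for peer {p}" for p, (n, s) in sorted(peers.items())
            if p not in keyed and "0.0.0.0" not in keyed]
    return out
```

Calling `audit(BROKEN)` reports that map2 displaced map1 on the outside interface and that the map1 entry is now inactive; `audit(FIXED)` returns an empty list.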

G'day, hoinvip, there has not been any activity on this question in 14 days.
Do you still need assistance, need more information, or have you solved your problem? Can you close out this question?
No comment has been added lately (36 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Points awarded to: lrmoore

Experts, please leave any comments here within 7 days.



EE Cleanup Volunteer
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post comments here
hoinvip (Author) commented:
Hi there, sorry for the delays in responding to your suggestion... We are still looking at this and will respond more fully shortly. Thanks for the help so far..
Any updates? We need to close out this question one way or another..

hoinvip (Author) commented:
That's fine thanks - I haven't had a chance to fully test this but please close this one off as I'm fairly certain we've got it covered now.

Question has a verified solution.