
PIX 515e + multiple VPN/Crypto

I currently have a VPN tunnel for one of our remote offices using their local ISP.  It is working fine.  Now I want to implement a VPN for home/remote users using their own ISP and the Cisco VPN client.  When I configured the crypto map, transform set and vpngroup it all appeared OK.  However, when you do a show crypto map, my remote office is using the home user map.  My home user gets connected and authenticated but cannot get inside; I suspect this is a Win2K problem, but at least they are in.

Is it possible to create more than one VPN group and keep them separate?

Here is the relevant config:

ip local pool ippool 172.16.0.220-172.16.0.239
no failover
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.16.0.70 ***** timeout 5
aaa-server partherauth protocol tacacs+

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set remoteVPN esp-des esp-md5-hmac
crypto ipsec transform-set VPNSET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map VPNMAP 20 set transform-set VPNSET
crypto map Penetang 10 ipsec-isakmp
crypto map Penetang 10 match address ipsec
crypto map Penetang 10 set peer xxx.xxx.xxx.xxx
crypto map Penetang 10 set transform-set remoteVPN
crypto map SOHO 20 ipsec-isakmp dynamic VPNMAP
crypto map SOHO client authentication partnerauth
crypto map SOHO interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 172.16.0.70
vpngroup vpn3000 wins-server 172.16.0.61
vpngroup vpn3000 default-domain mydomain.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
 
1 Solution
 
lrmoore commented:
You can only use one crypto map at a time. Here you are using SOHO
>crypto map SOHO interface outside

try:
crypto map Penetang 20 ipsec-isakmp dynamic VPNMAP
crypto map Penetang 20 client authentication partnerauth
crypto map Penetang interface outside

>home user gets connected and authenticated but cannot get inside

Do you have nat 0 access-list?
What is your ip pool and inside interface network?
 
lcufarl (author) commented:
nat (inside) 0 access-list nonat
ip local pool ippool 172.16.0.220-172.16.0.239
(The Cisco VPN client shows the address received as 172.16.0.220, but on the Win2k server the authenticated user shows up with the inside address of the PIX, 172.16.1.2.)

The inside interface is a point-to-point /30 to the inside switch using 172.16.1.2 and 1.1. Our inside IPs are 172.16.0.0, 2.0, 3.0.

access-list nonat permit ip 172.16.0.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.3.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.4.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.2.0 255.255.255.240
access-list nonat permit ip 172.16.5.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.6.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.0.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list nonat permit ip 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list nonat permit ip 172.16.2.0 255.255.255.240 172.16.6.0 255.255.255.0

access-list ipsec permit ip 172.16.0.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list ipsec permit ip 172.16.2.0 255.255.255.240 172.16.6.0 255.255.255.0

access-list ipsec permit ip 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0

 
lrmoore commented:
Suggest using a different subnet for the vpn client pool.
By using 172.16.0.x, you now have this subnet on both sides of your L3 switch.
client(172.16.0.220)--FWinside(172.16.1.2)--L3Switch(172.16.1.1)--InsideLAN(172.16.0.0 - 172.16.3.0)

Here's what I would do (something totally different than anywhere else on your net, and I don't like to use subnet zero unless I have to):
ip local pool ippool 172.17.17.220-172.17.17.239

access-list nonat permit 172.16.1.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list nonat permit 172.16.0.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list nonat permit 172.16.2.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list nonat permit 172.16.3.0 255.255.255.0 172.17.17.0 255.255.255.0

route inside 172.16.0.0 255.255.0.0 172.16.1.1


Just make sure that you have a route on the inside L3 switch for the 172.17.17.x subnet:

ip route 172.17.17.0 255.255.255.0 172.16.1.2



 
lrmoore commented:
You can simplify the nonat acl now:

access-list nonat permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0

I left out the "ip" in the last post accidentally...
 
lcufarl (author) commented:
OK, I will try it now and let you know.
 
lcufarl (author) commented:
Well, now I can find servers by name and ping by either name or IP.  But I can't browse the network or the Internet, and I don't get the logon scripts like the remote office does.  I can also ping from the network back to the VPN laptop.  I cannot ping the RADIUS server at all.

I think that these issues are Win2k issues?  I will continue trying to tweak it on Monday.

Thanks for all your help it really made a difference with another pair of eyes looking at the problem.

 
lrmoore commented:
> But I can't browse the network or the internet
You need to enable split-tunneling to browse the Internet while still connected to the VPN:

access-list split-tunnel_acl permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0
vpngroup vpn3000 split-tunnel split-tunnel_acl


This document may help with using RADIUS authentication (Win2K) for the clients:
http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

Browsing the network with an XP client, as opposed to a Win98 client, depends on the XP client having a machine account in the domain and logging into the domain. You can use the VPN client's start-before-logon option, and use XP's logon option to log on using a dial-up connection to log into the domain.
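As an added example (not part of the thread, and not Cisco's code), here is a small Python lint that checks a PIX 6.x config for the three things that went wrong above: lrmoore's point that only the crypto map named in `crypto map <name> interface outside` is active (and that the dynamic remote-access entry should carry the higher sequence number so the static site-to-site peer is matched first), the client pool colliding with an inside subnet, and whether the nat 0 and split-tunnel ACLs actually cover inside-to-pool traffic. The sample config is constructed from the corrected fragments in this thread; the peer address 203.0.113.10, the choice of inside networks, and parsing only the handful of statements needed are my assumptions.

```python
"""Lint the PIX 6.x VPN statements discussed in this thread: one crypto map bound to the
outside interface with the dynamic entry numbered after the static one, a client pool that
does not collide with an inside subnet, and nat 0 / split-tunnel ACLs covering pool traffic."""
import ipaddress

# Constructed sample built from the thread's corrected fragments. The peer address is an
# RFC 5737 documentation address, not the poster's real remote-office peer.
CONFIG = """
ip local pool ippool 172.17.17.220-172.17.17.239
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0
access-list ipsec permit ip 172.16.0.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list split-tunnel_acl permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto dynamic-map VPNMAP 20 set transform-set VPNSET
crypto map Penetang 10 ipsec-isakmp
crypto map Penetang 10 match address ipsec
crypto map Penetang 10 set peer 203.0.113.10
crypto map Penetang 10 set transform-set remoteVPN
crypto map Penetang 20 ipsec-isakmp dynamic VPNMAP
crypto map Penetang client authentication partnerauth
crypto map Penetang interface outside
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel split-tunnel_acl
route inside 172.16.0.0 255.255.0.0 172.16.1.1
"""

# Inside networks as described in the thread (assumed): the /30 firewall-to-switch link
# plus the LAN subnets behind the L3 switch.
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("172.16.1.0/30", "172.16.0.0/24", "172.16.2.0/24", "172.16.3.0/24")]


def mask_net(addr, mask):
    """'172.16.0.0', '255.255.0.0' -> IPv4Network('172.16.0.0/16')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Pull out only the statements the checks below need."""
    cfg = {"pools": {}, "acls": {}, "maps": {}, "bound": None, "nat0": None, "vpngroups": {}}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[:3] == ["ip", "local", "pool"]:
            lo, hi = f[4].split("-")
            cfg["pools"][f[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(f[1], []).append((mask_net(f[4], f[5]), mask_net(f[6], f[7])))
        elif f[0] == "nat" and f[2:4] == ["0", "access-list"]:
            cfg["nat0"] = f[4]
        elif f[:2] == ["crypto", "map"]:
            name, entries = f[2], cfg["maps"].setdefault(f[2], {})
            if f[3] == "interface":
                cfg["bound"] = name
            elif f[3].isdigit():
                entry = entries.setdefault(int(f[3]), {})
                if f[4] == "ipsec-isakmp":
                    entry["dynamic"] = "dynamic" in f[5:]
        elif f[0] == "vpngroup":
            cfg["vpngroups"].setdefault(f[1], {})[f[2]] = f[3]
    return cfg


def check_crypto_maps(cfg):
    """PIX applies one crypto map set per interface; entries under any other map name are
    dead config. Dynamic entries need the highest sequence numbers so the static
    site-to-site peer is matched before the remote-access catch-all."""
    problems = []
    for name, entries in cfg["maps"].items():
        if name != cfg["bound"]:
            problems.append(f"crypto map {name} is never applied to an interface")
            continue
        static = [s for s, e in entries.items() if e.get("dynamic") is False]
        dynamic = [s for s, e in entries.items() if e.get("dynamic")]
        if static and dynamic and min(dynamic) < max(static):
            problems.append(f"crypto map {name}: dynamic entry {min(dynamic)} "
                            f"precedes static entry {max(static)}")
    return problems


def acl_covers(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_pool(cfg, pool, group, inside_nets):
    """The pool must not overlap a subnet that lives behind the L3 switch, and the nat 0
    and split-tunnel ACLs must cover every inside network towards every pool block."""
    problems = []
    lo, hi = cfg["pools"][pool]
    pool_nets = list(ipaddress.summarize_address_range(lo, hi))
    nonat = cfg["acls"].get(cfg["nat0"], [])
    split_name = cfg["vpngroups"].get(group, {}).get("split-tunnel")
    if split_name is None:
        problems.append(f"vpngroup {group}: no split-tunnel ACL, all client traffic is tunnelled")
    split = cfg["acls"].get(split_name, [])
    for inside in inside_nets:
        for p in pool_nets:
            if inside.overlaps(p):
                problems.append(f"pool block {p} overlaps inside network {inside}")
            if not acl_covers(nonat, inside, p):
                problems.append(f"nat 0: {inside} -> {p} is still translated")
            if split_name and not acl_covers(split, inside, p):
                problems.append(f"split-tunnel: {inside} -> {p} not in {split_name}")
    return problems


def lint(text, pool="ippool", group="vpn3000", inside_nets=INSIDE_NETS):
    cfg = parse(text)
    return check_crypto_maps(cfg) + check_pool(cfg, pool, group, inside_nets)


if __name__ == "__main__":
    for problem in lint(CONFIG) or ["no problems found"]:
        print(problem)
```

Run it against a `show run` dump after swapping in your own inside networks; substituting the thread's original pool (172.16.0.220-239) or binding `SOHO` instead of `Penetang` to the outside interface reproduces the two findings that opened this thread.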
 
lcufarl (author) commented:
Thanks, I will make these changes and keep you posted.
 
lcufarl (author) commented:
All is working now, with the minor exception of browsing the Network Neighbourhood.

Thanks for everything!