Solved

PIX 515e + multiple VPN/Crypto

Posted on 2003-03-12
553 Views
Last Modified: 2011-10-03
I currently have a VPN tunnel for one of our remote offices using their local ISP.  It is working fine.  Now I want to implement a VPN for home/remote users using their own ISP and the Cisco VPN client.  When I configured the crypto map, transform set and vpngroup it all appears OK.  However, when you do a show crypto map, my remote office is using the home user map.  My home user gets connected and authenticated but cannot get inside. I suspect this is a Win2K problem, but at least they are in.

Is it possible to create more than one VPN group and keep them separate?

Here is the relevant config:

ip local pool ippool 172.16.0.220-172.16.0.239
no failover
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.16.0.70 ***** timeout 5
aaa-server partherauth protocol tacacs+

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set remoteVPN esp-des esp-md5-hmac
crypto ipsec transform-set VPNSET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map VPNMAP 20 set transform-set VPNSET
crypto map Penetang 10 ipsec-isakmp
crypto map Penetang 10 match address ipsec
crypto map Penetang 10 set peer xxx.xxx.xxx.xxx
crypto map Penetang 10 set transform-set remoteVPN
crypto map SOHO 20 ipsec-isakmp dynamic VPNMAP
crypto map SOHO client authentication partnerauth
crypto map SOHO interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 172.16.0.70
vpngroup vpn3000 wins-server 172.16.0.61
vpngroup vpn3000 default-domain mydomain.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
 
0
Question by:lcufarl
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8133522
You can only use one crypto map at a time. Here you are using SOHO
>crypto map SOHO interface outside

try:
crypto map Penetang 20 ipsec-isakmp dynamic VPNMAP
crypto map Penetang 20 client authentication partnerauth
crypto map Penetang interface outside

>home user gets connected and authenticated but cannot get inside

Do you have nat 0 access-list?
What is your ip pool and inside interface network?
0
 

Author Comment

by:lcufarl
ID: 8135978
nat (inside) 0 access-list nonat
ip local pool ippool 172.16.0.220-172.16.0.239
(Cisco VPN client shows address received as 172.16.0.220 but on the Win2k server the authenticated user shows up with the inside address of the PIX-172.16.1.2)

The inside int is a point-to-point /30 to the inside switch using 172.16.1.2 and 1.1; our inside IPs are 172.16.0.0, 2.0, 3.0

access-list nonat permit ip 172.16.0.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.3.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 172.16.4.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 192.168.60.0 255.255.255.0 172.16.2.0 255.255.255.240
access-list nonat permit ip 172.16.5.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.6.0 255.255.255.0 172.16.2.0 255.255.255.240

access-list nonat permit ip 172.16.0.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list nonat permit ip 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list nonat permit ip 172.16.2.0 255.255.255.240 172.16.6.0 255.255.255.0

access-list ipsec permit ip 172.16.0.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list ipsec permit ip 172.16.2.0 255.255.255.240 172.16.6.0 255.255.255.0

access-list ipsec permit ip 172.16.3.0 255.255.255.0 172.16.6.0 255.255.255.0

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8136052
Suggest using a different subnet for the vpn client pool.
By using 172.16.0.x, you now have this subnet on both sides of your L3 switch.
client(172.16.0.220)--FWinside(172.16.1.2)--L3Switch(172.16.1.1)--InsideLAN(172.16.0.0 - 172.16.3.0)

Here's what I would do (something totally different than anywhere else on your net, and I don't like to use subnet zero unless I have to):
ip local pool ippool 172.17.17.220-172.17.17.239

access-list nonat permit 172.16.1.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list nonat permit 172.16.0.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list nonat permit 172.16.2.0 255.255.255.0 172.17.17.0 255.255.255.0
access-list nonat permit 172.16.3.0 255.255.255.0 172.17.17.0 255.255.255.0

route inside 172.16.0.0 255.255.0.0 172.16.1.1


Just make sure that you have a route on the inside L3 switch for the 172.17.17.x subnet:

ip route 172.17.17.0 255.255.255.0 172.16.1.2



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8136063
You can simplify the nonat acl now:

access-list nonat permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0

I left out the "ip" in the last post accidentally...
0
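Added example, not from the thread or from Cisco: a small Python check for the two things lrmoore raised above, a client pool that overlaps the networks routed to the inside, and a nonat ACL that does not exempt inside-to-pool traffic. The two config fragments are constructed to mirror the "before" (pool inside 172.16.0.0/24) and "after" (pool 172.17.17.x) states of the discussion.

```python
import ipaddress
import re

# Constructed sample configs (not the asker's full config): "before" mirrors
# the original pool carved out of 172.16.0.0/24, "after" mirrors lrmoore's
# suggestion of a pool in a subnet used nowhere else on the network.
CONFIG_BEFORE = """\
ip local pool ippool 172.16.0.220-172.16.0.239
access-list nonat permit ip 172.16.0.0 255.255.255.0 172.16.2.0 255.255.255.240
route inside 172.16.0.0 255.255.0.0 172.16.1.1
"""
CONFIG_AFTER = """\
ip local pool ippool 172.17.17.220-172.17.17.239
access-list nonat permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0
route inside 172.16.0.0 255.255.0.0 172.16.1.1
"""

def net(addr, mask):
    # PIX writes dotted masks; ip_network accepts "addr/dotted-mask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Pull the client pool, nonat exemptions and inside routes out of a config."""
    pool, nonat, inside = [], [], []
    for line in config.splitlines():
        if m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            # Express the pool range as CIDR blocks so it can be compared to networks.
            pool = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r"access-list nonat permit ip (\S+) (\S+) (\S+) (\S+)", line):
            nonat.append((net(m[1], m[2]), net(m[3], m[4])))
        elif m := re.match(r"route inside (\S+) (\S+) ", line):
            inside.append(net(m[1], m[2]))
    return pool, nonat, inside

def pool_overlaps_inside(config):
    """True if any pool address also lies in a network routed to the inside."""
    pool, _, inside = parse(config)
    return any(p.overlaps(i) for p in pool for i in inside)

def nonat_covers_pool(config):
    """True if every inside network has a nonat line that exempts traffic to the whole pool."""
    pool, nonat, inside = parse(config)
    return all(
        any(src.supernet_of(i) and all(dst.supernet_of(p) for p in pool) for src, dst in nonat)
        for i in inside)
```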
 

Author Comment

by:lcufarl
ID: 8136175
OK, I will try it now and let you know.
0
 

Author Comment

by:lcufarl
ID: 8139137
Well, now I can find servers by name and ping by either name or ip.  But I can't browse the network or the internet and I don't get the logon scripts like the remote office does.  I can also ping from the network back to the vpn laptop.  I cannot ping the radius server at all.

I think that these issues are Win2k issues?  I will continue trying to tweak it on Monday.

Thanks for all your help it really made a difference with another pair of eyes looking at the problem.

0
 
LVL 79

Accepted Solution

by: lrmoore (earned 300 total points)
ID: 8139331
> But I can't browse the network or the internet
You need to enable split-tunneling to browse the Internet while still connected to the VPN:

access-list split-tunnel_acl permit ip 172.16.0.0 255.255.0.0 172.17.17.0 255.255.255.0
vpngroup vpn3000 split-tunnel split-tunnel_acl


This document may help with using RADIUS authentication (Win2K) for the clients:
http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

Browsing the network with an XP client as opposed to a Win98 client depends on the XP client having a machine account in the domain, and logging into the domain. You can use the VPN client to start before logon, and use XP's logon option to log on using a dial-up connection to log into the domain.
0
 

Author Comment

by:lcufarl
ID: 8139350
Thanks, I will make these changes and keep you posted.
0
 

Author Comment

by:lcufarl
ID: 8159957
All is working now with the minor exception of browsing the network neighbourhood.

Thanks for everything!
0
