CISCO 506e and 501 PIX VPN setup not working between two offices

Hi there and thanks for reading this! We have finished up with our inital VPN connection. This was for the remote users to remote to our network from the Interenet. Now our company has merged with another one. We want to keep everything the same on our network and the other companys also. All we want to do is the following.

Our orginal setup

VPN  (VPN tunnel 10.1.5.0 subnet)
  |
internet------PIX (506e)-----Inside (10.1.1.0 Subnet)

New setup

                                          VPN  (VPN tunnel 10.1.5.0 subnet)
New static VPN                      |
Home Office---PIX (501)----internet------PIX (506e)-----Inside (10.1.1.0 Subnet)
192.168.1.0


In trying to set this up seems that now our own VPN for our remote users is messed up. So need to get that back working. And at the same time figure out what we are missing on the static VPN connection between the two networks (192.168.1.0 and 10.1.1.0).

I am including the two configs. First one is mine and second is the new location. We have tried to put everything in as it should and we have a VPN connection but nothing is working as it should.



Dallas config


Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname tx-fw
domain-name name.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 10.1.1.30 DFW
access-list inside_access_in permit ip any any
access-list outside_in permit tcp any host a.b.c.27 eq smtp
access-list outside_in permit tcp 10.1.5.0 255.255.255.0 a.b.c.0 255.255.255.0
access-list outside_in permit tcp any host a.b.c.28 eq https
access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list 170 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.26 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-Pool 10.1.5.70-10.1.5.254
pdm location DFW 255.255.255.255 inside
pdm location 10.1.5.0 255.255.255.0 inside
pdm location 10.1.5.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 a.b.c.27
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp a.b.c.28 https DFW https netmask 255.255.255.255 0 0
static (inside,outside) tcp a.b.b.27 smtp DFW smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.25 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host DFW BMLLCTX timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map SummitMap 10 ipsec-isakmp
crypto map SummitMap 10 match address 170
crypto map SummitMap 10 set peer x.y.z.226
crypto map SummitMap 10 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap
crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address x.y.z.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup TX-VPN address-pool VPN-Pool
vpngroup TX-VPN dns-server DFW DFW
vpngroup TX-VPN wins-server DFW DFW
vpngroup TX-VPN default-domain none.local
vpngroup TX-VPN split-tunnel split
vpngroup TX-VPN pfs
vpngroup TX-VPN idle-time 1800
vpngroup TX-VPN password ********
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username user1 password nope encrypted privilege 15
username user2 password nope encrypted privilege 15
vpnclient server 10.1.1.1
vpnclient mode client-mode
vpnclient vpngroup TX-VPN password ********
terminal width 80
Cryptochecksum:84d77eced9fcc952a646b068b8f37368
: end
[OK]

And here is the configure for the new Home office router

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nope encrypted
passwd nope encrypted
hostname nope
domain-name nope.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.254.0
255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outbound deny tcp any any eq aol
access-list outbound deny tcp any any eq 5050
access-list outbound deny tcp any any eq 1863
access-list outbound permit ip any any
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

------->>>> access-list 170 permit ip 192.168.1.0 255.255.255.0 10.1.1.0
255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside X.Y.Z.226 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SummitPool 192.168.254.10-192.168.254.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 X.Y.Z.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.112 ./config/sac
floodguard enable
sysopt connection tcpmss 1000
sysopt connection permit-ipsec
crypto ipsec transform-set SummitSet esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set SummitSet
crypto map SummitMap 20 ipsec-isakmp
crypto map SummitMap 20 match address 120
crypto map SummitMap 20 set peer m.n.o.141
crypto map SummitMap 20 set transform-set SummitSet
crypto map SummitMap 30 ipsec-isakmp
crypto map SummitMap 30 match address 130
crypto map SummitMap 30 set peer m.n.o.57
crypto map SummitMap 30 set transform-set SummitSet
crypto map SummitMap 40 ipsec-isakmp
crypto map SummitMap 40 match address 140
crypto map SummitMap 40 set peer m.n.o.78
crypto map SummitMap 40 set transform-set SummitSet
crypto map SummitMap 50 ipsec-isakmp
crypto map SummitMap 50 match address 150
crypto map SummitMap 50 set peer m.n.o.106
crypto map SummitMap 50 set transform-set SummitSet
crypto map SummitMap 60 ipsec-isakmp dynamic dynmap

------->>>> crypto map SummitMap 70 ipsec-isakmp

------->>>> crypto map SummitMap 70 match address 170

------->>>> crypto map SummitMap 70 set peer a.b.c.26

------->>>> crypto map SummitMap 70 set transform-set SummitSet

crypto map SummitMap interface outside
isakmp enable outside
isakmp key ******** address m.n.o.57 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.141 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.78 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp key ******** address m.n.o.106 netmask 255.255.255.255 no-xauth
no-config-mode

------->>>> isakmp key ******** address a.b.c.26 netmask 255.255.255.255
no-xauth no-config-mode

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 10000
vpngroup SummitGroup address-pool SummitPool
vpngroup SummitGroup dns-server 192.168.1.10
vpngroup SummitGroup wins-server 192.168.1.10
vpngroup SummitGroup split-tunnel split
vpngroup SummitGroup idle-time 1800
vpngroup SummitGroup password ********
vpngroup SummitVPN address-pool SummitPool
vpngroup SummitVPN dns-server 192.168.1.10
vpngroup SummitVPN wins-server 192.168.1.10
vpngroup SummitVPN default-domain nope.int
vpngroup SummitVPN split-tunnel split
vpngroup SummitVPN idle-time 1800
vpngroup SummitVPN password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username admin password nope encrypted privilege 15
terminal width 80
Cryptochecksum:fe938b8fea65b28e3171c4ec25ae7ac6


Let us know if we need to provide anything more.

Thanks

Doug
Douglas_HAsked:
Who is Participating?
 
stressedout2004Commented:
Im sorry but i dont know what you mean by the crypto map and vpnclient being used for the Dallas config.
On PIX you can only have one crypto map per interface, the Dallas PIX already has a crypto map which is called SummitMap and that's all that you really need regardless of how many VPN you decide to add. Now for the vpnclient
command at the very bottom of the config, those are for a different type of VPN called EZVPN which you don't need
as far as the vpnclient remote access and PIX to PIX is concern. The vpnclient server IP is also incorrectly configured, it is pointing to 10.1.1.1 which is the PIX inside interface.

It is really up to you if you want to keep those config, they are not really doing anything. I just thought you may want to do some spring cleaning that's why I added them. But all you need is the following:

For Dallas:

access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbount_nat0_acl
crypto map SummitMap client authentication LOCAL --> only if you want extended auth for remote access

On the new location
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
0
 
stressedout2004Commented:
Hi Doug,

Here are the changes you need to make:

For Dallas:

access-list inside_outbound_nat0_acl permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbount_nat0_acl
no crypto map outside_map 65535
no crypto map outside_map client authentication LOCAL
no crypto map mymap 10
no crypto map mymap client authentication partnerauth
no crypto ipsec transform-set myset esp-3des esp-md5-hmac
no vpnclient server 10.1.1.1
no vpnclient mode client-mode
no vpnclient vpngroup
crypto map SummitMap client authentication LOCAL --> only if you want extended auth for remote access


On the new location

access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
0
 
lamontpsCommented:
the 'crypto map' and 'vpnclient' commands were originally added for our local vpn at Dallas, which will still be used, in addition to that local vpn accessing the 'pix-to-pix' vpn.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.