PIX 515e site to site and Cisco vpn client configuration.

Posted on 2006-05-13
Last Modified: 2008-01-09
Hi Guys

I have two PIX515e's in a datacentre (active/failover configuration). I have to configure the units for two separate site to site VPNs and for the Cisco software client. The two sites also have PIXs: one is a 515 and one is a 525. The Cisco software client I have is 4.0.5 and 4.6 (any recommendations on which is the less problematic would be good).

I will need the Cisco clients to be able to authenticate against a Windows 2003 AD server, which will be through IAS. Here is the config I have pulled together for the VPN client (which is probably very wrong, but there you go):

access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip

ip local pool VPNpool

nat (inside) 0 0 0
nat (inside) 1 access-list 101

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host  timeout 10

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set esp esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup xxxxxxxx address-pool VPNpool
vpngroup xxxxxxxx dns-server
vpngroup xxxxxxxx wins-server
vpngroup xxxxxxxx default-domain xxxxxxxx.local
vpngroup xxxxxxxx split-tunnel 101
vpngroup xxxxxxxx idle-time 1800
vpngroup xxxxxxxx password ********

Am I on the right track??? From what I understand you can only have one crypto map per interface so how would I configure the central PIX to add the two tunnels from the other two sites and what config needs to be on them??

I have not done this before and am getting a bit confused....

Any help will be much appreciated.


Question by:kjorviss

    Author Comment

    Forgot to say... All the 515's are running 6.3.5 and the 525 is running 6.3.4
    LVL 20

    Accepted Solution

     hi Kevin, please see the following example, which shows a site-to-site + VPN client config:

      Referring to the example above, you could specify a 2nd site VPN while you're configuring the first, e.g.:
    crypto map newmap 15 ipsec-isakmp
    crypto map newmap 15 match address 110
    crypto map newmap 15 set peer
    crypto map newmap 15 set transform-set myset

    isakmp key <key_for_site_2> address

       The above example assumes you want to use the same IPSec parameters as the 1st site, namely: 3DES, MD5, etc.  That way you only need the single isakmp policy ("isakmp policy 10") & a single transform set for both VPN peers.  Note that you must reference the same crypto map ("newmap") for all VPN peers & the VPN clients, but you use a different sequence number for each site-to-site peer, & a separate number for the VPN client settings.  If for some reason you must use different encryption & hash parameters to one of the sites, then of course that's easily done also.

       Since you indicate you want split-tunneling enabled, you'll want to create a separate split-tunnel ACL, which will be identical to the ACL line that matches traffic to the VPN client pool.  Referring to the example URL above, you'd do this for split-tunneling *on PIX 1*:
       access-list split_acl permit ip
       vpngroup vpn3000 split-tunnel split_acl

       What isn't in the example URL, which I highly recommend, is to enable "NAT traversal" on all PIXes.  Add the following on all PIXes (running 6.3 series) when configuring the isakmp parameters:   isakmp nat-t
       Once you've finished configuring VPN on a PIX, be sure to run "clear xlate" afterwards.

       Important NOTE: the VPN client pool on a PIX must *not* overlap either the internal LANs behind the PIX or the internal LAN of the PIX on the other side of a site-to-site VPN, or you'll hit a routing loop.  Also, the IP scheme for the local LAN where a VPN client PC resides must not overlap those same IPs, or you'll again hit a routing loop.  And, the local LANs behind each of the PIXes that are IPSec peers shouldn't overlap either.

      If you're still having problems after going through the example & the notes above, please post a complete but "sanitized" config (passwords removed, public IPs masked like so: x.x.x.82, but leave all subnet masks intact, & don't mask out private IPs) for both your primary PIX at the datacentre & the remote peer PIX.

      As for the client software, don't use the older 4.0.5 (doesn't play nice w/ Windows XP SP2); if possible download the latest 4.8 version, otherwise try the 4.6.
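Putting the accepted answer together for the central PIX, as an added example that is not calvinetter's or Cisco's configuration: the addressing, the peer IPs x.x.x.2 and x.x.x.3, the group name vpngrp and the key/password placeholders are all constructed, and the aaa-server AuthInbound definition from the question is assumed to already be present.

```text
! Central PIX (failover pair), PIX OS 6.3.  Constructed addressing:
!   inside LAN 192.168.1.0/24, site 2 LAN 192.168.2.0/24 behind peer x.x.x.2,
!   site 3 LAN 192.168.3.0/24 behind peer x.x.x.3, client pool 192.168.100.0/24 (overlaps no LAN).
! Traffic to the sites and to the client pool must bypass NAT
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! One "interesting traffic" ACL per site-to-site peer
access-list site2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! Split-tunnel ACL: only this destination is sent through the client tunnel
access-list split_acl permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPNpool 192.168.100.1-192.168.100.254
! Let decrypted IPSec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
! One transform set and one ISAKMP policy shared by both peers and the clients
crypto ipsec transform-set myset esp-3des esp-md5-hmac
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Per-peer keys; no-xauth/no-config-mode exempt the site peers from the
! client authentication that is applied to the whole crypto map below
isakmp key <key_for_site_2> address x.x.x.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key <key_for_site_3> address x.x.x.3 netmask 255.255.255.255 no-xauth no-config-mode
! One crypto map on the outside interface: a static entry per site, and the
! dynamic (client) entry with the highest sequence number so it is evaluated last
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address site2
crypto map newmap 10 set peer x.x.x.2
crypto map newmap 10 set transform-set myset
crypto map newmap 15 ipsec-isakmp
crypto map newmap 15 match address site3
crypto map newmap 15 set peer x.x.x.3
crypto map newmap 15 set transform-set myset
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmap 100 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication AuthInbound
crypto map newmap interface outside
! VPN client group (name and password are placeholders)
vpngroup vpngrp address-pool VPNpool
vpngroup vpngrp split-tunnel split_acl
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password <group_password>
```

Each remote PIX mirrors this with a single static crypto map entry: an ACL from its own LAN to 192.168.1.0/24, set peer pointing at the central outside address, the same key, transform set and isakmp policy, plus nat (inside) 0, sysopt connection permit-ipsec and isakmp nat-traversal. Run clear xlate on every box afterwards, as the answer says.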


    Author Comment

    Hi  calvinetter,

    Thanks for the quick reply...

    This client has had the 525 for a couple of years, and they have only ever had one site, but had travelling users using the Cisco Client, that PIX came with the 4.01 client!

    Now I am moving them into a data centre and then the two remote sites. I have just purchased the three 515's and set the two up in the datacentre already, and am setting up the third 515 next week (hence the question). These 515's have come with a VPN client disk that has 4.0.5 and 4.6 on it. Where can I download 4.8?? I have looked through the Cisco site and every time I think I have found where to download it from the site wants a CCO login, which I don't have! Is there a place on the Cisco site for upgrades within the 90 day support period?

    So following the example in the URL, PIX1 would be my failover pair in the datacentre, and PIX2 and PIX3 would be my two remote sites. I have not come across the concept of split tunneling before, would you mind explaining that a bit? I configured a site to site VPN on their existing 525 to a Linksys BEFSX41 I have here for support and did not use split tunneling.

    I had seen the Cisco article, but dismissed it (shows how much I know) as both the outside interfaces on the PIX's were on the same subnet and thought it did not apply to my situation!

    I cannot try this until mid next week, but I will keep you informed...


    LVL 20

    Expert Comment

    >Where can I download 4.8?
       And yes, unfortunately you can only download it with a CCO account.  Didn't you purchase SmartNet for your PIXes?  If so, then you can get a CCO login after registering your PIXes.  I strongly urge you to purchase SmartNet for them - this is normally yearly support, which completely covers the PIX - hardware & software, allows you to download new PIX OS software, as well as the VPN client app, plus you get free phone tech support.

    >I have not come across the concept of split tunneling before
       Well, split tunneling allows your VPN client PC to access the VPN resources via the encrypted IPSec tunnel while simultaneously allowing the PC to also access the Internet normally.  Because of this, split tunneling is less secure, since normal unencrypted Internet access is allowed while you're tunneling through the PIX to the critical internal subnets; if the PC is compromised, there's the potential for remote control from the Internet, allowing an intruder or malware app to have full access to whatever internal network resources you're allowing your VPN clients to reach.
       With split tunneling disabled (the default), when the VPN client PC establishes a VPN tunnel to the PIX, the PC is cut off from accessing the Internet & vice versa, & from the local LAN as well, so that the only network resources it can access are those at the other end of the encrypted tunnel.
       The decision to enable or disable split tunneling is up to you, your company security policy, & what you're willing to risk.

       The article in the URL can certainly be misleading regarding the IPs on the outside interfaces - I wish Cisco hadn't created their example that way.  Not to worry, the IPs on the outside interfaces don't matter - virtually 100% of the time they're on 2 totally different subnets.

