Able to set up two VPNs on a Cisco PIX 506e?

I am helping someone set up a VPN in a new office. They recently merged offices and are sharing the same IP network, but they are two completely different domains (one uses static addresses). They share the PIX as their gateway (
I was told to set up a new VPN for the company that merged in; however, I just discovered that there is already a VPN in place for the company that was already in the office. This VPN is using RADIUS as the authentication server.

Is there a way to set up a parallel but separate VPN?

Relevant config below:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ACL-IN permit icmp any any echo
access-list ACL-IN permit icmp any any echo-reply
access-list ACL-IN permit tcp any host eq smtp
access-list ACL-IN permit tcp any host eq pop3
access-list ACL-IN permit tcp any host eq 3389
access-list ACL-IN permit tcp any host eq www
access-list ACL-IN permit tcp any host eq https
access-list ACL-IN deny ip any any log
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered informational
logging trap informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNUsers
pdm location inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
static (inside,outside) tcp https https netmask 255.255.255.255 0 0
access-group ACL-IN in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host ThxB2G0d timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup EDPRemote address-pool VPNUsers
vpngroup EDPRemote dns-server
vpngroup EDPRemote wins-server
vpngroup EDPRemote default-domain pgh.anglican.local
vpngroup EDPRemote idle-time 1800
vpngroup EDPRemote password ********
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
management-access inside
console timeout 0

Pete Long (Technical Consultant) commented:
Guys, a 506e cannot be upgraded above 6.3(5) (before the pedants shout at me, the 506e can be hacked to go higher, but it's not recommended to be used outside a test environment).
Mike is correct, simply add a further remote VPN group. I would also suggest a separate VPN pool for remote clients from domain "B"; you can even set up a separate RADIUS group pointing to domain B if you wish.
>>I am new to working with PIX and ASA firewalls.
Fair enough, use the PDM > Wizard > VPN Wizard > Remote access VPN > Next > Next > New group name > New group password > Next > Select your RADIUS server or use the PIX for authentication (if you select local you will add users on the next screen) > Set up a new DHCP pool (use a separate IP range than you use on domain A, domain B or the other VPN pool) > Next > Add DNS and domain server details for domain B > Next > Accept 3DES/MD5/group 2 > Next > (tick enable split tunneling if you want your clients to use it) > Enter your internal domain B network (make sure inside interface is selected) > Finish
Configure the client software: see the bottom of my page here (note how to set up a RADIUS server on that page as well :)
Sit back, light your pipe and admire your handiwork :)
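The same steps in PIX 6.3 CLI form, as an added example that is not from this thread: a second vpngroup with its own address pool and its own RADIUS server group, reusing the existing outside_map, outside_dyn_map and isakmp policy already in the config above. Every address, name and key below is a constructed placeholder, and the per-group authentication-server line is an assumption flagged in the comments.

```cisco
: Added example (not from the original thread): a second remote-access
: group on PIX 6.3 for domain B, alongside the existing EDPRemote group.
: All addresses, names and keys below are constructed placeholders.
:
: Separate address pool so domain B clients never overlap EDPRemote's
: pool or either office LAN (PIX 6.3 syntax: start-end range).
ip local pool VPNUsersB 10.20.0.1-10.20.0.50
:
: Separate RADIUS server group pointing at domain B's RADIUS host;
: RADIUS-B is a constructed tag, the shared secret is a placeholder.
aaa-server RADIUS-B protocol radius
aaa-server RADIUS-B max-failed-attempts 3
aaa-server RADIUS-B deadtime 10
aaa-server RADIUS-B (inside) host 10.10.0.5 <radius-b-secret> timeout 5
:
: Scope the nat 0 exemption and the split-tunnel list to domain B's
: subnet (10.10.0.0/24, constructed) and its pool, not "permit ip any",
: so domain A hosts are not reachable through this group by default.
access-list inside_outbound_nat0_acl permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list DomainB_splitTunnelAcl permit ip 10.10.0.0 255.255.255.0 any
:
: The new vpngroup: the group name is what the client sends as its IPSec
: group, the password is that group's pre-shared key, and dns/wins/
: default-domain are domain B's own. The existing dynamic crypto map and
: isakmp policy 20 serve both groups; nothing else in the crypto config changes.
vpngroup DomainB address-pool VPNUsersB
vpngroup DomainB dns-server 10.10.0.10
vpngroup DomainB wins-server 10.10.0.10
vpngroup DomainB default-domain domainb.local
vpngroup DomainB split-tunnel DomainB_splitTunnelAcl
vpngroup DomainB idle-time 1800
vpngroup DomainB password <domainb-group-key>
:
: ASSUMPTION: per-group user authentication via
: "vpngroup <name> authentication-server <tag>" is believed to exist in
: 6.3; verify against the 6.3 command reference. Without it, the existing
: "crypto map outside_map client authentication RADIUS" line sends every
: vpngroup's users to the same RADIUS group.
vpngroup DomainB authentication-server RADIUS-B
```

Check the result with "show vpngroup" and "show aaa-server" before handing out the group key; the two groups stay separate only if their pools and split-tunnel lists do not overlap.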
JesusFreak42 (Author) commented:
OK... Here's an idea to bounce off of y'all. Could I make another static NAT which takes the port for standard Windows VPN connections and directs it to the other server, letting that other server do all the authentication? Is this secure enough (this office situation will only last another 5 months)?

MikeKane commented:
You can have multiple VPNs on the same firewall.... just create a new vpngroup, crypto, and policy for the 2nd IP peer. Was that the question?
By parallel, do you mean a second VPN to the same peer?

This is not possible on versions 6 and 7 of the PIX/ASA software. I assume it's also not possible on version 8. See
Oh, read your question :)

You're talking about Remote access. Ignore me. Listen to MikeKane.
JesusFreak42 (Author) commented:
If we understand each other, yes, I am saying I need two VPNs, each pointing towards a separate domain/authentication, etc.
Ok. So it is possible. So now all I have to do is pull out my PIX manual and figure out how to do it as you've described. I'm only a lowly CCNA working my way up :).

MikeKane commented:
Just picture a 2nd peer-to-peer VPN with another auth group in the policy.....

This might help, at the bottom of the list are a bunch of config examples for VPN with auth....
JesusFreak42 (Author) commented:
I am new to working with PIX and ASA firewalls. As I said, I am a lowly CCNA. Currently the PIX is running firmware version 6.3(4) and PDM 3.0(2). Do you recommend any upgrades to these first? Will they make it easier? Will the updates break anything? :) I say this because many of the samples on that page you linked have a firmware of at least 7.
There will be guides for version 6. However, I'd recommend upgrading to 7 or 8 if your hardware will allow it. I find the newer versions easier to work with.
JesusFreak42 (Author) commented:
Ugh. I just found out we do not have a service contract. I cannot get any of the updates. Not even the PDM 3.0(4) that will work with the newer releases of Java. I'll just have to do it the old fashioned way :)
JesusFreak42 (Author) commented:
I do wish I had a pipe :)
Pete Long (Technical Consultant) commented:
Indeed :)
JesusFreak42 (Author) commented:
I will need to download an old version of Java. This version of the PDM doesn't like newer versions, and my client doesn't have a support contract so I cannot download a newer version of 3.0. I think the one that works is 3.0(5) or 3.0(4). Is there any way of finding these other than getting them directly from Cisco?

Pete Long (Technical Consultant) commented:
Use old Java, there's a link on the download section of my website :) As for software for the PIX, you need a valid support agreement to get that.