Able to set up two VPNs on a Cisco PIX 506e?

Posted on 2009-02-13
Last Modified: 2012-05-06
    I am helping someone set up a VPN in a new office. They recently merged offices and are sharing the same IP network, but they are two completely different domains (one uses static addresses). They share the PIX as their gateway (
    I was told to set up a new VPN for the company that merged in; however, I just discovered that there is already a VPN in place for the company that was already in the office. This VPN is using RADIUS as the authentication server.

Is there a way to set up a parallel but separate VPN?

Relevant config below:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ACL-IN permit icmp any any echo
access-list ACL-IN permit icmp any any echo-reply
access-list ACL-IN permit tcp any host eq smtp
access-list ACL-IN permit tcp any host eq pop3
access-list ACL-IN permit tcp any host eq 3389
access-list ACL-IN permit tcp any host eq www
access-list ACL-IN permit tcp any host eq https
access-list ACL-IN deny ip any any log
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered informational
logging trap informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNUsers
pdm location inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
static (inside,outside) tcp https https netmask 255.255.255.255 0 0
access-group ACL-IN in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host ThxB2G0d timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup EDPRemote address-pool VPNUsers
vpngroup EDPRemote dns-server
vpngroup EDPRemote wins-server
vpngroup EDPRemote default-domain pgh.anglican.local
vpngroup EDPRemote idle-time 1800
vpngroup EDPRemote password ********
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
management-access inside
console timeout 0

Question by: JesusFreak42

    Author Comment

    OK... Here's an idea to bounce off of y'all. Could I make another static NAT which takes the port for standard Windows VPN connections and directs it to the other server, letting that other server do all the authentication? Is this secure enough (this office situation will only last another 5 months)?

    LVL 33

    Assisted Solution

    You can have multiple VPNs on the same firewall.... just create a new VPNgroup , crypto, and policy for the 2nd IP peer.   Was that the question?
    LVL 4

    Expert Comment

    By parallel, do you mean a second VPN to the same peer?

    This is not possible on versions 6 and 7 of the PIX/ASA software. I assume it's also not possible on version 8. See
    LVL 4

    Expert Comment

    Oh, read your question :)

    You're talking about Remote access. Ignore me. Listen to MikeKane.

    Author Comment

    If we understand each other, yes, I am saying I need two VPNs, each pointing towards a separate domain/authentication, etc.
    OK. So it is possible. So now all I have to do is pull out my PIX manual and figure out how to do it as you've described. I'm only a lowly CCNA working my way up :).

    LVL 33

    Assisted Solution

    Just picture a 2nd Peer to peer vpn with another auth group in the policy.....

    This might help, at the bottom of the list are a bunch of config examples for VPN with auth....

    Author Comment

    I am new to working with PIX and ASA firewalls. As I said, I am a lowly CCNA. Currently the PIX is running firmware version 6.3(4) and PDM 3.0(2). Do you recommend any upgrades to these first? Will they make it easier? Will the updates break anything? :) I say this because many of the samples on that page you linked have a firmware of at least 7.
    LVL 4

    Expert Comment

    There will be guides for version 6. However, I'd recommend upgrading to 7 or 8 if your hardware will allow it. I find the newer versions easier to work with.

    Author Comment

    Ugh. I just found out we do not have a service contract. I cannot get any of the updates. Not even the PDM 3.0(4) that will work with the newer releases of Java. I'll just have to do it the old fashioned way :)
    LVL 57

    Accepted Solution

    Guys, a 506e cannot be upgraded above 6.3(5) (before the pedants shout at me: the 506e can be hacked to go higher, but it's not recommended to be used outside a test environment).
    Mike is correct, simply add a further remote VPN group. I would also suggest a separate VPN pool for remote clients from domain "B"; you can even set up a separate RADIUS group pointing to domain B if you wish.
    >>I am new to working with PIX and ASA firewalls.
    Fair enough, use the PDM > Wizard > VPN Wizard > Remote access VPN > Next > Next > New group name > New Group Password > Next > Select your RADIUS server or use the PIX for authentication (if you select local you will add users on the next screen) > Set up a new DHCP pool (use a separate IP range from the ones you use on domain A, domain B or the other VPN pool) > Next > Add DNS and domain server details for domain B > Next > Accept 3des/md5/group2 > Next > (tick enable split tunneling if you want your clients to use it) > Enter your internal domain B network (make sure inside interface is selected) > Finish
    Configure the client software, see the bottom of my page here (note how to set up a RADIUS server on that page as well :)
    Sit back, light your pipe and admire your handiwork :)
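    The wizard steps above, written out as the PIX 6.3 CLI they produce, so the second group can be checked against the posted running config. This is an added example and not part of the thread or the poster's configuration: the group name DomainBRemote, the pool VPNUsersB, the AAA group RADIUSB, the split-tunnel ACL name, and every address, domain and key are placeholders to be replaced with domain B's real values.

```cisco
! Added example (not from the original thread): a second remote-access
! vpngroup for the merged-in company on PIX 6.3, alongside the existing
! EDPRemote group. All names, addresses and keys below are placeholders.

! Separate address pool for domain B clients. Pick a range that does not
! overlap the office LAN, either domain's subnets, or the existing VPNUsers pool.
ip local pool VPNUsersB 192.0.2.1-192.0.2.50

! Optional second RADIUS server group pointing at domain B's RADIUS server.
! Placeholder host and shared secret; the secret must differ per server.
aaa-server RADIUSB protocol radius
aaa-server RADIUSB max-failed-attempts 3
aaa-server RADIUSB deadtime 10
aaa-server RADIUSB (inside) host 10.0.1.20 <radius-shared-secret> timeout 5

! Split-tunnel ACL: only domain B's internal network (placeholder 10.0.1.0/24)
! is sent through the tunnel; everything else leaves the client directly.
access-list DomainB_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.0.2.0 255.255.255.192

! The new group. Group name and group password are what the Cisco VPN Client
! is configured with on its Group Authentication tab; users then get an XAUTH
! prompt for their domain credentials.
vpngroup DomainBRemote address-pool VPNUsersB
vpngroup DomainBRemote dns-server 10.0.1.10
vpngroup DomainBRemote wins-server 10.0.1.10
vpngroup DomainBRemote default-domain domainb.example
vpngroup DomainBRemote split-tunnel DomainB_splitTunnelAcl
vpngroup DomainBRemote idle-time 1800
vpngroup DomainBRemote password <group-pre-shared-key>

! NAT exemption: the posted config's inside_outbound_nat0_acl is "permit ip any ..."
! and already covers any pool. If that ACL is ever narrowed, add the new pool, e.g.:
! access-list inside_outbound_nat0_acl permit ip 10.0.1.0 255.255.255.0 192.0.2.0 255.255.255.192
```

    Two things to check after pasting this in. First, XAUTH in the posted config is bound at the crypto map (`crypto map outside_map client authentication RADIUS`), not per vpngroup, so confirm in the 6.3 command reference which AAA group the new group is actually challenged against before assuming RADIUSB is used; if both domains' servers end up in one group, the PIX only fails over between them on timeout, not on a rejected login. Second, keep the pool out of both domains' address space, otherwise the split-tunnel ACL and the nat 0 exemption cannot tell a remote client from a local host.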

    Author Comment

    I do wish I had a pipe :)
    LVL 57

    Expert Comment

    by: Pete Long
    indeed :)

    Author Comment

    I will need to download an old version of Java. This version of the PDM doesn't like newer versions, and my client doesn't have a support contract so I cannot download a newer version of 3.0. I think the one that works is 3.0(5) or 3.0(4). Is there any way of finding these other than getting them directly from Cisco?

    LVL 57

    Expert Comment

    by: Pete Long
    Use old Java, there's a link in the download section of my website :) As for software for the PIX, you need a valid support agreement to get that.
    LVL 57

    Expert Comment

    by: Pete Long
