Able to set up two VPNs on a Cisco PIX 506e?

Posted on 2009-02-13
Last Modified: 2012-05-06
I am helping someone set up a VPN in a new office. They recently merged offices and are sharing the same IP network, but they are two completely different domains (one uses static addresses). They share the PIX as their gateway (
I was told to set up a new VPN for the company that merged in; however, I just discovered that there is already a VPN in place for the company that was already in the office. This VPN is using RADIUS as the authentication server.

Is there a way to set up a parallel but separate VPN?

Relevant config below:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ACL-IN permit icmp any any echo
access-list ACL-IN permit icmp any any echo-reply
access-list ACL-IN permit tcp any host eq smtp
access-list ACL-IN permit tcp any host eq pop3
access-list ACL-IN permit tcp any host eq 3389
access-list ACL-IN permit tcp any host eq www
access-list ACL-IN permit tcp any host eq https
access-list ACL-IN deny ip any any log
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
logging on
logging timestamp
logging console debugging
logging buffered informational
logging trap informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNUsers
pdm location inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
static (inside,outside) tcp https https netmask 255.255.255.255 0 0
access-group ACL-IN in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host ThxB2G0d timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup EDPRemote address-pool VPNUsers
vpngroup EDPRemote dns-server
vpngroup EDPRemote wins-server
vpngroup EDPRemote default-domain pgh.anglican.local
vpngroup EDPRemote idle-time 1800
vpngroup EDPRemote password ********
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
management-access inside
console timeout 0

Question by:JesusFreak42

Author Comment

ID: 23637192
OK... Here's an idea to bounce off of y'all. Could I make another static NAT which takes the port for standard Windows VPN connections and directs it to the other server, letting that other server do all the authentication? Is this secure enough (this office situation will only last another 5 months)?

LVL 33

Assisted Solution

MikeKane earned 400 total points
ID: 23637294
You can have multiple VPNs on the same firewall.... just create a new vpngroup, crypto, and policy for the 2nd IP peer. Was that the question?

Expert Comment

ID: 23637518
By parallel, do you mean a second VPN to the same peer?

This is not possible on versions 6 and 7 of the PIX/ASA software. I assume it's also not possible on version 8. See http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_multiple_VPN_tunnels_to_one_remote_end_(same_public_IP_address)_on_the_PIX/Adaptive_Security_Appliance_(ASA)_or_router.

Expert Comment

ID: 23637531
Oh, read your question :)

You're talking about Remote access. Ignore me. Listen to MikeKane.

Author Comment

ID: 23637610
If we understand each other, yes, I am saying I need two VPNs, each pointing towards a separate domain/authentication, etc.
Ok. So it is possible. So now all I have to do is pull out my PIX manual and figure out how to do it as you've described. I'm only a lowly CCNA working my way up :).

LVL 33

Assisted Solution

MikeKane earned 400 total points
ID: 23637736
Just picture a 2nd Peer to peer vpn with another auth group in the policy.....

This might help, at the bottom of the list are a bunch of config examples for VPN with auth....

Author Comment

ID: 23637836
I am new to working with PIX and ASA firewalls. As I said, I am a lowly CCNA. Currently the PIX is running firmware version 6.3(4) and PDM 3.0(2). Do you recommend any upgrades to these first? Will they make it easier? Will the updates break anything? :) I say this because many of the samples on that page you linked have a firmware of at least 7.

Expert Comment

ID: 23637931
There will be guides for version 6. However, I'd recommend upgrading to 7 or 8 if your hardware will allow it. I find the newer versions easier to work with.

Author Comment

ID: 23638034
Ugh. I just found out we do not have a service contract. I cannot get any of the updates. Not even the PDM 3.0(4) that will work with the newer releases of Java. I'll just have to do it the old fashioned way :)

LVL 57

Accepted Solution

Pete Long earned 1600 total points
ID: 23644361
Guys, a 506e cannot be upgraded above 6.3(5): http://www.petenetlive.com/Tech/Firewalls/Cisco/pixupgrade.htm (before the pedants shout at me, the 506e can be hacked to go higher, but it's not recommended to be used outside a test environment).
Mike is correct; simply add a further remote VPN group. I would also suggest a separate VPN pool for remote clients from domain "B"; you can even set up a separate RADIUS group pointing to domain B if you wish.
>>I am new to working with PIX and ASA firewalls.
Fair enough. Use the PDM > Wizard > VPN Wizard > Remote access VPN > Next > Next > New group name > New Group Password > Next > Select your RADIUS server or use the PIX for authentication (if you select local you will add users on the next screen) > Set up a new DHCP pool (use a separate IP range than you use on domain A, domain B or the other VPN pool) > Next > Add DNS and domain server details for domain B > Next > Accept 3des/md5/group2 > Next > (tick enable split tunneling if you want your clients to use it) > Enter your internal domain B network {make sure inside interface is selected} > Finish
Configure the client software; see the bottom of my page here http://www.petenetlive.com/Tech/Firewalls/Cisco/c2svpnRADIUS.htm {note how to set up a RADIUS server on that page as well :)
Sit back, light your pipe and admire your handiwork :)
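What the wizard steps above produce in PIX 6.3 CLI terms, as an added example that is not part of the accepted answer or of the poster's config. Every address, name and secret here is a constructed placeholder: 10.99.2.0/24 is the new client pool, 192.168.20.0/24 the domain B LAN, 192.168.20.10 its DNS/RADIUS host; the existing EDPRemote group, VPNUsers pool and RADIUS server group are left untouched.

```text
! Added example (not from the thread): second remote-access VPN group for the
! merged-in "domain B" company on the same PIX 506e running 6.3.
! All addresses/names are constructed placeholders, not values from the thread.

! 1. Separate client pool; must not overlap domain A, domain B or the existing
!    VPNUsers pool, otherwise both groups' clients collide on the inside
ip local pool VPNUsersB 10.99.2.1-10.99.2.50

! 2. The NAT-exempt ACL and the dynamic crypto map ACL in the posted config
!    both read "permit ip any <pool>"; the new pool needs its own entries or
!    domain B clients will be NATted / not matched by the dynamic map
access-list inside_outbound_nat0_acl permit ip any 10.99.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.99.2.0 255.255.255.0

! 3. Split-tunnel ACL (inside network -> client pool) so domain B clients only
!    send domain B traffic through the tunnel
access-list DomainB_splitTunnel permit ip 192.168.20.0 255.255.255.0 10.99.2.0 255.255.255.0

! 4. Optional second RADIUS server group pointing at domain B's server.
!    Note: the posted "crypto map outside_map client authentication RADIUS"
!    line is per crypto map, not per group, so check the 6.3 vpngroup options
!    (or "show vpngroup") before relying on per-group RADIUS selection.
aaa-server RADIUS-B protocol radius
aaa-server RADIUS-B max-failed-attempts 3
aaa-server RADIUS-B deadtime 10
aaa-server RADIUS-B (inside) host 192.168.20.10 <RADIUS-B-SHARED-SECRET> timeout 5

! 5. The new group; its name and group password are what domain B users enter
!    in the Cisco VPN Client, alongside the existing EDPRemote group
vpngroup DomainBRemote address-pool VPNUsersB
vpngroup DomainBRemote dns-server 192.168.20.10
vpngroup DomainBRemote default-domain domainb.local
vpngroup DomainBRemote split-tunnel DomainB_splitTunnel
vpngroup DomainBRemote idle-time 1800
vpngroup DomainBRemote password <DOMAINB-GROUP-PASSWORD>
```

The existing isakmp policy 20 and transform set are shared by both groups, so the DES/MD5 settings in the posted config apply to domain B clients as well unless a stronger policy is added.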

Author Comment

ID: 23644775
I do wish I had a pipe :)

LVL 57

Expert Comment

by:Pete Long
ID: 23644795
indeed :)

Author Comment

ID: 23644902
I will need to download an old version of Java. This version of the PDM doesn't like newer versions, and my client doesn't have a support contract so I cannot download a newer version of 3.0. I think the one that works is 3.0(5) or 3.0(4). Is there any way of finding these other than getting them directly from Cisco?

LVL 57

Expert Comment

by:Pete Long
ID: 23645190
Use old Java; there's a link on the download section of my website :) As for software for the PIX, you need a valid support agreement to get that.
LVL 57

Expert Comment

by:Pete Long
ID: 23768958
