Adding VPN client to Cisco 506 PIX messes up office-to-office tunnel

Wow! Didn't realise that Google Groups is still alive and kicking!

Anyway, I have this really annoying problem:

Current situation is that I have 3 office-to-office VPN tunnels:
  HQ to office A (PIX 506 to PIX 501)
  HQ to office B (PIX 506 to PIX 506)
  HQ to office C (PIX 506 to Linksys)

All offices (HQ, offices A, B, C) have VPN tunnels to each other (mesh connection), and everything works very well.

However, I installed the VPN client on my firewall (HQ) so that a user can connect to the office (which works pretty damn good - with split tunnel and all...), and the HQ to office C tunnel does not work anymore!

Notes:

  1. Removing the VPN client settings on the HQ firewall brings back the connection to Office C, so it is definitely related to the VPN client config
  2. Office A has the VPN client working perfectly, and still has connections to Office C (so I don't think this is a problem with the Linksys)

So what am I doing wrong here?

jsmith54

I think we'd need to see the config of the HQ firewall complete with the vpn client settings.

Walter Roberson

Hi Walter,

Thanks for the reply. I have listed the configs below (encrypted passwords and internet IP addresses have been filtered out):

1) config without vpn client settings (can connect with Office C)

=============================================

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.50.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit icmp any any
access-list acl_in permit ip any any
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 10.2.50.0 255.255.255.0
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 10.2.50.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 netmask 255.255.255.240
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group 101 in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 1:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 192.168.1.10 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.10 pix.txt
floodguard enable
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map extvpn 30 ipsec-isakmp
crypto map extvpn 30 match address 130
crypto map extvpn 30 set peer
crypto map extvpn 30 set transform-set ESP-3DES-SHA
crypto map extvpn 40 ipsec-isakmp
crypto map extvpn 40 match address 140
crypto map extvpn 40 set peer
crypto map extvpn 40 set transform-set ESP-3DES-SHA
crypto map extvpn 50 ipsec-isakmp
crypto map extvpn 50 match address 150
crypto map extvpn 50 set peer
crypto map extvpn 50 set transform-set ESP-3DES-SHA
crypto map extvpn interface outside
isakmp enable outside
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:28289529c6837a9f3e0479fb04d54013

==============================================

2) config with vpn client settings (no more connection to Office C)

==============================================

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 ** subnet for Office A **
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.50.0 255.255.255.0 ** subnet for Office B **
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 ** subnet for Office C **
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.7.10.0 255.255.255.0 ** subnet for vpn client **
access-list 101 permit icmp any any
access-list acl_in permit ip any any
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 10.2.50.0 255.255.255.0
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn-client-split permit ip 10.7.10.0 255.255.255.0 any
access-list vpn-client-split permit ip 192.168.1.0 255.255.255.0 any
pager lines 9999
mtu outside 1500
mtu inside 1500
ip address outside 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool my-addr-pool 10.7.10.1-10.7.10.20
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 10.2.50.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 netmask 255.255.255.240
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group 101 in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 1
timeout xlate 1:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 192.168.1.10 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.10 pix.txt
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map extvpn 30 ipsec-isakmp
crypto map extvpn 30 match address 130
crypto map extvpn 30 set peer
crypto map extvpn 30 set transform-set ESP-3DES-SHA
crypto map extvpn 40 ipsec-isakmp
crypto map extvpn 40 match address 140
crypto map extvpn 40 set peer
crypto map extvpn 40 set transform-set ESP-3DES-SHA
crypto map extvpn 50 ipsec-isakmp
crypto map extvpn 50 match address 150
crypto map extvpn 50 set peer
crypto map extvpn 50 set transform-set ESP-3DES-SHA
crypto map extvpn 99 ipsec-isakmp dynamic dynmap
crypto map extvpn client authentication LOCAL
crypto map extvpn interface outside
isakmp enable outside
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local my-addr-pool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
vpngroup vpn3000 address-pool my-addr-pool
vpngroup vpn3000 dns-server 192.168.1.10
vpngroup vpn3000 default-domain
vpngroup vpn3000 split-tunnel vpn-client-split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
username password encrypted privilege 2
terminal width 80
Cryptochecksum:dd1e37f470309620ac5fed48ee132f96

==============================================

jsmith54
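The two configs above are what a reviewer would compare line by line before guessing at a cause. The script below is an added example, not code from the thread or from Cisco: it embeds constructed, abridged excerpts of the two posted configs (only the NAT-exemption, pool and crypto-map lines, with the addresses and names exactly as posted), reports which commands were added or removed, and then runs three checks a PIX 6.x reviewer wants answered for a remote-access addition: that the dynamic crypto map entry is sequenced after every static LAN-to-LAN entry (entries are tried in ascending sequence order), that the client address pool is a destination of the nat 0 exemption ACL, and that the pool does not overlap any site-to-site crypto ACL destination. The function names and the abridgement are mine.

```python
"""Diff two PIX 6.x configs and sanity-check the remote-access (vpngroup) additions.
BEFORE/AFTER are constructed, abridged excerpts of the two posted configs (values as posted)."""
import ipaddress
import re

BEFORE = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.2.50.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
nat (inside) 0 access-list nonat
crypto map extvpn 30 ipsec-isakmp
crypto map extvpn 30 match address 130
crypto map extvpn 50 ipsec-isakmp
crypto map extvpn 50 match address 150
crypto map extvpn interface outside
"""
# Second posted config: one value changed, remote-access lines appended.
AFTER = BEFORE.replace("pager lines 24", "pager lines 9999") + """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.7.10.0 255.255.255.0
access-list vpn-client-split permit ip 192.168.1.0 255.255.255.0 any
ip local pool my-addr-pool 10.7.10.1-10.7.10.20
sysopt connection permit-ipsec
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map extvpn 99 ipsec-isakmp dynamic dynmap
crypto map extvpn client authentication LOCAL
"""

ACE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MATCH_ADDR = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse_pix(text):
    """One command per element, blank lines dropped (a PIX prints no comments)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def diff_configs(before, after):
    """Order-insensitive diff: (added, removed) command lists in their config order."""
    b_set, a_set = set(parse_pix(before)), set(parse_pix(after))
    added = [ln for ln in parse_pix(after) if ln not in b_set]
    removed = [ln for ln in parse_pix(before) if ln not in a_set]
    return added, removed

def _net(spec):
    """A PIX 'addr mask' pair (or the keyword 'any') as an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec.replace(" ", "/"), strict=False)

def acl_destinations(lines, acl_name):
    """Destination networks of every 'permit ip' ACE in the named access-list."""
    matches = (ACE.match(ln) for ln in lines)
    return [_net(m.group(3)) for m in matches if m and m.group(1) == acl_name]

def pool_networks(lines, pool_name):
    """The 'ip local pool' range, summarised into CIDR networks ([] if absent)."""
    for m in filter(None, map(POOL.match, lines)):
        if m.group(1) == pool_name:
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            return list(ipaddress.summarize_address_range(first, last))
    return []

def crypto_map_entries(lines, map_name):
    """{sequence: 'static' | 'dynamic'} for every entry of the named crypto map."""
    return {int(m.group(2)): "dynamic" if m.group(3) else "static"
            for m in map(MAP_ENTRY.match, lines) if m and m.group(1) == map_name}

def dynamic_entries_last(lines, map_name):
    """Entries are tried in ascending sequence order, so the dynamic (remote-access
    template) entry must sort after every static LAN-to-LAN entry."""
    kinds = crypto_map_entries(lines, map_name)
    statics = [s for s, k in kinds.items() if k == "static"]
    dynamics = [s for s, k in kinds.items() if k == "dynamic"]
    return not (statics and dynamics) or min(dynamics) > max(statics)

def nonat_covers_pool(lines, pool_name):
    """True if every client-pool address is a destination of the nat 0 (NAT-exempt) ACL."""
    acl = next((m.group(1) for m in map(NAT0.match, lines) if m), None)
    pool = pool_networks(lines, pool_name)
    if acl is None or not pool:
        return False
    return all(any(p.subnet_of(d) for d in acl_destinations(lines, acl)) for p in pool)

def pool_overlaps_site_acls(lines, map_name, pool_name):
    """[(sequence, acl)] for static entries whose crypto ACL destination overlaps the pool."""
    pool = pool_networks(lines, pool_name)
    hits = []
    for m in filter(None, map(MATCH_ADDR.match, lines)):
        if m.group(1) == map_name and any(
                p.overlaps(d) for p in pool for d in acl_destinations(lines, m.group(3))):
            hits.append((int(m.group(2)), m.group(3)))
    return hits

if __name__ == "__main__":
    added, removed = diff_configs(BEFORE, AFTER)
    print(*["+ " + ln for ln in added], *["- " + ln for ln in removed], sep="\n")
    after = parse_pix(AFTER)
    print(dynamic_entries_last(after, "extvpn"), nonat_covers_pool(after, "my-addr-pool"),
          pool_overlaps_site_acls(after, "extvpn", "my-addr-pool"))
```

Run against the posted excerpts, all three checks pass (the dynamic entry is 99, the pool 10.7.10.1-20 sits inside the new nonat destination 10.7.10.0/24, and no site ACL touches that range), which is why a reviewer would next turn to the lines the diff flags that these checks do not cover, such as the `client authentication` and `sysopt` additions.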

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.