Cisco VPN client access to PIX501's internal network

Hi,

I have a PIX501 (PIX1) in front of some servers. The servers are accessed through some VPN tunnels (site to site) and it works perfectly. 8 site to site tunnels at the moment.

Now I also want to use a Cisco VPN Client, but I am a little unsure how to do it without breaking any of the existing functionality.

I just want to be able to connect to the 192.168.1.0 network with a VPN client.

Would this work? I think it may destroy the existing tunnels:

----------------------------
access-list no-nat-vpn permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list vpn-cryptomap permit ip any 172.16.31.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0
ip local pool vpn-pool 172.16.31.1-172.16.31.254
nat (inside) 0 access-list no-nat-vpn
sysopt connection permit-ipsec
crypto ipsec transform-set esp-aes-256 esp-3des esp-md5-hmac
crypto dynamic-map vpn-dynamic 188 match address vpn-cryptomap
crypto dynamic-map vpn-dynamic 188 set transform-set esp-aes-256
crypto map ipsec 65535 ipsec-isakmp dynamic vpn-dynamic
crypto map ipsec client authentication LOCAL
crypto map ipsec interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 188
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
vpngroup imxxx address-pool vpn-pool
vpngroup imxxx dns-server 195.xx.xx.2 2xx.xx.xx5.86
vpngroup imxxx idle-time 1800
vpngroup imxxx password imxxxaaaaaa
username image password 1A2b3c45 encrypted privilege 3
------------------------------

This is the PIX in front of the servers (pix1).

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OEvzd.wyg6yKVTht encrypted
passwd mhn41xxXX3aWi6lD encrypted
hostname PIX1
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 2xx.xx.42.25 ipo
name 2xx.xx.42.1 ipg
name 87.xx.xx.186 emm-hq
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 199 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list allow_inbound permit tcp host 80.xx.xx.242 interface outside eq 3389
access-list allow_inbound permit tcp host 2xx.xxx.42.2 interface outside eq 3389
access-list allow_inbound permit tcp host 85.xx.xx.210 interface outside eq 3389
access-list allow_inbound permit tcp host 2xx.xxx.42.2 interface outside eq 3390
access-list allow_inbound permit tcp host 80.xx.xx.242 interface outside eq 1433
access-list allow_inbound permit tcp host 85.xx.xx.210 interface outside eq 1433
access-list allow_inbound permit tcp host 2xx.xx.42.2 interface outside eq 1433
access-list allow_inbound permit tcp host 81.xx.xx.122 interface outside eq 1433
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 130 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 140 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 150 permit icmp any any
access-list 160 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 180 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 190 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging host inside 87.xx.xx.42
mtu outside 1500
mtu inside 1500
ip address outside ipo 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action drop
ip audit attack action drop
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 199
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.1.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 192.168.1.2 1433 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 ipg 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 2xx.xxx.42.2 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnlanset esp-aes-256 esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer emm-hq
crypto map mymap 10 set transform-set vpnlanset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 120
crypto map mymap 20 set peer 87.xx.xxx.102
crypto map mymap 20 set transform-set vpnlanset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 130
crypto map mymap 30 set peer 80.xxx.xxx.250
crypto map mymap 30 set transform-set vpnlanset
crypto map mymap 40 ipsec-isakmp
crypto map mymap 40 match address 140
crypto map mymap 40 set peer 80.xxx.xxx.46
crypto map mymap 40 set transform-set vpnlanset
crypto map mymap 50 ipsec-isakmp
crypto map mymap 50 match address 150
crypto map mymap 50 set peer 80.xxx.xxx.194
crypto map mymap 50 set transform-set vpnlanset
crypto map mymap 60 ipsec-isakmp
crypto map mymap 60 match address 160
crypto map mymap 60 set peer 80.xxx.xxx.202
crypto map mymap 60 set transform-set vpnlanset
crypto map mymap 70 ipsec-isakmp
crypto map mymap 70 match address 170
crypto map mymap 70 set peer 80.xxx.xxx.102
crypto map mymap 70 set transform-set vpnlanset
crypto map mymap 80 ipsec-isakmp
crypto map mymap 80 match address 180
crypto map mymap 80 set peer 62.xxx.xxx.42
crypto map mymap 80 set transform-set vpnlanset
crypto map mymap 90 ipsec-isakmp
crypto map mymap 90 match address 190
crypto map mymap 90 set peer 2xxx.xxx.42.20
crypto map mymap 90 set transform-set vpnlanset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup gr74-emm-bu1 idle-time 1800
vpngroup image idle-time 1800
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 2xx.xxx.42.2 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.200-192.168.1.231 inside
dhcpd dns 195.xx.xx.2 2xx.xx.225.86
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username imxxx password Eos6Js0xxxL7XX7v encrypted privilege 2
terminal width 120

------------------------------

Best regards Martin

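As an added example (not from Martin's post or the thread), this is how the remote-access client pieces can be layered onto the posted PIX1 config so the existing "mymap" crypto map, the "nat (inside) 0 access-list 199" statement and ISAKMP policy 10 are all left untouched. Names taken from the posted config: mymap, 199, LOCAL, vpnlanset and the masked group name imxxx; names assumed here: vpn-pool, split-tunnel, ravpnset, vpn-dynamic, ISAKMP policy priority 20, and the group password placeholder.

```cisco
: Added example, not the thread's own config. Remote-access client setup that coexists
: with the nine site-to-site entries (mymap 10-90) already bound to the outside interface.

: 1. Client address pool (same range Martin proposed)
ip local pool vpn-pool 172.16.31.1-172.16.31.254

: 2. The posted config already has "nat (inside) 0 access-list 199". Add the client pool
:    to that list instead of entering a second "nat (inside) 0" with another list name.
access-list 199 permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0

: 3. Split-tunnel list so clients only send 192.168.1.0/24 through the tunnel
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0 172.16.31.0 255.255.255.0

: 4. Transform set and dynamic map for the clients (assumed names). No "match address"
:    is needed in a dynamic map; the client supplies the proxy identities.
crypto ipsec transform-set ravpnset esp-aes-256 esp-md5-hmac
crypto dynamic-map vpn-dynamic 10 set transform-set ravpnset

: 5. Attach the dynamic map to the EXISTING map "mymap" with the highest sequence number.
:    Only one crypto map set can be bound to an interface, so "crypto map ipsec interface
:    outside" would replace mymap and drop every site-to-site tunnel; do not enter it.
crypto map mymap 65535 ipsec-isakmp dynamic vpn-dynamic
crypto map mymap client authentication LOCAL
crypto map mymap client configuration address respond

: 6. Separate ISAKMP policy priority; re-entering "isakmp policy 10 ..." would modify the
:    aes-256 / 86400 s policy the site-to-site peers currently negotiate.
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

: 7. Client group (DNS server as posted, masked; password is a placeholder)
vpngroup imxxx address-pool vpn-pool
vpngroup imxxx dns-server 195.xx.xx.2
vpngroup imxxx split-tunnel split-tunnel
vpngroup imxxx idle-time 1800
vpngroup imxxx password GROUP-PASSWORD-PLACEHOLDER
```

The "isakmp enable outside", "isakmp identity address" and "sysopt connection permit-ipsec" lines are already present in the posted config and are not repeated; XAUTH against LOCAL uses the existing "username" entries.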

Hey Martin, I'm no PIX/ASA guru myself, but I recently configured an ASA using...

l2l
easyvpn
RA (standard VPN client)

What I did was create a separate group for each one of these. The RA and easyvpn shared the same IP pool and split tunnel list.

CeykoVer
