pix 501 - VPN site-to-Site

Hello, I have 2 PIX firewalls and I have VPN site to site.

I tried so many times to do a VPN server and nothing works.

This is my VPN config - what do I have to do to be able to connect to the Office via Cisco VPN Client?

Office
IP address Outside = 100.100.100.100
IP address inside = 192.168.1.254

access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 90
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toRemote 20 ipsec-isakmp
crypto map toRemote 20 match address 90
crypto map toRemote 20 set peer 90.90.90.90
crypto map toRemote 20 set transform-set strong
crypto map toRemote interface outside
isakmp enable outside
isakmp key ****** address 90.90.90.90 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des

Remote office
IP address Outside = 90.90.90.90
IP address inside = 10.0.0.254

access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat 0 access-list 80
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toOffice 10 ipsec-isakmp
crypto map toOffice 10 match address 80
crypto map toOffice 10 set peer 100.100.100.100
crypto map toOffice 10 set transform-set strong
crypto map toOffice interface outside
isakmp enable outside
isakmp key ****** address 100.100.100.100 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des

Reply to
Robert

I got the same problem. Anyone got a solution?

Reply to
Peter

Do not use the same access list name for two different purposes. Create different ACLs for use with nat 0 access-list and crypto map.

Reply to
Walter Roberson

It should be OK

How can I create a VPN server (PIX1) - I tried so many things - so I can not manage this

access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ASCD permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

Reply to
Robert

The portion of the configuration you provided looks okay.

I would suggest explicitly putting in the (inside) on the remote office's nat 0 access-list statement, but it will assume the (inside) anyhow so it is just a matter of making it easier to read.

Is that the complete policy? You didn't set the group, and you didn't set the hash? sha is the default, which should not be a problem, but it is best to specify these things explicitly.

What do you get when you

debug crypto ipsec 2
debug crypto isakmp 2

and try to make a connection?

Reply to
Walter Roberson
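
The two points raised in the replies above (one access list shared between nat 0 and the crypto map, and an isakmp policy that leaves hash and group at their defaults) can be checked mechanically. The following is an added example, not code from any poster in this thread; the function name audit_pix_config is hypothetical and the sample input is the office fragment quoted in the first post, trimmed to the relevant lines.

```python
import re
from collections import defaultdict

# Constructed sample: the office PIX fragment quoted in the thread, trimmed.
OFFICE_CONFIG = """\
access-list 90 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 90
crypto map toRemote 20 match address 90
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
"""

def audit_pix_config(text):
    """Return a sorted list of findings for a PIX-style config fragment."""
    nat0_acls, crypto_acls = set(), set()
    policies = defaultdict(set)  # policy number -> attributes set explicitly
    for raw in text.splitlines():
        line = raw.strip()
        # "nat 0 access-list X", with or without the "(inside)" interface name
        m = re.match(r"nat\s+(?:\(\S+\)\s+)?0\s+access-list\s+(\S+)", line)
        if m:
            nat0_acls.add(m.group(1))
        m = re.match(r"crypto map\s+\S+\s+\d+\s+match address\s+(\S+)", line)
        if m:
            crypto_acls.add(m.group(1))
        m = re.match(r"isakmp policy\s+(\d+)\s+(\S+)", line)
        if m:
            policies[m.group(1)].add(m.group(2))
    findings = []
    # One ACL serving both purposes: the thing the reply advises against
    for acl in nat0_acls & crypto_acls:
        findings.append(f"access-list {acl} is used by both nat 0 and crypto map")
    # Policies that rely on defaults for hash or group
    for num, attrs in policies.items():
        for attr in ("hash", "group"):
            if attr not in attrs:
                findings.append(f"isakmp policy {num} does not set {attr} explicitly")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_pix_config(OFFICE_CONFIG):
        print(finding)
```
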

No, it was a basic config

it is OK

VPN Site to site works perfect - no problems

I do not know how to access 1 PIX from home via Cisco VPN client using the vpngroup command

I tried so many things and nothing

The story is: before VPN site to site there was VPN to office and VPN to remote office - it was OK. Then workers said they do not want to enable VPN client to connect to remote office. I created VPN site to site - but somehow I could not connect using VPN client

I removed VPN server config and left Site to site

Now users want to connect to remote office (site to site) and they want to work from home using VPN client, and I can not manage this

I did even this

formatting link
does not work

I am hopeless, I do not know how to do it

I do not have a Cisco username and password (I am registered but I do not have access to a looooot of stuff)

Robert

Reply to
Robert
