PIX 515 - can Use VPN300 Client and PIX-to-PIX VPN at the same time?

I have a PIX 515 through which I currently have a handful of users who use the V.4 Cisco VPN software client to connect to our network. We have one remote site for which we would like to install a hardware VPN using a PIX 501 to connect to our existing PIX 515.

I successfully reconfigured the 501 and the 515 with a VPN tunnel.

Unfortunately, this broke the software VPN.

I have been able to reduce this down to a single configuration line:

crypto map newmap interface outside
crypto map Remote-Map interface outside

(the rest of the relevant config is posted below)

With the first crypto map, the soft VPN works; with the second, the hardware VPN works. With both, the second command overlays the first.

1) Is it even possible to have both the hard and soft VPNs through the same interface?
2) If so, how do I syntactically merge the maps, or attach the maps to an interface?
3) There is some admittedly elderly firmware on the 515 (6.1(4)); might that be a factor? The 501 is new.
4) We will want to attach several hardware VPNs (buy a couple more 501s for different sites) to this interface, if this works. Are multiple hardware VPNs through a single interface a show-stopper?

Thanks,

Steve

name ccc.ccc.ccc.ccc Remote-PIX
name aaa.aaa.aaa.0 Main-Network
name bbb.bbb.bbb.0 Remote-Network
access-list dialvpn permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
access-list Remote-Tunnel permit ip Main-Network 255.255.255.0 Remote-Network 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside zzz.zzz.zzz.158 255.255.255.252
ip address inside aaa.aaa.aaa.5 255.255.255.0
ip local pool dialvpn 192.168.51.1-192.168.51.254
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 zzz.zzz.zzz.157 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set dialvpnset esp-des esp-md5-hmac
crypto ipsec transform-set Tunnelset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set dialvpnset
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside
crypto map Remote-Map interface outside
crypto map Remote-Map 1 ipsec-isakmp
crypto map Remote-Map 1 match address Remote-Tunnel
crypto map Remote-Map 1 set peer Remote-PIX
crypto map Remote-Map 1 set transform-set Tunnelset
isakmp enable outside
isakmp key ******** address Remote-PIX netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool dialvpn
vpngroup vpn3000-all dns-server primaryDNS secondary DNS
vpngroup vpn3000-all split-tunnel dialvpn
vpngroup vpn3000-all idle-time 36000
vpngroup vpn3000-all password ********
vpngroup group idle-time 1800

Stephen M

You can only apply one crypto map to the outside interface, but you can have more than one entry in a crypto map, with different sequence numbers. For example, you could replace "crypto map Remote-Map 1" with "crypto map newmap 20".

Note that I never used the command "crypto map newmap client configuration address respond", so I am not sure what impact it will have on your lan2lan VPN.

mcaissie
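As an added example (not part of the thread), here is the single merged crypto map the reply describes, built from the names in the original config: the static site-to-site entries take the lowest sequence numbers so they are matched before the catch-all dynamic entry, and a hypothetical second 501 site (the Site2-* names and the ddd/eee placeholder addresses are invented for illustration) shows how further hardware peers are added to the same map. Lines beginning with "!" are explanatory comments, not PIX commands.

```cisco
! Reuse the existing objects: Remote-PIX, Remote-Network, Remote-Tunnel,
! Tunnelset, dynmap and the isakmp key for Remote-PIX stay as they are.

! Static (site-to-site) entry for the first PIX 501, lowest sequence number.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address Remote-Tunnel
crypto map newmap 10 set peer Remote-PIX
crypto map newmap 10 set transform-set Tunnelset

! Hypothetical second hardware site: its own name objects, interesting-traffic
! ACL, NAT exemption, pre-shared key and crypto map entry (next sequence number).
name ddd.ddd.ddd.ddd Site2-PIX
name eee.eee.eee.0 Site2-Network
access-list Site2-Tunnel permit ip Main-Network 255.255.255.0 Site2-Network 255.255.255.0
access-list nonat permit ip Main-Network 255.255.255.0 Site2-Network 255.255.255.0
isakmp key ******** address Site2-PIX netmask 255.255.255.255
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address Site2-Tunnel
crypto map newmap 20 set peer Site2-PIX
crypto map newmap 20 set transform-set Tunnelset

! Dynamic entry for the software clients (unknown source addresses) goes last,
! with the highest sequence number, so it never shadows a static peer.
crypto map newmap 100 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond

! Exactly one map is bound to the interface: drop the Remote-Map binding
! (and its seq-1 entries, now covered by newmap 10) and bind newmap alone.
no crypto map Remote-Map interface outside
crypto map newmap interface outside
```

After applying the change, a tunnel that still fails can be checked per entry with "show crypto map" and "show crypto ipsec sa" on the 515, which show which sequence number a peer's traffic matched.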
