Pix site to site and client VPN

Hi All,

I have a PIX 515 with version 6.3(3). I have a site to site VPN up and running fine. I am adding client VPN access to this now. All clients will use the Cisco VPN Client 4.6. I followed some instructions I found online and have made the connection to the PIX from a client.

Relevant config:

access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list split permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0

nat (inside) 0 access-list outside_cryptomap_20

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 212.39.xxx.xxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 212.39.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Users address-pool vpnpool
vpngroup Users dns-server 192.168.0.22
vpngroup Users wins-server 192.168.0.22
vpngroup Users default-domain highstreetnetworks.com
vpngroup Users split-tunnel split
vpngroup Users idle-time 1800
vpngroup Users password ********

The problem is that when I ping from the client to inside (192.168.0.75) I get no response. I have done a tcpdump on the inside host and see the echo-request arriving and the echo-response leaving. When I do a debug icmp trace on the PIX I see the request and reply, but I can't see where the reply is going. I am sure it is not going out the correct tunnel. It may be going out the site to site tunnel but I can't figure out how to see which tunnel that reply is going out on.

Are there any debugging techniques that I can use to verify this?

Thanks

Glenn

Reply to
Glennmac
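The question of which tunnel the echo-reply leaves on can be reasoned about from the posted config alone. The Python script below is an added example, not from this thread or from Cisco. It parses the crypto-relevant lines of the posted config and applies the PIX rule for outbound traffic on the crypto-mapped interface: crypto map entries are tested in ascending sequence order, the first static entry whose match-address ACL permits the flow claims the packet, and a dynamic entry only receives flows that a remote-access client has already negotiated an SA for. Everything not in the posted lines is an assumption: the client SA (192.168.0.0/24 to a client assigned 192.168.168.10, which is what the split ACL would negotiate), the FIXED_CONFIG variant with a separate nonat ACL, and the internet test address 198.51.100.1.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed input: the crypto-relevant lines of the configuration posted in
# the thread, with the masked peer address left exactly as it was typed.
POSTED_CONFIG = """
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 212.39.xxx.xxx
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

# Assumed variant (not from the thread): the static entry's ACL describes only
# the remote site, and a separate ACL (named nonat here) carries the NAT
# exemption for both the remote site and the client pool.
FIXED_CONFIG = """
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.23.52.240 255.255.255.252
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.168.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 212.39.xxx.xxx
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


@dataclass
class CryptoEntry:
    seq: int
    dynamic: Optional[str] = None  # dynamic-map name, if this entry is one
    acl: Optional[str] = None      # match-address ACL of a static entry
    peer: Optional[str] = None


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # PIX ACLs take dotted subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config: str):
    """Collect extended ACLs and numbered crypto map entries from a config fragment."""
    acls: dict[str, list[Ace]] = {}
    entries: dict[int, CryptoEntry] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) == 8 and t[0] == "access-list" and t[3] == "ip":
            # access-list NAME permit|deny ip SRC SMASK DST DMASK
            acls.setdefault(t[1], []).append(Ace(t[2], _net(t[4], t[5]), _net(t[6], t[7])))
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            entry = entries.setdefault(int(t[3]), CryptoEntry(int(t[3])))
            rest = t[4:]
            if rest[:2] == ["ipsec-isakmp", "dynamic"]:
                entry.dynamic = rest[2]
            elif rest[:2] == ["match", "address"]:
                entry.acl = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry.peer = rest[2]
    return acls, entries


def acl_permits(aces: list[Ace], src: str, dst: str) -> bool:
    """First matching ACE decides, as on the PIX; no match means deny."""
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


def select_entry(config: str, src: str, dst: str,
                 client_sas: Iterable[tuple[str, str]] = ()):
    """(sequence number, description) of the crypto map entry that claims a packet
    src -> dst leaving the outside interface, or (None, ...) if it leaves in the clear.
    client_sas lists (local_net, remote_net) pairs negotiated by VPN clients."""
    acls, entries = parse_pix(config)
    sas = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in client_sas]
    for seq in sorted(entries):
        entry = entries[seq]
        if entry.acl is not None and acl_permits(acls.get(entry.acl, []), src, dst):
            return seq, f"static entry {seq}: site-to-site peer {entry.peer}"
        if entry.dynamic is not None and any(
                ipaddress.ip_address(src) in a and ipaddress.ip_address(dst) in b
                for a, b in sas):
            return seq, f"dynamic entry {seq} ({entry.dynamic}): remote-access client SA"
    return None, "no crypto map entry matches; packet is sent unencrypted"


if __name__ == "__main__":
    sa = [("192.168.0.0/24", "192.168.168.10/32")]  # constructed client SA
    for label, cfg in (("posted", POSTED_CONFIG), ("assumed fix", FIXED_CONFIG)):
        for dst in ("192.23.52.241", "192.168.168.10", "198.51.100.1"):
            print(f"{label:12} 192.168.0.75 -> {dst}: {select_entry(cfg, '192.168.0.75', dst, sa)[1]}")
```

With the posted config the reply from 192.168.0.75 to a client address is claimed by static entry 20, because that entry's ACL also covers 192.168.168.0/24, so the model lands it on the site-to-site peer; with the client subnet moved out of the crypto ACL and into a NAT-exemption-only ACL, the same reply falls through to dynamic entry 30. On the live PIX, `show crypto ipsec sa` lists `#pkts encaps` counters per peer SA, so pinging from the client and watching which peer's counter climbs answers the same question without any debug output.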

Ok, so when I remove the site to site tunnel all client tunnels work fine. Is there some routing or something that I need to make both site to site and client tunnels work simultaneously?

Thanks

Glenn

snipped-for-privacy@gmail.com wrote:

Reply to
Glennmac

Can you put more information about the internal network behind the pix and the other site2site endpoint? Is the ip address pool that you assign for the dynamic map in some subnet inside your network? It seems that you are assigning an internal subnet for the dynamic map, is that what you need?

Regards.

snipped-for-privacy@gmail.com wrote:

Reply to
Agustin

My internal network is 192.168.0.0/24, the addresses I use for client VPN tunnels are 192.168.168.0/24.

The one site to site tunnel that is running now should only carry traffic for 3 IPs: 192.23.62.240, .241 and .242. The access list is

192.23.62.240 255.255.255.252

I can't figure out why the client tunnel will not work when the site to site is up.

Thanks

Glenn

Agust> Can you put more information about the internal network behind the pix

Reply to
Glennmac

Reply to
Agustin

I used vpdn and it works quite fine.

Alex.

Reply to
AM

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.