I have two sites, A and B, connected by a site-to-site VPN, and they are working OK. When I try to add a remote-access VPN on site A so that users at home can use both site A's and site B's services and also reach the Internet through site A, I can't get it to work. I have tried doing this both with PDM and from the command line. I have quite a lot of experience with routers, but PIXes are still somewhat of a mystery to me. Does anyone have any similar working configurations to share with me?
Here is what I used to set up remote-access VPN with the Cisco VPN client.
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
  (Access-list defining what traffic not to NAT)
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
  (Access-list defining which traffic to use split-tunneling on)
nat (interface) 0 access-list nonat
  (Command issued to not use NAT translation through whichever interface the VPN traffic will flow)
sysopt connection permit-ipsec
  (Permits IPsec communication through the PIX)
crypto ipsec transform-set vpnsei esp-3des esp-md5-hmac
  (Setting up what type of encryption to use; there are many choices)
crypto dynamic-map dynmapsei 10 set transform-set vpnsei
crypto map (existing-map-name) 65535 ipsec-isakmp dynamic dynmapsei
crypto map (existing-map-name) interface internet
isakmp enable internet
  (Editor's note: these three lines were not in the post as originally written. On PIX 6.x the dynamic map only takes effect once it is bound into a crypto map that is applied to the outside interface, named "internet" here to match the isakmp line below, and ISAKMP is enabled on that interface. The map name is a placeholder; with a site-to-site tunnel already in place, use the name of the crypto map that tunnel already applies to the interface.)
isakmp client configuration address-pool local sei-1 internet
vpngroup misvpn address-pool sei-1
  (The vpngroup command sets up your configuration for the VPN. The first line tells which IP pool to use)
vpngroup misvpn dns-server (DNS server IP)
vpngroup misvpn wins-server (WINS server IP)
vpngroup misvpn default-domain (your internal domain name)
vpngroup misvpn split-tunnel 102
  (This command allows your VPN users to surf the web through their ISP and only use the VPN to connect to your internal servers or services; 102 is the split-tunnel access-list defined above)
vpngroup misvpn split-dns (your internal domain name; also used in conjunction with the command above)
vpngroup misvpn idle-time 7200
  (Time in seconds you want the PIX to allow a connection to sit idle)
vpngroup misvpn password ********
  (VPN group password)
ip local pool sei-1 192.168.10.10-192.168.10.25
  (These are the IP addresses that are assigned to the VPN clients)
If you have any problems or more questions, send me an email at snipped-for-privacy@yahoo.com
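The commands in the reply above only work when they reference each other consistently: the vpngroup must hand out a pool that is actually defined, the split-tunnel and nat 0 statements must name access-lists that exist, and the dynamic map must be bound into a crypto map that is applied to an interface with ISAKMP enabled. A remote-access VPN that "doesn't work" on a PIX is very often one of those links missing. The script below is an added example, not code from the forum post or from Cisco: it parses a saved PIX 6.x style configuration and reports every dangling reference of that kind. Both configurations embedded in it are constructed for the example (the first one complete, the second one mirroring the post before the pool name and crypto-map binding were filled in); the crypto map name "sitemap" and interface name "internet" are assumptions.

```python
"""Consistency check for the objects a PIX 6.x remote-access VPN ties together.

Added example (not from the forum post). It walks a saved configuration once,
records the objects the VPN relies on, and then reports references that point
at nothing: an address-pool that is not an "ip local pool", a split-tunnel or
nat 0 access-list that is never defined, a dynamic map whose transform set is
missing or that is never bound into a crypto map, and a crypto map that is not
applied to an interface (or applied to one where isakmp is not enabled).
"""

# Constructed sample: every piece is present and the references line up.
SAMPLE_OK = """\
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpnsei esp-3des esp-md5-hmac
crypto dynamic-map dynmapsei 10 set transform-set vpnsei
crypto map sitemap 10 ipsec-isakmp
crypto map sitemap 65535 ipsec-isakmp dynamic dynmapsei
crypto map sitemap interface internet
isakmp enable internet
isakmp client configuration address-pool local sei-1 internet
ip local pool sei-1 192.168.10.10-192.168.10.25
vpngroup misvpn address-pool sei-1
vpngroup misvpn split-tunnel 102
vpngroup misvpn idle-time 7200
vpngroup misvpn password ********
"""

# Constructed sample mirroring the post as originally typed: the address-pool
# argument is missing and the dynamic map is never bound into a crypto map.
SAMPLE_BROKEN = """\
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpnsei esp-3des esp-md5-hmac
crypto dynamic-map dynmapsei 10 set transform-set vpnsei
isakmp client configuration address-pool local sei-1 internet
ip local pool sei-1 192.168.10.10-192.168.10.25
vpngroup misvpn address-pool
vpngroup misvpn split-tunnel 102
"""


def parse(config):
    """Collect the VPN-relevant objects and references from a config text."""
    f = {
        "acls": set(), "pools": set(), "transform_sets": set(), "groups": set(),
        "dyn_maps": {},      # dynamic-map name -> transform-set it uses
        "map_dyn": {},       # crypto-map name -> dynamic maps bound into it
        "map_iface": {},     # crypto-map name -> interface it is applied to
        "nat0_acls": set(), "group_pool": {}, "group_split": {},
        "isakmp_ifaces": set(), "sysopt_ipsec": False,
    }
    for raw in config.splitlines():
        t = raw.strip().split()
        if not t or t[0].startswith(("!", ":")):   # blank or comment line
            continue
        if t[0] == "vpngroup" and len(t) > 1:
            f["groups"].add(t[1])                  # remember every group seen
        if t[0] == "access-list" and len(t) > 1:
            f["acls"].add(t[1])
        elif t[:3] == ["ip", "local", "pool"] and len(t) > 3:
            f["pools"].add(t[3])
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3:
            f["transform_sets"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            f["dyn_maps"][t[2]] = t[t.index("transform-set") + 1]
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            f["map_dyn"].setdefault(t[2], set()).add(t[t.index("dynamic") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface":
            f["map_iface"][t[2]] = t[4]
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            f["nat0_acls"].add(t[4])
        elif t[0] == "vpngroup" and len(t) >= 4 and t[2] == "address-pool":
            f["group_pool"][t[1]] = t[3]
        elif t[0] == "vpngroup" and len(t) >= 4 and t[2] == "split-tunnel":
            f["group_split"][t[1]] = t[3]
        elif t[:2] == ["isakmp", "enable"] and len(t) > 2:
            f["isakmp_ifaces"].add(t[2])
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            f["sysopt_ipsec"] = True
    return f


def check(config):
    """Return a list of human-readable problems; an empty list means consistent."""
    f = parse(config)
    problems = []
    if not f["sysopt_ipsec"]:
        problems.append("no 'sysopt connection permit-ipsec': decrypted VPN traffic is still filtered by interface ACLs")
    if not f["nat0_acls"]:
        problems.append("no 'nat (...) 0 access-list': VPN traffic will be translated")
    for acl in sorted(f["nat0_acls"]):
        if acl not in f["acls"]:
            problems.append(f"nat 0 references undefined access-list {acl}")
    for g in sorted(f["groups"]):
        pool = f["group_pool"].get(g)
        if pool is None:
            problems.append(f"vpngroup {g} has no address-pool")
        elif pool not in f["pools"]:
            problems.append(f"vpngroup {g} address-pool {pool} is not a defined ip local pool")
        split = f["group_split"].get(g)
        if split is not None and split not in f["acls"]:
            problems.append(f"vpngroup {g} split-tunnel references undefined access-list {split}")
    for dm, ts in sorted(f["dyn_maps"].items()):
        if ts not in f["transform_sets"]:
            problems.append(f"dynamic-map {dm} uses undefined transform-set {ts}")
        bound = [m for m, dyns in f["map_dyn"].items() if dm in dyns]
        if not bound:
            problems.append(f"dynamic-map {dm} is not bound into any crypto map")
        for m in bound:
            iface = f["map_iface"].get(m)
            if iface is None:
                problems.append(f"crypto map {m} is not applied to an interface")
            elif iface not in f["isakmp_ifaces"]:
                problems.append(f"isakmp is not enabled on {iface}, where crypto map {m} is applied")
    return problems


if __name__ == "__main__":
    for name, cfg in (("complete", SAMPLE_OK), ("as posted", SAMPLE_BROKEN)):
        found = check(cfg)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against a `write terminal` dump saved to a file by reading the file into `check()`; the checks are deliberately limited to the relationships the reply above describes, so a clean result means the remote-access pieces reference each other correctly, not that the rest of the firewall policy is right.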