PIX VPN mesh with access to multiple subnets at one of the sites?

I wonder whether any of the experts in this group can help me.

I have three sites (a 'central' one, and two remotes), each with a single subnet, and that are interconnected with a PIX-PIX IPsec VPN mesh. The whole thing has worked flawlessly since originally set up a few months ago, in that it provides intervisibility between IP hosts at each of the three sites.

I now have to move some of the servers at the central site to their own subnet on their own VLAN (named 'Databases' at 192.168.3.0/24). I need to be able to provide connectivity to hosts on the Databases subnet/VLAN from the two remote sites. However, I just have not been able to make this work.

With the central and remote configurations that are appended, if I do 'debug packet Databases' and then ping a host on the Databases VLAN at Central from the remote site, I can see the echo packet being sent to the host on the Databases subnet/VLAN, and I can see the echo reply being sent back from that host to the central PIX.

I can also see the hitcount increment on the access-list Databases_acl permit icmp any any echo-reply rule (that is generated from the object group named 'ICMP-allowed') on the central PIX.

However, I do not see the encapsulated packets count increment on the PIX at the central site end of the IPsec SA with the remote site that originated the ping. And, needless to say, the host from which I sent the ping does not see any response.

Can anybody point me at what I've got wrong in the appended configs? Note that other required access to the Databases subnet/VLAN from the 10.0.0.0/24 subnet at the central site, and from two other subnets, 10.0.1.0/24 and 10.0.2.0/24 (that are each connected via a router), all works fine. The problem is only with the VPN-connected sites that have the 10.0.3.0/24 and 10.0.4.0/24 subnets on their inside interfaces. I realise that, in what follows, some of the ACLs show signs of my increasing desperation to get the required setup working:

** Central site:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan99 physical
interface ethernet1 vlan1 logical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 i-physical security99
nameif vlan1 inside security100
nameif vlan3 Databases security90
nameif vlan4 DMZ1 security50
enable password *** encrypted
passwd *** encrypted
hostname PIX515-1
domain-name ***.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8888
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.x PIX_RemoteA
name 10.0.3.0 Net_RemoteA
name x.x.x.x PIX_RemoteB
name 10.0.4.0 Net_RemoteB
object-group icmp-type ICMP-allowed
  description ICMP types allowed in from outside
  icmp-object echo
  icmp-object echo-reply
  icmp-object time-exceeded
object-group service DellERA tcp
  description The bunch of protocols used to access a Dell remote console card
  port-object eq www
  port-object eq https
  port-object range 5800 5809
  port-object range 5900 5909
object-group service sitescope tcp
  description Sitesope port
  port-object eq 8888
object-group network xxx
  description External IPs of xxx systems
  network-object x.x.x.x 255.255.255.240
  network-object host x.x.x.x
  network-object host x.x.x.x
object-group network MLabsInbound
  description External IPs of MessageLabs systems permitted to deliver SMTP
. . .
object-group network shadowdns
  description External IPs of xxx shadow primary DNS servers
  network-object host x.x.x.x
  network-object host x.x.x.x
access-list outside_acl remark ACL for inbound to the interface named outside
access-list outside_acl remark ----------------------------------------------
access-list outside_acl remark -- ICMP access
access-list outside_acl permit icmp any any object-group ICMP-allowed
access-list outside_acl remark -- Access to mailserver from MessageLabs
access-list outside_acl permit tcp object-group MLabsInbound host x.x.x.x eq smtp
access-list outside_acl remark -- Access to platform management server from xxx
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq www
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq 8888
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq 3389
access-list outside_acl remark -- DNS access to platform management server from xxx and xxx
access-list outside_acl permit tcp object-group shadowdns host x.x.x.x eq domain
access-list outside_acl permit udp object-group shadowdns host x.x.x.x eq domain
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq domain
access-list outside_acl permit udp object-group xxx host x.x.x.x eq domain
access-list outside_acl remark -- Access to web server pool
access-list outside_acl permit tcp any host x.x.x.x eq www
access-list outside_acl permit tcp any host x.x.x.x eq https
access-list inside_acl remark ACL for inbound to the interface named inside
access-list inside_acl remark ---------------------------------------------
access-list inside_acl remark -- Hosts permitted to send SMTP
access-list inside_acl permit tcp host 10.0.0.3 any eq smtp
access-list inside_acl permit tcp host 10.0.0.93 any eq smtp
access-list inside_acl permit tcp host 10.0.0.14 any eq smtp
access-list inside_acl permit tcp host 10.0.0.178 any eq smtp
access-list inside_acl remark -- Default posture
access-list inside_acl deny tcp any any eq smtp
access-list inside_acl permit ip any any
access-list Databases_acl remark ACL for inbound to the interface named Databases
access-list Databases_acl remark ------------------------------------------------
access-list Databases_acl remark -- ICMP access
access-list Databases_acl permit icmp any any object-group ICMP-allowed
access-list DMZ1_acl remark ACL for inbound to the interface named DMZ1
access-list DMZ1_acl remark -------------------------------------------
access-list DMZ1_acl remark -- ICMP access
access-list DMZ1_acl permit icmp any any object-group ICMP-allowed
access-list inside_outbound_nat0_acl remark ACL for NAT exceptions for VPN users
access-list inside_outbound_nat0_acl remark ------------------------------------
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.201
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.202
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.203
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.204
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.205
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.206
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.207
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.208
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.209
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.1
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.2
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.3
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.4
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.5
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.6
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.7
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.8
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.9
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_RemoteA 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_RemoteB 255.255.255.0
access-list outside_cryptomap_dyn_20_acl remark ACL for remote access VPN users
access-list outside_cryptomap_dyn_20_acl remark -------------------------------
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.201
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.202
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.203
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.204
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.205
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.206
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.207
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.208
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.209
access-list outside_cryptomap_21_acl remark ACL for crypto map 21 - Remote A
access-list outside_cryptomap_21_acl remark -------------------------------------
access-list outside_cryptomap_21_acl permit ip 10.0.0.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 10.0.1.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 10.0.2.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 192.168.3.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_22_acl remark ACL for crypto map 22 - Remote B
access-list outside_cryptomap_22_acl remark ------------------------------
access-list outside_cryptomap_22_acl permit ip 10.0.0.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 10.0.1.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 10.0.2.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 192.168.3.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list Databases_outbound_nat0_acl remark ACL for NAT exceptions for Databases interface
access-list Databases_outbound_nat0_acl remark ----------------------------------------------
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.201
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.202
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.203
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.204
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.205
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.206
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.207
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.208
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.209
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.1
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.2
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.3
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.4
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.5
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.6
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.7
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.8
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.9
access-list Databases_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list Databases_outbound_nat0_acl permit ip any Net_RemoteA 255.255.255.0
access-list Databases_outbound_nat0_acl permit ip any Net_RemoteB 255.255.255.0
pager lines 20
logging on
mtu outside 1500
mtu i-physical 1500
ip address outside x.x.x.x 255.255.255.192
ip address i-physical 192.168.255.1 255.255.255.0
ip address inside 10.0.0.253 255.255.255.0
ip address Databases 192.168.3.1 255.255.255.0
ip address DMZ1 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNremotes 10.0.0.201-10.0.0.209
ip local pool PPTPremotes 10.100.0.1-10.100.0.9
pdm location 10.0.0.0 255.255.255.0 inside
. . .
pdm group shadowdns outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (Databases) 0 access-list Databases_outbound_nat0_acl
static (inside,outside) x.x.x.x 10.0.0.178 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.0.0.14 netmask 255.255.255.255 0 0
static (DMZ1,outside) x.x.x.x 192.168.4.17 netmask 255.255.255.255 0 0
static (inside,Databases) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group Databases_acl in interface Databases
access-group DMZ1_acl in interface DMZ1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
route inside 10.0.2.0 255.255.255.0 10.0.0.254 1
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server x.x.x.x source outside prefer
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
http Net_RemoteA 255.255.255.0 inside
http Net_RemoteB 255.255.255.0 inside
snmp-server host inside 10.0.0.14
snmp-server location First floor server room
snmp-server contact xxx
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_acl
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21_acl
crypto map outside_map 21 set peer PIX_RemoteA
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 22 ipsec-isakmp
crypto map outside_map 22 match address outside_cryptomap_22_acl
crypto map outside_map 22 set peer PIX_RemoteB
crypto map outside_map 22 set transform-set ESP-AES-256-SHA
crypto map outside_map 22 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PIX_RemoteA netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address PIX_RemoteB netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 22
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
vpngroup xxxx address-pool VPNremotes
vpngroup xxxx dns-server 10.0.0.1 10.0.2.1
vpngroup xxxx default-domain xxx.co.uk
vpngroup xxxx split-tunnel inside_outbound_nat0_acl
vpngroup xxxx idle-time 3600
vpngroup xxxx password ********
. . .
ca identity xxx 10.0.0.93:/certsrv/mscep/mscep.dll
ca configure xxx ra 1 20 crloptional
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet Net_RemoteA 255.255.255.0 inside
telnet Net_RemoteB 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local PPTPremotes
vpdn group PPTP-VPDN-GROUP client configuration dns 10.0.0.1 10.0.2.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxx password *********
vpdn username xxx password *********
vpdn enable outside
terminal width 100
Cryptochecksum:42b23b3c93f08380055ffad89c23754f
: end
[OK]

** Remote site (Remote B):

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname fw1-xx
domain-name xxx.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.x PIX_Central
name 10.0.0.0 Net_Central
name x.x.x.x PIX_RemoteA
name 10.0.3.0 Net_RemoteA
object-group icmp-type icmp-allowed
  description ICMP types allowed in from outside
  icmp-object echo
  icmp-object echo-reply
  icmp-object time-exceeded
object-group service DellERA tcp
  description The bunch of protocols used to access a Dell remote console card
  port-object eq www
  port-object eq https
  port-object range 5800 5809
  port-object range 5900 5909
access-list outside_acl remark ACL for inbound to the interface named outside
access-list outside_acl remark ----------------------------------------------
access-list outside_acl permit icmp any any object-group icmp-allowed
access-list inside_acl remark ACL for inbound to the interface named inside
access-list inside_acl remark ---------------------------------------------
access-list inside_acl remark -- Default posture
access-list inside_acl deny tcp any any eq smtp
access-list inside_acl permit ip any any
access-list inside_outbound_nat0_acl remark ACL for NAT exceptions for VPN users
access-list inside_outbound_nat0_acl remark ------------------------------------
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.201
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.202
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.203
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.204
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.205
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.206
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.207
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.208
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.209
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.1
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.2
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.3
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.4
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.5
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.6
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.7
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.8
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.9
access-list inside_outbound_nat0_acl permit ip any Net_Central 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_RemoteA 255.255.255.0
access-list split_tunnel_acl remark ACL for split tunnel for VPN users
access-list split_tunnel_acl remark ------------------------------------
access-list split_tunnel_acl remark Apparently needed by PDM 3.0(4)
access-list split_tunnel_acl permit ip any host 10.0.4.201
access-list split_tunnel_acl permit ip any host 10.0.4.202
access-list split_tunnel_acl permit ip any host 10.0.4.203
access-list split_tunnel_acl permit ip any host 10.0.4.204
access-list split_tunnel_acl permit ip any host 10.0.4.205
access-list split_tunnel_acl permit ip any host 10.0.4.206
access-list split_tunnel_acl permit ip any host 10.0.4.207
access-list split_tunnel_acl permit ip any host 10.0.4.208
access-list split_tunnel_acl permit ip any host 10.0.4.209
access-list split_tunnel_acl permit ip any Net_Central 255.255.255.0
access-list split_tunnel_acl permit ip any 10.0.1.0 255.255.255.0
access-list split_tunnel_acl permit ip any 10.0.2.0 255.255.255.0
access-list split_tunnel_acl permit ip any 192.168.3.0 255.255.255.0
access-list split_tunnel_acl permit ip any Net_RemoteA 255.255.255.0
access-list outside_cryptomap_dyn_22_acl remark ACL for remote access VPN users
access-list outside_cryptomap_dyn_22_acl remark -------------------------------
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.201
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.202
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.203
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.204
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.205
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.206
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.207
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.208
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.209
access-list outside_cryptomap_20_acl remark ACL for crypto map 20 - Central
access-list outside_cryptomap_20_acl remark ---------------------------------
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 Central 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_21_acl remark ACL for crypto map 21 - Remote A
access-list outside_cryptomap_21_acl remark -------------------------------------
access-list outside_cryptomap_21_acl permit ip 10.0.4.0 255.255.255.0 Net_RemoteA 255.255.255.0
pager lines 20
logging on
logging timestamp
logging buffered warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.0.4.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNremotes 10.0.4.201-10.0.4.209
ip local pool PPTPremotes 10.104.0.1-10.104.0.9
pdm location 10.0.0.14 255.255.255.255 inside
. . .
pdm location 192.168.3.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server x.x.x.x source outside prefer
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
http server enable
http Net_Central 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
http Net_RemoteA 255.255.255.0 inside
http 10.0.4.0 255.255.255.0 inside
snmp-server host inside 10.0.0.14
snmp-server location RemoteB
snmp-server contact xxx
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 22 match address outside_cryptomap_dyn_22_acl
crypto dynamic-map outside_dyn_map 22 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 22 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20_acl
crypto map outside_map 20 set peer PIX_Central
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21_acl
crypto map outside_map 21 set peer PIX_RemoteA
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PIX_Central netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address PIX_RemoteA netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 22
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
vpngroup xxx address-pool VPNremotes
vpngroup xxx dns-server 10.0.4.1
vpngroup xxx default-domain xxxx.co.uk
vpngroup xxx split-tunnel split_tunnel_acl
vpngroup xxx idle-time 3600
vpngroup xxx password ********
telnet Net_Central 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet Net_RemoteA 255.255.255.0 inside
telnet 10.0.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local PPTPremotes
vpdn group PPTP-VPDN-GROUP client configuration dns 10.0.4.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxx password *********
vpdn enable outside
terminal width 100
Cryptochecksum:2d2814d84f5b56055b6e890116ee2c4a
: end
[OK]

And if you've read this far through all that lot, then thanks!

Tim Levy
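As an added example (not part of Tim's post, and not a claim about what his PIX actually does), the Python below models one reading of the central config that fits every symptom he describes: an echo-reply entering the Databases interface for 10.0.4.x falls inside 10.0.0.0/16, the global side of `static (inside,Databases) 10.0.0.0 10.0.0.0 netmask 255.255.0.0`, and a PIX 6.x consults statics on the ingress interface before its routing table, so the reply would be handed to inside and never reach crypto map 22 on outside. The static-overrides-route behaviour and the narrowed replacement statics are assumptions to verify on the box; the addresses, routes and crypto ACLs are copied from the posted config.

```python
"""Model of how a PIX 6.x picks the egress interface for a packet arriving on
the Databases interface of the central PIX in the post above.

Added example, not code from the original post.  It encodes one assumption:
on PIX 6.x a packet whose destination matches the *global* side of a static
on the ingress interface is sent to that static's *real* interface before the
routing table is consulted (static-overrides-route).  Addresses, statics,
routes and crypto ACLs are taken from the posted central config.
"""
from ipaddress import ip_address, ip_network

# Posted central-site config, reduced to what decides the reply path.
ROUTES = [                           # (prefix, egress interface)
    (ip_network("10.0.1.0/24"), "inside"),
    (ip_network("10.0.2.0/24"), "inside"),
    (ip_network("0.0.0.0/0"), "outside"),
]
CONNECTED = {                        # directly connected interfaces
    "inside": ip_network("10.0.0.0/24"),
    "Databases": ip_network("192.168.3.0/24"),
    "DMZ1": ip_network("192.168.4.0/24"),
}
# static (inside,Databases) 10.0.0.0 10.0.0.0 netmask 255.255.0.0  (as posted)
STATICS_POSTED = [("inside", "Databases", ip_network("10.0.0.0/16"))]
# Narrowed alternative (assumption): only the three subnets reached via inside.
# 10.0.0.0/22 would NOT do, since it still covers Net_RemoteA (10.0.3.0/24).
STATICS_NARROW = [
    ("inside", "Databases", ip_network("10.0.0.0/23")),   # 10.0.0.0 + 10.0.1.0
    ("inside", "Databases", ip_network("10.0.2.0/24")),
]
# crypto map 22 ACL (Remote B) applied on the outside interface, as posted.
CRYPTO_22 = [(ip_network(s), ip_network("10.0.4.0/24")) for s in
             ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "192.168.3.0/24")]


def egress(ingress, dst, statics):
    """Return the interface a packet entering `ingress` for `dst` leaves on."""
    dst = ip_address(dst)
    # 1. a static whose global (mapped) side lives on the ingress interface
    #    wins over routing (the assumed PIX 6.x behaviour)
    for real_if, global_if, global_net in statics:
        if global_if == ingress and dst in global_net:
            return real_if
    # 2. directly connected networks
    for name, net in CONNECTED.items():
        if dst in net:
            return name
    # 3. static routes, longest prefix first, ending in the default route
    for net, name in sorted(ROUTES, key=lambda r: -r[0].prefixlen):
        if dst in net:
            return name
    return None


def crypto_match(src, dst):
    """True if src->dst matches the crypto map 22 ACL (would be encapsulated)."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in CRYPTO_22)


def reply_path(src, dst, statics):
    """Trace an echo-reply from a Databases host: (egress, encapsulated?)."""
    out = egress("Databases", dst, statics)
    return out, out == "outside" and crypto_match(src, dst)


if __name__ == "__main__":
    for label, statics in (("posted", STATICS_POSTED), ("narrow", STATICS_NARROW)):
        for dst in ("10.0.4.20", "10.0.3.20", "10.0.1.20"):
            out, encap = reply_path("192.168.3.10", dst, statics)
            print(f"{label:6} 192.168.3.10 -> {dst:10} egress={out:8} "
                  f"encapsulated={encap}")
```

Under the posted static the reply to 10.0.4.20 leaves via inside and is never offered to the crypto map, which matches the Databases_acl hit without any increase in the SA's encapsulated count; with the narrowed statics it leaves via outside and matches crypto map 22, while 10.0.1.x and 10.0.2.x still go to inside. `show xlate` and `debug packet inside` on the central PIX would confirm or refute the model.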


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.