VPN site-to-site + VPN Cisco client access list problem

Hi

I have a problem getting the VPN site-to-site tunnel and the VPN client tunnel to work at the same time. How can I join access lists 80 and 100 so I can add them to "nat (inside) 0 access-list 80"?

I've got a PIX 501 and a 2620, and the PIX 501 is accessible through the Cisco VPN client.

The config on the PIX 501:

: Written by admin at 15:32:22.817 CEDT Mon Aug 7 2006
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password g4JAhKwvQDnczMDZ encrypted
passwd g4JAhKwvQDnczMDZ encrypted
hostname gotfw01
domain-name veprox.int
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.99.0 VPN
access-list 80 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
pager lines 24
mtu outside 1420
mtu inside 1500
ip address outside 192.168.0.10 255.255.254.0
ip address inside 172.16.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.99.50-192.168.99.60 mask 255.255.255.0
pdm location 172.16.0.0 255.255.0.0 inside
pdm location VPN 255.255.255.0 outside
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 172.16.0.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp3dessha1 esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 10 set transform-set esp3dessha1
crypto map vpnmap 9 ipsec-isakmp
crypto map vpnmap 9 match address 80
crypto map vpnmap 9 set peer 192.168.0.11
crypto map vpnmap 9 set transform-set esp3dessha1
crypto map vpnmap 10 ipsec-isakmp dynamic vpnclient
crypto map vpnmap client configuration address initiate
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.11 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup vpncli address-pool vpn_client_pool
vpngroup vpncli dns-server 172.16.100.10
vpngroup vpncli wins-server 172.16.100.10
vpngroup vpncli default-domain mycompany.int
vpngroup vpncli split-tunnel 100
vpngroup vpncli idle-time 1800
vpngroup vpncli secure-unit-authentication
vpngroup vpncli password ********
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 60
dhcpd address 172.16.100.32-172.16.100.62 inside
dhcpd dns 195.67.199.27
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain company.int
dhcpd enable inside
username admin password Vs.JwYvvku50bpmp encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
banner exec
banner exec ***************************************
banner exec * You made It into the intranet core! *
banner exec ***************************************
banner exec
banner login You are trying to access a local network!

And on the 2620:

Using 1110 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
memory-size iomem 15
ip subnet-zero
!
ip dhcp pool local
 network 172.16.101.0 255.255.255.0
 default-router 172.16.101.1
 lease 15
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123qwe address 192.168.0.10
!
crypto ipsec transform-set esp3dessha1 esp-3des esp-sha-hmac
!
crypto map vpnmap 1 ipsec-isakmp
 set peer 192.168.0.10
 set transform-set esp3dessha1
 match address 101
!
interface FastEthernet0/0
 ip address 172.16.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet1/0
 description To internet (outside)
 ip address 192.168.0.11 255.255.254.0
 ip nat outside
 crypto map vpnmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
!
access-list 1 permit 172.16.101.0 0.0.0.255
access-list 101 permit ip 172.16.101.0 0.0.0.255 any
!
line con 0
line aux 0
line vty 0 4
!
end

Hope that it's easy to fix.

Best regards

Robert

Vigarv

The only way is to copy the contents. Create a new access list that has the content of both access lists, and use that new access list *only* for the nat 0 access-list. You currently use the same access list for nat 0 access-list and for crypto map match address; using the same access-list for both purposes will often cause problems.

Walter Roberson
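What the reply above describes, written out against the PIX 501 config from the first post as an added example (this is not part of the thread and not Cisco's own text). The access list number 90 is an assumption; any unused number or a named list works the same way. The two permit entries are copied verbatim from ACL 80 and ACL 100 in the posted config.

```cisco
: Added example (not from the thread). A dedicated NAT-exemption list that
: carries the entries of both ACL 80 (site-to-site) and ACL 100 (VPN clients).
: "90" is an assumed, unused list number.
access-list 90 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 90 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
:
: Point NAT exemption at the merged list only.
no nat (inside) 0 access-list 80
nat (inside) 0 access-list 90
:
: The crypto map and the split-tunnel group keep their own, narrower lists,
: so neither of them shares an ACL with nat 0 any more.
crypto map vpnmap 9 match address 80
vpngroup vpncli split-tunnel 100
:
: Existing translations were built under the old nat 0 statement; flush them
: so the new exemption takes effect on current flows.
clear xlate
```

Keep ACL 90 limited to exactly the tunnel subnets shown: every host-to-host pair that matches a nat 0 list bypasses NAT on the outside interface, so a broad entry (for example a destination of any) would expose untranslated inside addresses for far more than the two tunnels. Checking that the merged list matches only what the two tunnels carry is the one verification step worth doing before the clear xlate.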
