Hello Dalton: Here are a couple of ideas.

1) Change:

     isakmp key ******** address x.x.x.x netmask 255.255.255.255

   to

     isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

2) You might want to add:

     isakmp nat-traversal 20

3) I'm assuming you have a LOCAL username specified?

Regards,
Mike

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED] On Behalf Of dalton
> Sent: Thursday, September 11, 2008 3:26 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] site to site and remote access on pix 506e
>
> Hi,
>
> I'm wondering if anyone has a working config for a pix 506e running 6.3 or
> so, to do both site to site and remote access vpn. I assume this is possible?
>
> I have a pix running a few site to sites, however when I added the remote
> access config, it caused the tunnels to fail leaving them in a state of
> Xauth config or something of the like (don't have the exact error).
>
> Things fail when I add these 2 lines to the crypto map
>
> crypto map toCLIENT client configuration address initiate
> crypto map toCLIENT client authentication LOCAL
>
> config is below, thanks.
>
> -dalton
>
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname client-pix
> domain-name client.logicworks.net
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> no fixup protocol sip 5060
> no fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.2
> access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.2
> access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.2
> access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.177.187.0 255.255.255.0
> access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.2
> access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.2
> access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.2
> access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
> access-list splittunnelACL permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
> pager lines 24
> logging on
> logging timestamp
> logging standby
> logging console alerts
> logging monitor alerts
> logging buffered debugging
> logging history alerts
> mtu outside 1500
> mtu inside 1500
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool REMOTEPOOL 10.254.10.10-10.254.10.20 mask 255.255.255.0
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list DENY-NAT
> conduit permit ip any any
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set mytrans
> crypto map toCLIENT 20 ipsec-isakmp
> crypto map toCLIENT 20 match address toCLIENT
> crypto map toCLIENT 20 set peer x.x.x.x
> crypto map toCLIENT 20 set transform-set strong
> crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
> crypto map toCLIENT client configuration address initiate
> crypto map toCLIENT client authentication LOCAL
> crypto map toCLIENT interface outside
> isakmp enable outside
> isakmp key ******** address x.x.x.x netmask 255.255.255.255
> isakmp identity address
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption 3des
> isakmp policy 8 hash sha
> isakmp policy 8 group 2
> isakmp policy 8 lifetime 86400
> vpngroup client address-pool REMOTEPOOL
> vpngroup client dns-server x.x.x.x
> vpngroup client default-domain client.logicworks.net
> vpngroup client split-tunnel splittunnelACL
> vpngroup client split-dns logicworks.net
> vpngroup client idle-time 3600
> vpngroup client password ********
> vpngroup idle-time idle-time 1800
>
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
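A small lint for the clash Mike's first point addresses: once a crypto map carries "client authentication" / "client configuration address initiate", every static LAN-to-LAN peer referenced by that map needs "no-xauth no-config-mode" on its isakmp key line, or the PIX will try to Xauth the peer router and the site-to-site tunnel fails. This is an added example, not code from the list or from Cisco; the sample config is a constructed excerpt of dalton's post with the key redacted.

```python
"""Flag static IPsec peers that a PIX 6.x crypto map would subject to Xauth/config-mode."""
import re

# Constructed sample: the crypto-map and isakmp lines from the post above.
SAMPLE_CONFIG = """
crypto map toCLIENT 20 ipsec-isakmp
crypto map toCLIENT 20 set peer x.x.x.x
crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
crypto map toCLIENT client configuration address initiate
crypto map toCLIENT client authentication LOCAL
crypto map toCLIENT interface outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
"""

CLIENT_CMD = re.compile(r"^crypto map (\S+) client (?:authentication|configuration)\b")
SET_PEER = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)$")
ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+) netmask \S+(?P<flags>.*)$")


def find_xauth_conflicts(config: str) -> list[tuple[str, str]]:
    """Return (peer, suggested_line) for each static peer lacking the opt-out flags."""
    client_maps: set[str] = set()          # maps that push Xauth / config-mode
    peers_by_map: dict[str, set[str]] = {}  # static 'set peer' entries per map
    key_lines: dict[str, str] = {}          # peer address -> its isakmp key line
    for raw in config.splitlines():
        line = raw.strip()
        if m := CLIENT_CMD.match(line):
            client_maps.add(m.group(1))
        elif m := SET_PEER.match(line):
            peers_by_map.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ISAKMP_KEY.match(line):
            key_lines[m.group(1)] = line
    findings = []
    for name in sorted(client_maps):
        for peer in sorted(peers_by_map.get(name, ())):
            key_line = key_lines.get(peer)
            if key_line is None:
                continue  # no pre-shared key for this peer; a different problem
            flags = ISAKMP_KEY.match(key_line).group("flags")
            if "no-xauth" in flags and "no-config-mode" in flags:
                continue
            suggested = key_line + " no-xauth no-config-mode"
            findings.append((peer, suggested))
    return findings


if __name__ == "__main__":
    for peer, fix in find_xauth_conflicts(SAMPLE_CONFIG):
        print(f"peer {peer} will be Xauth'd; change its key line to:\n  {fix}")
```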