RE: more VPN fun... [7:58818]
OK, I'm a little confused as to what "lan" sites are. "Allow Local Lan Access" just allows the PC that is running the VPN software to be able to interact with ITS local lan. If you're wanting the remote PC to access the INSIDE lan, then you need to make sure that both your NAT 0 access-list allows it, as well as your inside acl, and that the PCs know how to get to the range of addresses that you assigned to your remote users.

Thanks
Larry

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

thanks for the config

i can't seem to ping from the remote client to any lan sites, though...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

thanks,
ed

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:26 PM
To: 'Edward Sohn'; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Share the knowledge I say...

OK, this has been edited to protect my information, but other than that it's directly off of a PIX that has 2 lan 2 Lan tunnels and also allows VPN remote access... I think I got all the leftover junk cleaned out as well...

!
access-list 100 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.2.0 255.255.255.0
access-list 120 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 110 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 110 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set TRANSFORM
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 110
crypto map MYMAP 10 set peer e.f.g.h
crypto map MYMAP 10 set transform-set TRANSFORM
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 120
crypto map MYMAP 30 set peer a.b.c.d
crypto map MYMAP 30 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
isakmp enable outside
isakmp key address a.b.c.d netmask 255.255.255.255
isakmp key address e.f.g.h netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK dns-server 192.168.24.22
vpngroup DONTTHINK default-domain groupstudy.rocks
vpngroup DONTTHINK idle-time 1800
vpngroup DONTTHINK password

Thanks
Larry

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58859&t=58818
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: more VPN fun... [7:58818]
OK, I'm following up one at a time here. I will respond to the others as I get to them...

In order for the person that is VPN'd to be able to surf the web, you must do 1 of 2 things.

1) Enable split tunneling on the PIX (I think it's in 6.2(1), maybe earlier). Doing it on just the client doesn't matter.

2) Have the user come into the PIX, and out another Internet connection. The PIX doesn't allow hairpin routing, or traffic to come into 1 interface (outside) and go back out that same interface on its way to the destination.

Thanks
Larry

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 6:41 PM
To: 'Joshua Vince'; [EMAIL PROTECTED]; 'Roberts, Larry'
Subject: RE: more VPN fun... [7:58818]

hey guys, i've got connectivity now. thanks a bunch for all the help. however, per the diagram that josh sent the link for... how can i now get the remote vpn client to go back out through the pix for internet, if the PIX is the default gateway? how does the client know *any* gateway, for that matter? it doesn't seem that there is a default route in the pix config that would dictate such... any ideas?

thanks
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:29 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

What's the client behind? If it's behind a firewall, you need to make sure that firewall allows UDP 500 and IP Protocol 50 (ESP) or IP Protocol 51 (AH), depending on which you are using.

Josh

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 6:06 PM
To: Joshua Vince; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

dude, good site. i can't believe i couldn't find this doc. this is exactly what i want to do...

anyway, i got the client connected and stuff, but i can't access anything on the lan...thanks for the config

i can't seem to ping from the remote client to any internal ip's...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

i've checked and double-checked the pix config. looks like the pix in the guide...

thanks,
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:22 PM
To: Edward Sohn; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Just make sure that you use Group 2 in the isakmp policy, and the users will connect. Here is a great reference:

http://www.cisco.com/warp/customer/110/pixpixvpn.html

And it works...

Joshua R. Vince
MCSE MCP+I CCNP CCA CSS1
Network Engineering Supervisor
BCG Systems, Inc.
800-968-6661
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58858&t=58818
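As an added example (not code from this thread, from Cisco, or from the GroupStudy list), here is a Python checker that reads PIX-style statements in the shape Larry posted and tests the points raised in this post and the one above it: whether every address in the remote-user pool is exempted by the nat 0 access-list, whether an isakmp policy offers group 2 as Josh advised, and where a connected client's packet ends up with and without a split-tunnel ACL given that the PIX will not hairpin traffic back out "outside". The sample config, its 10.1.1.0/24 inside network, ACL 130 and the vpngroup split-tunnel line are constructed assumptions for the demonstration; Larry's other two requirements (the inside ACL, and routes on the internal hosts and routers toward the pool, which Ed elsewhere in the thread resolved with static routes) are not visible in these statements and are not checked.

```python
import ipaddress

# Constructed sample modelled on the PIX snippet quoted in this thread.
# Addresses are placeholders: 10.1.1.0/24 stands in for the redacted inside
# network, and ACL 130 plus the "split-tunnel" line are an assumption added
# to show split tunnelling; the thread's config has no split-tunnel ACL.
SAMPLE_CONFIG = """
!
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 130 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK split-tunnel 130
"""


def net(addr, mask):
    # PIX writes "network mask"; ipaddress accepts "network/mask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect only the statements the thread's troubleshooting turns on:
    extended ACLs, the address pool, nat 0, isakmp policies and vpngroup."""
    cfg = {"acl": {}, "pools": {}, "nat0": {}, "policies": {}, "groups": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policies"].setdefault(int(t[2]), {})[t[3]] = t[4]
        elif t[0] == "vpngroup":
            # "vpngroup X password" carries no value once the secret is redacted
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3] if len(t) > 3 else None
    return cfg


def pool_gaps(cfg, iface="inside"):
    """Pool addresses that the nat 0 ACL does not exempt from translation.
    Larry's first requirement: without the exemption, replies from inside
    hosts to those clients are NATted instead of matched back into the tunnel."""
    entries = cfg["acl"].get(cfg["nat0"].get(iface), [])
    gaps = []
    for lo, hi in cfg["pools"].values():
        a = lo
        while a <= hi:
            if not any(a in dst for _, dst in entries):
                gaps.append(a)
            a += 1
    return gaps


def isakmp_findings(cfg):
    """Policies offering DH group 2 (Josh's point: the VPN client needs one)
    and every DES / MD5 / group 1 setting, which are weak by today's standards."""
    policies = sorted(cfg["policies"].items())
    group2 = [n for n, p in policies if p.get("group") == "2"]
    weak = [(n, k, v) for n, p in policies for k, v in p.items()
            if (k, v) in {("encryption", "des"), ("hash", "md5"), ("group", "1")}]
    return group2, weak


def client_path(cfg, group, dst):
    """Where a connected client's packet for dst ends up (Larry's second post).
    No split-tunnel ACL: everything enters the tunnel, so an Internet-bound
    packet arrives on 'outside' and would have to leave via 'outside' again,
    which this PIX does not hairpin, so it is dropped. With split tunnelling,
    only destinations in the ACL's source networks are encrypted."""
    dst = ipaddress.ip_address(dst)
    protected = [src for src, _ in cfg["acl"].get(cfg["nat0"].get("inside"), [])]
    split_acl = cfg["groups"].get(group, {}).get("split-tunnel")
    if split_acl is None:
        return "inside" if any(dst in n for n in protected) else "dropped-no-hairpin"
    if any(dst in src for src, _ in cfg["acl"].get(split_acl, [])):
        return "tunnel"
    return "direct"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("pool addresses not exempted by nat 0:", len(pool_gaps(cfg)))
    print("group 2 policies / weak settings:", isakmp_findings(cfg))
    for d in ("10.1.1.5", "198.51.100.7"):
        print(d, "->", client_path(cfg, "DONTTHINK", d))
```

Run it against a pasted config: a non-empty pool_gaps result is the nat 0 mismatch Larry describes, an empty group-2 list is Josh's failure to connect, and the client_path verdict shows the trade-off in Larry's two options: split tunnelling lets Internet traffic leave the client directly (which also means the client is reachable from both networks at once), while tunnelling everything requires some other path out than the PIX interface the tunnel arrived on.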
RE: more VPN fun... [7:58818]
That's a little more advanced, and requires access-lists to encrypt that specific traffic on the PIX. I am assuming you mean LAN sites that are in different IP subnets?

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 6:07 PM
To: [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

thanks for the config

i can't seem to ping from the remote client to any lan sites, though...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

thanks,
ed

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:26 PM
To: 'Edward Sohn'; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Share the knowledge I say...

OK, this has been edited to protect my information, but other than that it's directly off of a PIX that has 2 lan 2 Lan tunnels and also allows VPN remote access... I think I got all the leftover junk cleaned out as well...

!
access-list 100 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.2.0 255.255.255.0
access-list 120 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 110 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 110 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set TRANSFORM
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 110
crypto map MYMAP 10 set peer e.f.g.h
crypto map MYMAP 10 set transform-set TRANSFORM
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 120
crypto map MYMAP 30 set peer a.b.c.d
crypto map MYMAP 30 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
isakmp enable outside
isakmp key address a.b.c.d netmask 255.255.255.255
isakmp key address e.f.g.h netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK dns-server 192.168.24.22
vpngroup DONTTHINK default-domain groupstudy.rocks
vpngroup DONTTHINK idle-time 1800
vpngroup DONTTHINK password

Thanks
Larry

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58853&t=58818
RE: more VPN fun... [7:58818]
hey guys, i've got connectivity now. thanks a bunch for all the help. however, per the diagram that josh sent the link for... how can i now get the remote vpn client to go back out through the pix for internet, if the PIX is the default gateway? how does the client know *any* gateway, for that matter? it doesn't seem that there is a default route in the pix config that would dictate such... any ideas?

thanks
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:29 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

What's the client behind? If it's behind a firewall, you need to make sure that firewall allows UDP 500 and IP Protocol 50 (ESP) or IP Protocol 51 (AH), depending on which you are using.

Josh

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 6:06 PM
To: Joshua Vince; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

dude, good site. i can't believe i couldn't find this doc. this is exactly what i want to do...

anyway, i got the client connected and stuff, but i can't access anything on the lan...thanks for the config

i can't seem to ping from the remote client to any internal ip's...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

i've checked and double-checked the pix config. looks like the pix in the guide...

thanks,
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:22 PM
To: Edward Sohn; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Just make sure that you use Group 2 in the isakmp policy, and the users will connect. Here is a great reference:

http://www.cisco.com/warp/customer/110/pixpixvpn.html

And it works...

Joshua R. Vince
MCSE MCP+I CCNP CCA CSS1
Network Engineering Supervisor
BCG Systems, Inc.
800-968-6661
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58852&t=58818
RE: more VPN fun... [7:58818]
forget it...i got it working...there is a weird router set up internally...just putting statics to the vpn client pool worked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edward Sohn
Sent: Monday, December 09, 2002 3:09 PM
To: [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

dude, good site. i can't believe i couldn't find this doc. this is exactly what i want to do...

anyway, i got the client connected and stuff, but i can't access anything on the lan...thanks for the config

i can't seem to ping from the remote client to any internal ip's...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

i've checked and double-checked the pix config. looks like the pix in the guide...

thanks,
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:22 PM
To: Edward Sohn; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Just make sure that you use Group 2 in the isakmp policy, and the users will connect. Here is a great reference:

http://www.cisco.com/warp/customer/110/pixpixvpn.html

And it works...

Joshua R. Vince
MCSE MCP+I CCNP CCA CSS1
Network Engineering Supervisor
BCG Systems, Inc.
800-968-6661
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58851&t=58818
RE: more VPN fun... [7:58818]
What's the client behind? If it's behind a firewall, you need to make sure that firewall allows UDP 500 and IP Protocol 50 (ESP) or IP Protocol 51 (AH), depending on which you are using.

Josh

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 6:06 PM
To: Joshua Vince; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

dude, good site. i can't believe i couldn't find this doc. this is exactly what i want to do...

anyway, i got the client connected and stuff, but i can't access anything on the lan...thanks for the config

i can't seem to ping from the remote client to any internal ip's...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

i've checked and double-checked the pix config. looks like the pix in the guide...

thanks,
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:22 PM
To: Edward Sohn; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Just make sure that you use Group 2 in the isakmp policy, and the users will connect. Here is a great reference:

http://www.cisco.com/warp/customer/110/pixpixvpn.html

And it works...

Joshua R. Vince
MCSE MCP+I CCNP CCA CSS1
Network Engineering Supervisor
BCG Systems, Inc.
800-968-6661
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58850&t=58818
RE: more VPN fun... [7:58818]
dude, good site. i can't believe i couldn't find this doc. this is exactly what i want to do...

anyway, i got the client connected and stuff, but i can't access anything on the lan...thanks for the config

i can't seem to ping from the remote client to any internal ip's...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

i've checked and double-checked the pix config. looks like the pix in the guide...

thanks,
ed

-----Original Message-----
From: Joshua Vince [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:22 PM
To: Edward Sohn; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Just make sure that you use Group 2 in the isakmp policy, and the users will connect. Here is a great reference:

http://www.cisco.com/warp/customer/110/pixpixvpn.html

And it works...

Joshua R. Vince
MCSE MCP+I CCNP CCA CSS1
Network Engineering Supervisor
BCG Systems, Inc.
800-968-6661
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58844&t=58818
RE: more VPN fun... [7:58818]
thanks for the config

i can't seem to ping from the remote client to any lan sites, though...any ideas? the "allow local lan access" line is disabled in the statistics, though i have it enabled in the client...

thanks,
ed

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 1:26 PM
To: 'Edward Sohn'; [EMAIL PROTECTED]
Subject: RE: more VPN fun... [7:58818]

Share the knowledge I say...

OK, this has been edited to protect my information, but other than that it's directly off of a PIX that has 2 lan 2 Lan tunnels and also allows VPN remote access... I think I got all the leftover junk cleaned out as well...

!
access-list 100 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.2.0 255.255.255.0
access-list 120 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 110 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 110 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set TRANSFORM
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 110
crypto map MYMAP 10 set peer e.f.g.h
crypto map MYMAP 10 set transform-set TRANSFORM
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 120
crypto map MYMAP 30 set peer a.b.c.d
crypto map MYMAP 30 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
isakmp enable outside
isakmp key address a.b.c.d netmask 255.255.255.255
isakmp key address e.f.g.h netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK dns-server 192.168.24.22
vpngroup DONTTHINK default-domain groupstudy.rocks
vpngroup DONTTHINK idle-time 1800
vpngroup DONTTHINK password

Thanks
Larry

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58842&t=58818
RE: more VPN fun... [7:58818]
Share the knowledge I say...

OK, this has been edited to protect my information, but other than that it's directly off of a PIX that has 2 lan 2 Lan tunnels and also allows VPN remote access... I think I got all the leftover junk cleaned out as well...

!
access-list 100 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.2.0 255.255.255.0
access-list 120 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 110 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 110 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set TRANSFORM
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 110
crypto map MYMAP 10 set peer e.f.g.h
crypto map MYMAP 10 set transform-set TRANSFORM
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 120
crypto map MYMAP 30 set peer a.b.c.d
crypto map MYMAP 30 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
isakmp enable outside
isakmp key address a.b.c.d netmask 255.255.255.255
isakmp key address e.f.g.h netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK dns-server 192.168.24.22
vpngroup DONTTHINK default-domain groupstudy.rocks
vpngroup DONTTHINK idle-time 1800
vpngroup DONTTHINK password

Thanks
Larry

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58828&t=58818
RE: more VPN fun... [7:58818]
Just make sure that you use Group 2 in the isakmp policy, and the users will connect. Here is a great reference:

http://www.cisco.com/warp/customer/110/pixpixvpn.html

And it works...

Joshua R. Vince
MCSE MCP+I CCNP CCA CSS1
Network Engineering Supervisor
BCG Systems, Inc.
800-968-6661
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58825&t=58818
RE: more VPN fun... [7:58818]
Am working on the IOS version of what you are doing. We'd better keep each other posted. In a few weeks I am bound to roll out multi IOS to (PIX head-end) 3DES IPSec hub/spoke.

Martijn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edward Sohn
Sent: Monday, 9 December 2002 21:44
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]

anyone have any working configs of a PIX set up for a site-to-site IPSec tunnel with another PIX (at a remote site), as well as set up for mobile user VPN access (through dialup/dsl/cable/etc)? the client will use secure VPN client 3.0 for windows. i have the docs from CCO, but someone told me that their config for the remote user is wrong and does not work right. appreciate your help. please email me directly.

ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58822&t=58818