  • VPN Client & Site-to-site

    Hi guys,

    I need help with a PIX 515 VPN client configuration. I have a site-to-site VPN and it is working; I need to add a client VPN so I can connect to my network and access RDP on one of my servers.

    Site-to-site: working
    VPN client: not working


    Configuration details:

    Code:
    : site-to-site NAT exemption / crypto ACL
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x
    access-list nonatvpn permit ip x.x.x.x 255.255.255.224 host x.x.x.x

    : client VPN
    access-list myvpn permit tcp host 10.1.1.190 192.168.110.0 255.255.255.240

    : client VPN address pool
    ip local pool ippool 192.168.110.1-192.168.110.15

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authorization command LOCAL

    sysopt connection permit-ipsec
    crypto ipsec transform-set set1 esp-des esp-sha-hmac
    crypto ipsec transform-set set2 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto dynamic-map map2 20 set transform-set set2

    crypto map vpnclinet 10 ipsec-isakmp
    crypto map vpnclinet 10 match address nonatvpn
    crypto map vpnclinet 10 set peer x.x.x.x
    crypto map vpnclinet 10 set transform-set set1

    : the dynamic entry has to reference the dynamic-map defined above (map2);
    : the original referenced "Xmap", which is not defined anywhere
    crypto map vpnclinet 20 ipsec-isakmp dynamic map2
    crypto map vpnclinet interface outside

    : NAT exemption for the site-to-site VPN; client VPN traffic is still NATted by rule 5
    nat (inside) 0 access-list nonatvpn
    nat (inside) 5 access-list myvpn 0 0

    isakmp enable outside
    : site-to-site peer
    isakmp key ******** address X.X.X.X netmask 255.255.255.255
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local ippool outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    vpngroup vpnuser address-pool ippool
    vpngroup vpnuser dns-server 10.1.1.1
    vpngroup vpnuser wins-server 10.1.1.1
    vpngroup vpnuser idle-time 1800
    vpngroup vpnuser password ********
    : end

    Please check whether I have missed any commands.

    Regards,
    kums
    Last edited by kumscud; 20th May 2009, 14:22.

  • #2
    Re: VPN Client & Site-to-site

    Before I have had a chance to read this thoroughly: it looks like you aren't no-NATting your client VPN traffic?

    What doesn't work, by the way? Do you get errors, no connection, etc.?
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: VPN Client & Site-to-site

      The VPN client is connecting,

      but I am unable to RDP to my server.
      I am also still unable to ping the server IP.


      • #4
        Re: VPN Client & Site-to-site

        How about:

        Code:
        : exempt traffic between the server and the client pool from NAT;
        : use "permit ip" rather than "permit tcp" so ICMP (your pings) is exempted too
        access-list nonatvpn permit ip host 10.1.1.190 192.168.110.0 255.255.255.240
        no nat (inside) 5 access-list myvpn
        isakmp nat-traversal 300

        http://www.cisco.com/en/US/docs/secu...html#wp1027312
        cheers
        Andy


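For reference, here is the remote-access part of a PIX 6.3 configuration that coexists with a site-to-site tunnel, pulling together the points raised in the thread (NAT exemption for the client pool, a dynamic crypto map whose name actually matches the crypto map entry, and NAT traversal). This is an added example, not the original poster's or Andy's configuration. The inside LAN 10.1.1.0/24, the site-to-site peer 203.0.113.1 and its remote network 203.0.113.0/27, and the ACL names s2s and split-tunnel are assumptions for illustration; the RDP host 10.1.1.190, the pool 192.168.110.1-15 and the group name vpnuser come from the thread. 3DES is used in place of the single DES in the original because DES is no longer considered adequate.

```cisco
: Added example (assumptions: inside LAN 10.1.1.0/24, s2s peer 203.0.113.1,
: remote net 203.0.113.0/27, ACL names s2s and split-tunnel).

: Crypto ACL for the site-to-site tunnel (what gets encrypted to the peer).
access-list s2s permit ip 10.1.1.0 255.255.255.0 203.0.113.0 255.255.255.224

: NAT exemption: both the site-to-site remote net AND the client pool.
: "permit ip", not "permit tcp", so ICMP (ping) and any other protocol the
: client sends is exempted as well.
access-list nonatvpn permit ip 10.1.1.0 255.255.255.0 203.0.113.0 255.255.255.224
access-list nonatvpn permit ip 10.1.1.0 255.255.255.0 192.168.110.0 255.255.255.240
nat (inside) 0 access-list nonatvpn

: Split tunnel: clients only send traffic for the inside LAN through the tunnel.
access-list split-tunnel permit ip 10.1.1.0 255.255.255.0 192.168.110.0 255.255.255.240

ip local pool ippool 192.168.110.1-192.168.110.15

: Let IPsec-decrypted traffic bypass the interface ACLs.
sysopt connection permit-ipsec

crypto ipsec transform-set set1 esp-3des esp-sha-hmac

: Dynamic map for the clients. Its name (dynmap) must be the one referenced
: in the crypto map below; a dangling reference leaves clients without a
: matching IPsec policy.
crypto dynamic-map dynmap 20 set transform-set set1

: Static site-to-site entry first (lower sequence number), dynamic entry last.
crypto map vpnclinet 10 ipsec-isakmp
crypto map vpnclinet 10 match address s2s
crypto map vpnclinet 10 set peer 203.0.113.1
crypto map vpnclinet 10 set transform-set set1
crypto map vpnclinet 20 ipsec-isakmp dynamic dynmap
crypto map vpnclinet client configuration address respond
crypto map vpnclinet interface outside

isakmp enable outside
isakmp identity address
: NAT-T so clients behind home routers can pass ESP; keepalive every 20 s.
isakmp nat-traversal 20

: With a vpngroup configured the PIX applies xauth/mode-config to all peers.
: The site-to-site peer must be excluded or the tunnel will fail to come up.
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255 no-xauth no-config-mode

: Phase 1 policy matching what the Cisco VPN Client proposes (3DES/SHA/group 2).
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Client group: pool, DNS, split tunnel and the group pre-shared key.
vpngroup vpnuser address-pool ippool
vpngroup vpnuser dns-server 10.1.1.1
vpngroup vpnuser wins-server 10.1.1.1
vpngroup vpnuser split-tunnel split-tunnel
vpngroup vpnuser idle-time 1800
vpngroup vpnuser password ********
```

After applying this, `show crypto ipsec sa` for a connected client should show a security association with the client's pool address as the remote proxy and 10.1.1.0/24 as the local proxy; if the client connects but traffic to 10.1.1.190 still fails, `show xlate` revealing a translation for 10.1.1.190 towards the pool is the sign that the NAT exemption does not cover the traffic.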