VPN Problem

[sherbert]

I am new to VPN configs. I was hoping someone could take a look at my config, and let me know what is wrong. I presently have a config that lets my sales force connect via VPN client (the vpngroup). I am also trying to connect an outside LAN make a VPN connection. Every time I think I get the config correct, the new LAN is taking down the sales VPN client connection.

Here's my config ... if anyone could help, that would be geat! I would love to learn something new too! Thanks!!!

this is what I'm adding:

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 group 2
isakmp policy 30 hash md5
isakmp enable outside
isakmp identify address
isakmp key "pass" xx.xxx.xx.xxx netmask 255.255.255.255
access-list IPSEC permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set pixfirewall esp-3des-md5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 600
crypto map pixfirewall 30 ipsec-isakmp
crypto map pixfirewall 30 match address IPSEC
crypto map pixfirewall 30 set transform-set pixfirewall
crypto map pixfirewall 30 set peer xx.xxx.xx.xx
crypto map pixfirewall interface outside
nat (inside) 0 access-list IPSEC

existing config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password JAogGoP.yZT107Kz encrypted
passwd kQ89ZvMlcgQ.0l/4 encrypted
hostname pixfirewall
domain-name name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 192.168.100.0
255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.0.0.0 192.168.100.0
255.255.255.224
access-list inbound permit tcp any host 10.0.0.1 eq ssh
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
access-list acl_inside permit icmp any any
access-list 101 permit tcp any host xx.xx.xx.xx eq smtp
access-list 101 permit tcp any host xx.xx.xx.xx eq www
access-list 101 permit tcp any host xx.xx.xx.xx eq www
pager lines 24
logging console debugging
icmp permit 10.0.0.0 255.0.0.0 echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.240
ip address inside 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.100.10-192.168.100.30
pdm location 10.0.0.6 255.255.255.255 inside
pdm location 10.0.0.8 255.255.255.255 inside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.xx 10.0.0.19 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.xx 10.0.0.25 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server m3aaa protocol radius
aaa-server m3aaa (inside) host 10.0.0.6 12626 timeout 5
http server enable
http 10.0.0.8 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds
28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication m3aaa
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxx address-pool m3vpnpool
vpngroup xxxx dns-server 10.0.0.4 10.0.0.6
vpngroup xxxx wins-server 10.0.0.6
vpngroup xxxx split-tunnel outside_cryptomap_dyn_20
vpngroup xxxx idle-time 1800
vpngroup xxxx max-time 86400
vpngroup xxxx password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.0.0.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:590d6b9876c2655bd40

 

[folken]

I always cheat on the PIX's and use the PDM management. Maybe making the VPN connection through that would make a difference.

 

[sherbert]

I don't know how how to do that? The person who was here before me maintained it that way ... but I think I need a password and don't have it. How do I set it up?

thanks!

 

[folken]

If the last tech used PDM then it should be safe to assume that the pix still has it installed, just open your web browser (IE preferred) and put in https://(internal ip of pix)
You will need to have java installed to run it.
The login should be the same as the one you use at the command line.

 

[sherbert]

I was able to get to the interface and login. Now I'm getting an error message that the "name of the site does not match the name on the certificate". Any ideas on this one? Thank you!

 

[folken]

You should have been promted with a certificate to accept... hm...

Here are the steps on Ciscos site:PDM Guide

It could be a case of finding the right java version too... That is one downside of cisco management gui's. If you could find/install the version of java that was released around the same time as your PIX OS version it might help tremendously.

 

[sherbert]

I did prompt me to accept the certificate. The message is that it's a hostname mismatch and that the hostname of the site doesn't match the certificate. So I'm guessing it isn't the certificate itself !! Ugh!!! and Thanks!!

 

[folken]

What version of IE are you using? If you have one of the IE7 Betas I'd take it off for this, they still have a couple bugs in em. Giving netscape or firefox a try couldn't hurt either though I've only had luck with IE in the past.

I looked around for that message and several people say there is a "do you want to proceed" with the option of yes. Do you get that at all?

 

[sherbert]

Using Firefox, I got past one error ... this is the log from java script

at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at com.cisco.pdm.e.c.q(Unknown Source)
at com.cisco.pdm.e.c.h(Unknown Source)
at com.cisco.pdm.a.byte(Unknown Source)
at com.cisco.pdm.PDMApplet.start(Unknown Source)
at com.cisco.nm.util.sgz.Env.start(Env.java:37)
at com.cisco.nm.util.sgz.Loader.start(Loader.java:109)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
basic: Exception: java.security.AccessControlException: access denied (java.util.Prope

 

[sherbert]

Using Firefox, I got past one error ... this is the log from java script

at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at com.cisco.pdm.e.c.q(Unknown Source)
at com.cisco.pdm.e.c.h(Unknown Source)
at com.cisco.pdm.a.byte(Unknown Source)
at com.cisco.pdm.PDMApplet.start(Unknown Source)
at com.cisco.nm.util.sgz.Env.start(Env.java:37)
at com.cisco.nm.util.sgz.Loader.start(Loader.java:109)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
basic: Exception: java.security.AccessControlException: access denied (java.util.Prope

 

[jimytri]

You cannot use the same subnet for you LAN-to-LAN VPN and your Vpngroup. Change ip local pool vpn 192.168.200.10-192.168.200.30. Add 2 access-lists in your PIX

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.224

After that, the vpngroup won't stop the LAN-to-LAN VPN