Question: Problem: PIX 515e firewall VPN to Netgear with existing VPNs on the firewall
Hello all, I have a PIX 515e firewall. We have had VPN configs on this firewall already. I am trying to get a point-to-point connection to a Netgear router/firewall. I found some real nice configs to do so on the PIX, but whenever I use the command crypto map vpnconnection interface outside it takes away from another set of VPNs coming in, MAS-IDX, and stops my boss from VPNing in. Below I will put my configs. I am not sure what I need to take out, so please don't kill me worse than I am already.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 2k9J.wpKv3oHMoTS encrypted
passwd H9lE/QgkAWLTcSC/ encrypted
hostname bloomPix
domain-name med-act-svcs.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 64.0.107.144 KEN
name 207.41.173.194 moises
name 192.168.30.14 Bloomfield3
name 192.168.30.10 bloomfield
name 192.168.31.42 LouiseB
name 167.206.229.178 KenJ
name 68.194.62.58 LouiseB-Home
name 207.156.182.195 EdMendez
name 192.168.31.6 Wantagh2
name 192.168.31.5 Wantagh1
name 192.168.31.20 JoePC
name 207.202.92.200 MASJCMC
name 207.156.182.196 EdMendez1
name 24.47.246.159 JoeHome
name 205.231.238.2 Meridian
name 68.196.193.203 RayT-Home
name 68.38.253.206 Nor-Home
name 67.82.176.34 GinaK-Home
name 209.66.57.100 PABALA1
name 209.66.57.102 PABala3
name 209.66.57.101 PABala2
name 209.66.57.103 PABala4
name 209.66.57.105 PABala6
name 209.66.57.104 PAbala5
name 68.195.161.115 DinaHome1
name 69.33.129.190 CTI
name 68.36.28.177 Nor-Home1
name 68.37.72.18 Nor
name 138.88.164.189 RandySpringer
name 198.181.235.49 Columbia-VPN
name 156.111.224.180 Columbia-VPN1
name 20.137.68.46 SVCMC
name 10.20.30.45 nor-on-the-road
name 68.196.203.149 RayT-Home1
name 138.89.42.147 Ray-Home-DSL
object-group service public tcp
  description ftp-smtp-pop-www
  port-object eq ftp
  port-object eq pop3
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  port-object eq smtp
object-group service domain tcp-udp
  description dns
  port-object eq domain
access-list outside_access_in permit tcp any host 208.44.183.11 object-group public
access-list outside_access_in permit tcp any host 208.44.183.2 eq telnet
access-list outside_access_in permit udp any any object-group domain
access-list outside_access_in permit ip host moises any
access-list outside_access_in permit ip KEN 255.255.255.248 any
access-list outside_access_in permit ip host RandySpringer any
access-list outside_access_in permit ip host JoeHome any
access-list outside_access_in permit ip host PABALA1 any
access-list outside_access_in permit ip host PABala2 any
access-list outside_access_in permit ip host PABala3 any
access-list outside_access_in permit ip host PABala4 any
access-list outside_access_in permit ip host PAbala5 any
access-list outside_access_in permit ip host PABala6 any
access-list outside_access_in permit ip host RayT-Home1 any
access-list outside_access_in permit ip host Ray-Home-DSL any
access-list outside_access_in permit ip host 69.141.116.59 any
access-list outside_access_in permit ip host nor-on-the-road any
access-list outside_access_in permit ip host MASJCMC any
access-list outside_access_in permit ip host LouiseB-Home any
access-list outside_access_in permit ip host DinaHome1 any
access-list outside_access_in permit ip host SVCMC any
access-list outside_access_in permit ip host Meridian any
access-list outside_access_in permit ip host EdMendez1 any
access-list outside_access_in permit ip host GinaK-Home any
access-list outside_access_in permit ip host CTI any
access-list inside_outbound_nat0_acl permit ip any 192.168.200.0 255.255.255.0
access-list medical_splitTunnelAcl permit ip 192.168.30.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 100 permit ip 192.168.31.0 255.255.255.0 host Columbia-VPN
access-list 100 permit ip 192.168.30.0 255.255.255.0 host Columbia-VPN
access-list no-nat permit ip 192.168.31.0 255.255.255.0 host Columbia-VPN
access-list no-nat permit ip 192.168.30.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no-nat permit ip 192.168.30.0 255.255.255.0 host Columbia-VPN
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 208.44.183.8 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool 200pool 192.168.200.2-192.168.200.254
pdm location 192.168.30.125 255.255.255.255 inside
pdm location bloomfield 255.255.255.255 inside
pdm location KEN 255.255.255.248 outside
pdm location Bloomfield3 255.255.255.255 inside
pdm location 192.168.30.7 255.255.255.255 inside
pdm location 192.168.30.21 255.255.255.255 inside
pdm location 192.168.30.22 255.255.255.255 inside
pdm location 192.168.30.23 255.255.255.255 inside
pdm location 192.168.30.24 255.255.255.255 inside
pdm location 192.168.30.25 255.255.255.255 inside
pdm location moises 255.255.255.255 outside
pdm location 192.168.31.0 255.255.255.0 inside
pdm location 192.168.15.0 255.255.255.0 inside
pdm location 192.168.16.0 255.255.255.0 inside
pdm location 192.168.17.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 192.168.12.0 255.255.255.0 inside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 192.168.30.2 255.255.255.255 inside
pdm location LouiseB 255.255.255.255 inside
pdm location Wantagh2 255.255.255.255 inside
pdm location 192.168.31.55 255.255.255.255 inside
pdm location JoePC 255.255.255.255 inside
pdm location 192.168.32.1 255.255.255.255 inside
pdm location 192.168.32.0 255.255.255.0 inside
pdm location 192.168.100.0 255.255.255.0 inside
pdm location 192.168.30.36 255.255.255.255 inside
pdm location KenJ 255.255.255.255 outside
pdm location LouiseB-Home 255.255.255.255 outside
pdm location EdMendez 255.255.255.255 outside
pdm location Wantagh1 255.255.255.255 inside
pdm location MASJCMC 255.255.255.255 outside
pdm location EdMendez1 255.255.255.255 outside
pdm location 192.168.31.21 255.255.255.255 inside
pdm location 192.168.31.22 255.255.255.255 inside
pdm location 192.168.31.23 255.255.255.255 inside
pdm location 192.168.31.24 255.255.255.255 inside
pdm location 192.168.30.95 255.255.255.255 inside
pdm location 192.168.31.25 255.255.255.255 inside
pdm location 192.168.31.26 255.255.255.255 inside
pdm location 192.168.31.27 255.255.255.255 inside
pdm location JoeHome 255.255.255.255 outside
pdm location 192.168.31.28 255.255.255.255 inside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location Meridian 255.255.255.255 outside
pdm location RayT-Home 255.255.255.255 outside
pdm location Nor-Home 255.255.255.255 outside
pdm location 192.168.30.52 255.255.255.255 inside
pdm location GinaK-Home 255.255.255.255 outside
pdm location 192.168.30.20 255.255.255.255 inside
pdm location 192.168.31.4 255.255.255.255 inside
pdm location PABALA1 255.255.255.255 outside
pdm location PABala2 255.255.255.255 outside
pdm location PABala3 255.255.255.255 outside
pdm location PABala4 255.255.255.255 outside
pdm location PAbala5 255.255.255.255 outside
pdm location PABala6 255.255.255.255 outside
pdm location DinaHome1 255.255.255.255 outside
pdm location CTI 255.255.255.255 outside
pdm location Nor-Home1 255.255.255.255 outside
pdm location 192.168.31.29 255.255.255.255 inside
pdm location Nor 255.255.255.255 outside
pdm location RandySpringer 255.255.255.255 outside
pdm location 192.168.30.45 255.255.255.255 inside
pdm location Columbia-VPN 255.255.255.255 outside
pdm location Columbia-VPN1 255.255.255.255 outside
pdm location 206.126.161.134 255.255.255.255 outside
pdm location SVCMC 255.255.255.255 outside
pdm location 200.9.49.66 255.255.255.255 outside
pdm location 206.126.161.161 255.255.255.255 outside
pdm location nor-on-the-road 255.255.255.255 outside
pdm location RayT-Home1 255.255.255.255 outside
pdm location 69.141.116.59 255.255.255.255 outside
pdm location Ray-Home-DSL 255.255.255.255 outside
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no-nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 208.44.183.11 bloomfield netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.14 Bloomfield3 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.9 192.168.30.36 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.7 192.168.30.7 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.20 192.168.30.20 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.21 192.168.30.21 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.22 192.168.30.22 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.23 192.168.30.23 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.24 192.168.30.24 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.25 192.168.30.25 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.2 192.168.30.2 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.222 192.168.31.28 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.194 Wantagh1 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.193 Wantagh2 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.204 192.168.31.55 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.243 JoePC netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.31 192.168.31.21 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.32 192.168.31.22 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.33 192.168.31.23 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.34 192.168.31.24 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.36 192.168.31.25 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.37 192.168.31.26 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.38 192.168.31.27 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.39 192.168.31.29 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.26 192.168.30.52 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.18 192.168.30.45 netmask 255.255.255.255 0 0
static (inside,outside) 208.44.183.239 192.168.31.4 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.44.183.1 1
route inside 192.168.10.0 255.255.255.0 192.168.30.2 1
route inside 192.168.11.0 255.255.255.0 192.168.30.2 1
route inside 192.168.12.0 255.255.255.0 192.168.30.2 1
route inside 192.168.15.0 255.255.255.0 192.168.30.2 1
route inside 192.168.16.0 255.255.255.0 192.168.30.2 1
route inside 192.168.17.0 255.255.255.0 192.168.30.2 1
route inside 192.168.20.0 255.255.255.0 192.168.30.2 1
route inside 192.168.31.0 255.255.255.0 192.168.30.2 1
route inside 192.168.32.0 255.255.255.0 192.168.30.2 1
route inside 192.168.100.0 255.255.255.0 192.168.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.30.125 255.255.255.255 inside
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set MAS-IDX esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map MAS-IDX 1 ipsec-isakmp
crypto map MAS-IDX 1 match address 100
crypto map MAS-IDX 1 set peer Columbia-VPN1
crypto map MAS-IDX 1 set transform-set MAS-IDX
crypto map MAS-IDX 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map MAS-IDX interface outside
isakmp enable outside
isakmp key ******** address Columbia-VPN1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup medical address-pool 200pool
vpngroup medical dns-server 216.111.65.217
vpngroup medical wins-server Bloomfield3 bloomfield
vpngroup medical default-domain med-act-svcs.com
vpngroup medical split-tunnel medical_splitTunnelAcl
vpngroup medical idle-time 1800
vpngroup medical password ********
telnet 192.168.30.0 255.255.255.0 inside
telnet 192.168.32.1 255.255.255.255 inside
telnet 192.168.32.1 255.255.255.255 intf2
telnet timeout 30
ssh 206.126.161.134 255.255.255.255 outside
ssh 200.9.49.66 255.255.255.255 outside
ssh 206.126.161.161 255.255.255.255 outside
ssh timeout 30
terminal width 80
Cryptochecksum:0d8919955ce93171980424280a475f57
: end
Answer: Problem: PIX 515e firewall VPN to Netgear with existing VPNs on the firewall
You can only have one crypto map command applied to the outside interface at any point in time.
You need to create another crypto sequence with the same name, so that it might look something like this (this is from a PIX that I have, although I've changed the IP addresses):
crypto map mymap 12 ipsec-isakmp
crypto map mymap 12 match address 120
crypto map mymap 12 set peer 2.2.2.2
crypto map mymap 12 set transform-set myset
crypto map mymap 13 ipsec-isakmp
crypto map mymap 13 match address 130
crypto map mymap 13 set peer 3.3.3.3
crypto map mymap 13 set transform-set myset
crypto map mymap 14 ipsec-isakmp
crypto map mymap 14 match address 140
crypto map mymap 14 set peer 4.4.4.4
crypto map mymap 14 set transform-set myset
crypto map mymap 15 ipsec-isakmp
crypto map mymap 15 match address 150
crypto map mymap 15 set peer 5.5.5.5
crypto map mymap 15 set transform-set myset
crypto map mymap 16 ipsec-isakmp
crypto map mymap 16 match address 160
crypto map mymap 16 set peer 6.6.6.6
crypto map mymap 16 set transform-set myset
crypto map mymap 17 ipsec-isakmp
crypto map mymap 17 match address 170
crypto map mymap 17 set peer 7.7.7.7
crypto map mymap 17 set transform-set myset
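Applied to the poster's own configuration, as an added example that is neither the answerer's config nor anything from the original post: the Netgear tunnel goes in as sequence 2 of the existing MAS-IDX map rather than under a new map name. The Netgear's WAN address, its LAN subnet and the pre-shared key are not on the page and appear as angle-bracket placeholders; lines beginning with ! are annotations, not commands to paste.

```cisco
! Added example, not from the original post. Placeholders in <angle brackets>
! are assumptions: the Netgear's WAN address, LAN subnet/mask and PSK are not known.

! Phase 2 traffic selector: PIX inside LAN (from the posted config) to the Netgear LAN
access-list 110 permit ip 192.168.30.0 255.255.255.0 <NETGEAR-LAN> <NETGEAR-MASK>
! Exempt the same traffic from PAT; nat (inside) 0 already references no-nat
access-list no-nat permit ip 192.168.30.0 255.255.255.0 <NETGEAR-LAN> <NETGEAR-MASK>

! Phase 1 key for the new peer. no-xauth / no-config-mode keep the remote-access
! settings of vpngroup "medical" from being applied to a LAN-to-LAN peer
isakmp key <PSK> address <NETGEAR-WAN> netmask 255.255.255.255 no-xauth no-config-mode

! The Netgear must propose phase 1 parameters matching one existing policy,
! e.g. policy 40: pre-share, 3des, sha, group 2, lifetime 86400

! New static entry under the SAME map name, sequence 2: evaluated after the
! Columbia peer (seq 1) and before the dynamic entry (seq 65535), which must
! stay the highest number so remote-access clients are matched last
crypto map MAS-IDX 2 ipsec-isakmp
crypto map MAS-IDX 2 match address 110
crypto map MAS-IDX 2 set peer <NETGEAR-WAN>
crypto map MAS-IDX 2 set transform-set ESP-3DES-SHA

! Deliberately absent: "crypto map vpnconnection interface outside".
! MAS-IDX is already bound to outside; binding a second map name replaces it,
! which is what took the Columbia tunnel and the remote-access clients down.
! sysopt connection permit-ipsec is already set, so outside_access_in needs no change.
```

After pasting, show crypto map should list MAS-IDX with sequences 1, 2 and 65535 and still show it bound to the outside interface.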