
Pix Easyvpn or Site to Site?


mjroam

I'm struggling with a VPN solution I thought would be relatively simple. I now have considerably more respect for those of you who have a clear understanding of PIX VPN setup. The basic setup is 3 PIX 501s at 3 branch locations, each with its own static DSL account. The plan was to provide an extended LAN through VPN and extend printer mapping from the central site for a Unix server. The Unix server uses NetBIOS or name resolution to map to the Windows shared printers, and the clients use a proprietary telnet shell to access the Unix machine. Another consideration is bandwidth, so I wanted to use split tunneling to allow unencrypted web access for all three sites. Can this be done using the central site as an EasyVPN server for both remotes?

Any help would be greatly appreciated.
 
1st off, if I'm not mistaken you cannot use the 501 as an EZVPN server (only 506 and up); the 501 is an EZVPN client only.

If you have 3 PIXes then do a LAN-to-LAN; it will save you a headache.

The problem you will see with EZVPN is that the remote host needs to send the first packet to build the tunnel.

I have a client that has time clocks in each branch office, and the HR department at the main location needs to pull the info from the clocks. We started with EZVPN but ran into a problem: if no one at the branch office sent a packet across, the tunnel was not built, thus the main office couldn't poll the punch clocks. I thought network extension mode would solve this but that was not the case (after a few hours on the phone with TAC).

So we were forced to do LAN-to-LAN.

Hope that helps
 
Thanks for the reply. It was my understanding that any PIX above 6.2 could act as an EasyVPN server, and that when you set the mode to Network-Extension the tunnel was always up? Also, I attempted to use site-to-site VPNs but I couldn't figure out how to allow split tunneling for all three locations, and the static routing for the tunnels has me stumped. I'm about out of useful grey matter after hours of trying to find a 3-way VPN setup that will work, and yet I've found multiple references online that it can be done. If I could see sample configs of a similar setup it would be very helpful. I realize that's taking the easy way out, but it's so helpful in understanding the commands and how it all interacts. Once again thanks for responding, and if you have any other input I'd be in your debt.



 
Take a look at this.

Below is the hub in a spoke-and-hub config:

MAIN hub (10.1.20.0)
MIA spoke (10.1.50.0)
VT spoke (10.1.40.0)
Code:
access-list nonat permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list nonat permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0

access-list split permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list split permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0

access-list MIAVPN_list permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list VTVPN_list permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0


ip address outside PUBLIC IP 255.255.255.240
ip address inside 10.1.20.22 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec
sysopt connection permit-pptp

crypto ipsec transform-set IPSecset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set IPSecset
crypto map IPSec 1 ipsec-isakmp
crypto map IPSec 1 match address MIAVPN_list
crypto map IPSec 1 set peer MIAPIXIP
crypto map IPSec 1 set transform-set IPSecset
crypto map IPSec 2 ipsec-isakmp
crypto map IPSec 2 match address VTVPN_list
crypto map IPSec 2 set peer VTPIXIP
crypto map IPSec 2 set transform-set IPSecset
crypto map IPSec 10 ipsec-isakmp dynamic dynmap
crypto map IPSec interface outside

isakmp enable outside

isakmp key ******** address MIAPIXIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address VTPIXIP netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup IPSec address-pool ipsecpool
vpngroup IPSec dns-server INSIDEDNS
vpngroup IPSec default-domain net.com
vpngroup IPSec split-tunnel split
vpngroup IPSec idle-time 1800
vpngroup IPSec password ********
vpngroup idle-time idle-time 1800
 
Thank you Br0ck, this is very helpful. Naming the hosts makes it easier to see. Can you also post one of the spoke configs?
I'm going to work on this again tomorrow. I have a couple of newbie q's if you get a chance to respond again.
1.) Do I need any outbound static routes to the spokes or vice-versa?
2.) How do the networks see each other with the different subnets?

I don't feel it necessary to apologize for my ignorance; everyone needs to start somewhere. But I do appreciate your patience and assistance, and that goes for all the knowledgeable and helpful members of this site.

 
Heh

I feel if you attend the school of hard knocks there is no need to apologize!

In IT, class is always in session.

I'll post the spoke configs in a min.



 
Code:
1.) Do I need any outbound static routes to the spokes or vice-versa?

The access-lists will do this for you.

When the INSIDEHUBHOST sends a packet destined for the SPOKELAN to the PIX (the gateway), the PIX considers this interesting traffic (to the VPN), encrypts it and sends it down the tunnel.

Code:
2.) How do the networks see each other with the different subnets?

This is done by the nonat access-list; this creates a bridge between the LANs.

SPOKE VT
Code:
access-list VT_list permit ip 10.1.40.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list nonat permit ip 10.1.40.0 255.255.255.0 10.1.20.0 255.255.255.0

ip address outside PUBLIC IP 255.255.255.240
ip address inside 10.1.40.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map VTVPN 10 ipsec-isakmp
crypto map VTVPN 10 match address VTVPN_list
crypto map VTVPN 10 set peer HUBPUBIP
crypto map VTVPN 10 set transform-set ESP-DES-MD5
crypto map VTVPN interface outside

isakmp enable outside
isakmp key ******** address HUBPUBIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

SPOKE MIA
Code:
access-list MIA_list permit ip 10.1.50.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list nonat permit ip 10.1.50.0 255.255.255.0 10.1.20.0 255.255.255.0

ip address outside MIAPIXIP 255.255.255.240
ip address inside 10.1.50.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map MIAVPN 10 ipsec-isakmp
crypto map MIAVPN 10 match address MIAVPN_list
crypto map MIAVPN 10 set peer HUBPUBIP
crypto map MIAVPN 10 set transform-set ESP-DES-MD5
crypto map MIAVPN interface outside

isakmp enable outside
isakmp key ******** address HUBPUBIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400



hope this helps

Cheers!
 
Crap!

Corrections

(I hope this doesn't confuse you)



VT Spoke (VTVPN_list needs to match)
Code:
(incorrect)
access-list VT_list permit ip 10.1.40.0 255.255.255.0 10.1.20.0 255.255.255.0

needs to be

access-list VTVPN_list permit ip 10.1.40.0 255.255.255.0 10.1.20.0 255.255.255.0

crypto map VTVPN 10 match address VTVPN_list

MIA Spoke (MIAVPN_list needs to match)
Code:
(incorrect)
access-list MIA_list permit ip 10.1.50.0 255.255.255.0 10.1.20.0 255.255.255.0

needs to be

access-list MIAVPN_list permit ip 10.1.50.0 255.255.255.0 10.1.20.0 255.255.255.0

crypto map MIAVPN 10 match address MIAVPN_list

sorry
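The two things explained in this thread (the crypto access-list is what selects "interesting traffic" for the tunnel, and a spoke's crypto map has to reference an access-list that actually exists and mirrors the hub's) can be checked mechanically before a config is pushed. Below is an added Python example, not code from this thread or from Cisco: it parses access-list and crypto map lines in the style of these configs, classifies an inside-to-outside packet as tunnelled or sent in the clear, and lints a hub/spoke pair for the exact mistake corrected above (VT_list defined, VTVPN_list referenced). The config fragments are constructed from the thread's subnets and placeholder peer names. It also flags the DES/MD5/group 1 algorithms in the sample as weak, which is a check these posts themselves do not make.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample fragments (subnets and placeholder names as used in the thread).
HUB_CFG = """
access-list nonat permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list nonat permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list MIAVPN_list permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list VTVPN_list permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set IPSecset esp-des esp-md5-hmac
crypto map IPSec 1 ipsec-isakmp
crypto map IPSec 1 match address MIAVPN_list
crypto map IPSec 1 set peer MIAPIXIP
crypto map IPSec 2 ipsec-isakmp
crypto map IPSec 2 match address VTVPN_list
crypto map IPSec 2 set peer VTPIXIP
isakmp policy 5 group 1
"""

# The VT spoke as first posted: the ACL is named VT_list but the crypto map
# references VTVPN_list, so no traffic would ever be selected for the tunnel.
VT_SPOKE_CFG = """
access-list VT_list permit ip 10.1.40.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list nonat permit ip 10.1.40.0 255.255.255.0 10.1.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map VTVPN 10 ipsec-isakmp
crypto map VTVPN 10 match address VTVPN_list
crypto map VTVPN 10 set peer HUBPUBIP
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
WEAK = ("esp-des", "esp-md5-hmac", "encryption des", "hash md5", "group 1")


def parse_acls(cfg):
    """name -> list of (src_net, dst_net) for 'permit ip' entries written with dotted masks."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return acls


def crypto_acl_names(cfg):
    """Access-list names referenced by 'crypto map ... match address'."""
    names = []
    for line in cfg.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def classify(cfg, src, dst):
    """What the PIX does with an inside-to-outside packet: 'tunnel' if it matches a
    crypto-map ACL (interesting traffic), otherwise 'clear' (PAT'ed out the interface
    by 'nat (inside) 1', which is the split-tunnel path for ordinary web traffic)."""
    acls = parse_acls(cfg)
    s, d = ip_address(src), ip_address(dst)
    for name in crypto_acl_names(cfg):
        for src_net, dst_net in acls.get(name, []):
            if s in src_net and d in dst_net:
                return "tunnel"
    return "clear"


def lint(cfg):
    """Findings a reviewer would raise on one PIX config."""
    findings = []
    acls = parse_acls(cfg)
    nonat = acls.get("nonat", [])
    for name in crypto_acl_names(cfg):
        if name not in acls:
            findings.append(f"crypto map references undefined access-list {name}")
            continue
        for src_net, dst_net in acls[name]:
            # nat 0 must exempt the pair, or it is translated before the crypto map sees it
            if (src_net, dst_net) not in nonat:
                findings.append(f"{name} pair {src_net}->{dst_net} is not exempted by nonat")
    for line in cfg.splitlines():
        if any(w in line for w in WEAK):
            findings.append(f"weak algorithm: {line.strip()}")
    return findings


def mirror_check(hub_cfg, spoke_cfg):
    """Every spoke crypto ACL pair (src, dst) must appear reversed as (dst, src) in a hub
    crypto ACL; returns the spoke pairs that have no hub counterpart."""
    hub_acls, spoke_acls = parse_acls(hub_cfg), parse_acls(spoke_cfg)
    hub_pairs = {p for n in crypto_acl_names(hub_cfg) for p in hub_acls.get(n, [])}
    return [(n, s, d) for n in crypto_acl_names(spoke_cfg)
            for s, d in spoke_acls.get(n, []) if (d, s) not in hub_pairs]


if __name__ == "__main__":
    print(classify(HUB_CFG, "10.1.20.5", "10.1.50.9"))     # tunnel
    print(classify(HUB_CFG, "10.1.20.5", "198.51.100.7"))  # clear
    for finding in lint(VT_SPOKE_CFG):
        print("VT spoke:", finding)
    fixed = VT_SPOKE_CFG.replace("access-list VT_list", "access-list VTVPN_list")
    print(lint(fixed), mirror_check(HUB_CFG, fixed))
```

Running it against the spoke as first posted reports the undefined VTVPN_list reference; after the rename only the weak-algorithm finding remains and the mirror check against the hub comes back empty. The nonat check matters because on the PIX the nat 0 exemption is evaluated before the crypto map, so a pair that is not exempted is PAT'ed to the outside address and never matches the crypto ACL.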
 
Many thanks again Br0ck. Ironically we just celebrated my birthday tonight and this was the best gift I received. (Don't tell my wife). I'll go through this tomorrow and the examples will allow me to make sense of the structure and functionality.


Regards
 
br0ck
I have a few q's on the code for the hub.

Are the following lines needed for the static vpns or are they strictly for pptp or remote sw clients?

sysopt connection permit-pptp

crypto dynamic-map dynmap 10 set transform-set IPSecset

crypto map IPSec 10 ipsec-isakmp dynamic dynmap
crypto map IPSec interface outside

isakmp enable outside


isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400

vpngroup IPSec address-pool ipsecpool
vpngroup IPSec dns-server INSIDEDNS
vpngroup IPSec default-domain net.com
vpngroup IPSec split-tunnel split
vpngroup IPSec idle-time 1800
vpngroup IPSec password ********
vpngroup idle-time idle-time 1800
 
Sorry I meant to leave these out

crypto map IPSec interface outside

isakmp enable outside
 
sysopt connection permit-pptp

that is not necessary for IPSec VPN (overlooked it)


crypto dynamic-map dynmap 10 set transform-set IPSecset

crypto map IPSec 10 ipsec-isakmp dynamic dynmap
crypto map IPSec interface outside

isakmp enable outside


isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400

vpngroup IPSec address-pool ipsecpool
vpngroup IPSec dns-server INSIDEDNS
vpngroup IPSec default-domain net.com
vpngroup IPSec split-tunnel split
vpngroup IPSec idle-time 1800
vpngroup IPSec password ********
vpngroup idle-time idle-time 1800

these are the meat and potatoes of the VPN config

the above will support a LAN-to-LAN

for VPN Client you need a few more statements

 
Take a look at this one

LAN-TO-LAN "spoke and hub" with 2 sites, MIA and VT
EZVPN server for dynamic PIXes and VPN clients
PPTP VPNs are authenticated by a Windows IAS server

Code:
access-list nonat permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0

access-list nonat permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0


access-list split permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0

access-list split permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0



access-list MIAVPN_list permit ip 10.1.20.0 255.255.255.0 10.1.50.0 255.255.255.0

access-list VTVPN_list permit ip 10.1.20.0 255.255.255.0 10.1.40.0 255.255.255.0


ip address outside PUBLIC IP 255.255.255.240
ip address inside 10.1.20.22 255.255.255.0

ip local pool pptpippool 10.1.60.1-10.1.60.254
ip local pool ipsecpool 10.1.70.1-10.1.70.254

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AAAGROUP protocol radius
aaa-server AAAGROUP (inside) host AAASERVERIP AAAPASSWORD timeout 10

sysopt connection permit-ipsec
sysopt connection permit-pptp

crypto ipsec transform-set IPSecset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set IPSecset

crypto map IPSec 1 ipsec-isakmp
crypto map IPSec 1 match address MIAVPN_list
crypto map IPSec 1 set peer MIAPIXIP
crypto map IPSec 1 set transform-set IPSecset

crypto map IPSec 2 ipsec-isakmp
crypto map IPSec 2 match address VTVPN_list
crypto map IPSec 2 set peer VTPIXIP
crypto map IPSec 2 set transform-set IPSecset

crypto map IPSec 10 ipsec-isakmp dynamic dynmap

crypto map IPSec interface outside

isakmp enable outside

isakmp key ******** address MIAPIXIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address VTPIXIP netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup IPSec address-pool ipsecpool
vpngroup IPSec dns-server INSIDEDNS
vpngroup IPSec default-domain net.com
vpngroup IPSec split-tunnel split
vpngroup IPSec idle-time 1800
vpngroup IPSec password ********
vpngroup idle-time idle-time 1800

vpdn group PPTPVPN accept dialin pptp

vpdn group PPTPVPN ppp authentication pap
vpdn group PPTPVPN ppp authentication chap
vpdn group PPTPVPN ppp authentication mschap
vpdn group PPTPVPN ppp encryption mppe 40 required

vpdn group PPTPVPN client configuration address local pptpippool
vpdn group PPTPVPN client configuration dns INSIDEDNS
vpdn group PPTPVPN client configuration wins INSIDEWINS
vpdn group PPTPVPN client authentication aaa AAAGROUP

vpdn group PPTPVPN pptp echo 60

vpdn enable outside
 
Final Notes
Got hub and spoke (3-way) up and running thanks to your help, Br0ck.

Able to ping both ways from all sites.

Now working on creating LMHOSTS files to overcome workgroup (peer-to-peer, no WINS, DNS or domain servers) limitations across subnets.

Thanks again for all your posts.

Regards
 