- Vpn site to site + vpn cisco client access list problem.
- Posted by Vigarv on August 7th, 2006
Hi,
I have a problem getting the VPN site-to-site tunnel and the VPN client tunnel
to work at the same time.
How can I join access lists 80 and 100 so I can add them both to nat
"(inside) 0 access-list 80"?
I have a PIX 501 and a 2620, and the PIX 501 is accessible through the Cisco
VPN client.
The config on the pix 501:
: Written by admin at 15:32:22.817 CEDT Mon Aug 7 2006
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password g4JAhKwvQDnczMDZ encrypted
passwd g4JAhKwvQDnczMDZ encrypted
hostname gotfw01
domain-name veprox.int
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.99.0 VPN
access-list 80 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
pager lines 24
mtu outside 1420
mtu inside 1500
ip address outside 192.168.0.10 255.255.254.0
ip address inside 172.16.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client_pool 192.168.99.50-192.168.99.60 mask 255.255.255.0
pdm location 172.16.0.0 255.255.0.0 inside
pdm location VPN 255.255.255.0 outside
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 172.16.0.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp3dessha1 esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 10 set transform-set esp3dessha1
crypto map vpnmap 9 ipsec-isakmp
crypto map vpnmap 9 match address 80
crypto map vpnmap 9 set peer 192.168.0.11
crypto map vpnmap 9 set transform-set esp3dessha1
crypto map vpnmap 10 ipsec-isakmp dynamic vpnclient
crypto map vpnmap client configuration address initiate
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.11 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 10
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup vpncli address-pool vpn_client_pool
vpngroup vpncli dns-server 172.16.100.10
vpngroup vpncli wins-server 172.16.100.10
vpngroup vpncli default-domain mycompany.int
vpngroup vpncli split-tunnel 100
vpngroup vpncli idle-time 1800
vpngroup vpncli secure-unit-authentication
vpngroup vpncli password ********
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 60
dhcpd address 172.16.100.32-172.16.100.62 inside
dhcpd dns 195.67.199.27
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain company.int
dhcpd enable inside
username admin password Vs.JwYvvku50bpmp encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
banner exec
banner exec ***************************************
banner exec * You made It into the intranet core! *
banner exec ***************************************
banner exec
banner login You are trying to access a local network!
And on the 2620:
Using 1110 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
!
ip dhcp pool local
network 172.16.101.0 255.255.255.0
default-router 172.16.101.1
lease 15
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 123qwe address 192.168.0.10
!
!
crypto ipsec transform-set esp3dessha1 esp-3des esp-sha-hmac
!
crypto map vpnmap 1 ipsec-isakmp
set peer 192.168.0.10
set transform-set esp3dessha1
match address 101
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.101.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet1/0
description To internet (outside)
ip address 192.168.0.11 255.255.254.0
ip nat outside
crypto map vpnmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip http server
!
access-list 1 permit 172.16.101.0 0.0.0.255
access-list 101 permit ip 172.16.101.0 0.0.0.255 any
!
!
line con 0
line aux 0
line vty 0 4
!
end
Hope that it's easy to fix.
Best regards,
Robert
- Posted by Walter Roberson on August 7th, 2006
In article <1154961305.224616.69900@n13g2000cwa.googlegroups.com>,
Vigarv <robert.vigarv@hotmail.com> wrote:
The only way is to copy the contents. Create a new access list
that has the content of both access lists, and use that new access
list *only* for the nat 0 access-list. You currently use the same
access list for nat 0 access-list and for crypto map match address;
using the same access-list for both purposes will often cause problems.
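As an added illustration (not part of either post), the check below parses a constructed excerpt of the PIX config from the thread and flags the two conditions the reply describes: a nat 0 ACL that is shared with a crypto map or split-tunnel list, and VPN traffic that the nat 0 ACL does not exempt from NAT. The FIXED excerpt shows the suggested merged list; the ACL name nonat is an assumed choice.

```python
# Constructed excerpt of the PIX 6.3 config posted above (not the full config).
ORIGINAL = """
access-list 80 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
nat (inside) 0 access-list 80
crypto map vpnmap 9 match address 80
vpngroup vpncli split-tunnel 100
"""

# Constructed fix following the reply: a third ACL (name "nonat" is assumed)
# holding both sets of entries and referenced only by nat 0; the crypto map
# and the split-tunnel definition keep their own lists.
FIXED = """
access-list 80 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list 100 permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
access-list nonat permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.100.0 255.255.255.0 VPN 255.255.255.0
nat (inside) 0 access-list nonat
crypto map vpnmap 9 match address 80
vpngroup vpncli split-tunnel 100
"""

def parse(config):
    """Collect ACL entries and the ACL names used by nat 0, crypto maps and split-tunnel."""
    acls, nat0, crypto, split = {}, None, set(), set()
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            acls.setdefault(parts[1], set()).add(" ".join(parts[2:]))
        elif line.startswith("nat (inside) 0 access-list "):
            nat0 = parts[-1]
        elif parts[0] == "crypto" and "match" in parts:
            crypto.add(parts[-1])
        elif parts[0] == "vpngroup" and "split-tunnel" in parts:
            split.add(parts[-1])
    return acls, nat0, crypto, split

def check_nat0_acl(config):
    """Return a list of findings; an empty list means the nat 0 ACL is sound."""
    acls, nat0, crypto, split = parse(config)
    if nat0 is None:
        return ["no nat (inside) 0 access-list configured"]
    findings = []
    for name in crypto | split:
        # 1. nat 0 must not share its ACL with a VPN definition
        if name == nat0:
            findings.append(f"ACL {name} is used by both nat 0 and a VPN definition")
        # 2. every VPN ACE must also be present in the nat 0 ACL, or it gets NATed
        for ace in acls.get(name, set()) - acls.get(nat0, set()):
            findings.append(f"ACE '{ace}' from ACL {name} is missing from nat 0 ACL {nat0}")
    return findings
```

Running check_nat0_acl(ORIGINAL) reports both problems, while check_nat0_acl(FIXED) reports none.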