Security, hacker detection & forensics FAQ

VPN Client

How can I setup a Cisco PIX for IPSec VPN client use? by bytehd
Posted: 3 Sep 04

After 3 months of PIX books, TAC calls, and gracious Tek-Tips users, I found the answer to my PIX 501 VPN Client configuration headache.

Basically, you need these 9 steps to get Cisco PIX VPN IPSec tunnels to work properly with the Cisco dial-in client. A sample completed configuration follows below.

STEPS
1) Create an ACL to allow the physical inside subnet access to your new virtual VPN-created vpngroup IP pool.

2) Use this access-list as an exception for this new subnet on your NAT zero statement.

3) Bind this same access-list to the access-group in interface outside statement.

4) Create an IP LOCAL POOL for usage by the ISAKMP and VPNGROUP commands.

5) Add the SYSOPT CONNECTION PERMIT-IPSEC command

6) Add a crypto ipsec transform set

7) Add a crypto dynamic map using this transform set

8) Add ISAKMP statements and policies as listed below

9) Create a VPNGROUP using the above IP POOL

NOTES
What was especially frustrating was the lack of Cisco step-by-step setup directions, even in their official books, and steps often conflicted from firmware to firmware.

Also note the lack of any route statements between the LAN and HOMEPOOL subnets!

The obvious oversight on my part was not allowing inbound packets to return through the PIX (to the "remote host" VPN dial-in users) because those inside hosts' default gateways were NOT pointing back to the inside interface of the PIX.

Successful configuration allowing both PIX-to-PIX and client tunnel setups:
---------------------

CODE

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname yourpix
domain-name yourdomain.com
clock timezone - -5
clock summer-time EST recurring

fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
name 192.168.120.0 LAN
name 192.168.120.100 NOVELL
name 192.168.120.111 logging_server

access-list corp permit ip LAN 255.255.255.0 10.146.40.0 255.255.248.0
access-list home_tunnel permit ip LAN 255.255.255.0 10.146.40.0 255.255.248.0
access-list home_tunnel permit ip LAN 255.255.255.0 192.168.121.0 255.255.255.0
access-list mail deny ip bad_spammers_subnet1 255.255.255.0 any
access-list mail permit udp any any eq ntp
access-list mail permit udp any any eq domain
access-list mail permit tcp any any eq smtp
access-list mail permit ip LAN 255.255.255.0 10.146.40.0 255.255.248.0
access-list mail permit icmp any any unreachable
access-list mail permit tcp any any eq www

ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.120.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool homepool 192.168.121.100-192.168.121.200

global (outside) 1 interface
nat (inside) 0 access-list home_tunnel
nat (inside) 1 LAN 255.255.255.0 dns 0 0
static (inside,outside) x.x.x.x NOVELL dns netmask 255.255.255.255 0 0
access-group mail in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

floodguard enable

sysopt connection permit-ipsec
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto dynamic-map homemap 20 set transform-set set
crypto map vpn 1 ipsec-isakmp
crypto map vpn 1 match address corp
crypto map vpn 1 set peer x.x.x.x
crypto map vpn 1 set transform-set set
crypto map vpn 6767 ipsec-isakmp dynamic homemap
crypto map vpn interface outside

isakmp enable outside
isakmp key ****** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local homepool outside
isakmp nat-traversal 20

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

vpngroup homegroup address-pool homepool
vpngroup homegroup dns-server 4.2.2.1
vpngroup homegroup default-domain corpdns
vpngroup homegroup idle-time 1800
vpngroup homegroup password ******

http://www.insyncva.com
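An added example (not from the original post): a small Python checker that reads a PIX 6.3 config and verifies that the nine steps above are present and wired together (pool referenced by the ISAKMP and VPNGROUP lines, NAT-0 ACL covering the pool subnet, transform set referenced by the dynamic map, and so on), and as a caveat flags the DES/MD5/group-1 ISAKMP policies the sample config negotiates. The embedded sample is a constructed excerpt of the config above; the function name is my own.

```python
import ipaddress
import re

# Constructed sample input: the client-VPN lines of the PIX 6.3 config in the post above.
SAMPLE = """\
access-list home_tunnel permit ip LAN 255.255.255.0 192.168.121.0 255.255.255.0
ip local pool homepool 192.168.121.100-192.168.121.200
nat (inside) 0 access-list home_tunnel
access-group mail in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto dynamic-map homemap 20 set transform-set set
crypto map vpn 6767 ipsec-isakmp dynamic homemap
crypto map vpn interface outside
isakmp enable outside
isakmp client configuration address-pool local homepool outside
isakmp policy 1 hash md5
isakmp policy 1 group 1
vpngroup homegroup address-pool homepool
"""

def check_pix_client_vpn(config):
    """Return findings; an empty list means the nine steps are present and wired together."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def grab(pat):  # match object for the first config line matching pat, else None
        return next((m for l in lines if (m := re.match(pat, l))), None)
    pool = grab(r"ip local pool (\S+) (\S+)-")
    if not pool:
        return ["step 4: no 'ip local pool' for VPN clients"]
    name, first, f = pool[1], ipaddress.ip_address(pool[2]), []
    nat0 = grab(r"nat \(inside\) 0 access-list (\S+)")
    if not nat0:
        f.append("step 2: no 'nat (inside) 0 access-list' NAT exemption")
    elif not any(first in ipaddress.ip_network(f"{dst}/{mask}", strict=False) for l in lines
                 for dst, mask in re.findall(rf"access-list {nat0[1]} permit ip \S+ \S+ (\S+) (\S+)$", l)):
        f.append(f"step 1: access-list {nat0[1]} never reaches the {name} pool subnet")
    ts = grab(r"crypto ipsec transform-set (\S+) ")
    dyn = grab(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")
    if not ts or not dyn or dyn[2] != ts[1]:
        f.append("steps 6-7: dynamic-map must reference a defined transform-set")
    # Remaining steps are single lines that must exist and name the right pool.
    required = [("3", r"access-group \S+ in interface outside"), ("5", r"sysopt connection permit-ipsec"),
                ("7", r"crypto map \S+ \d+ ipsec-isakmp dynamic \S+"), ("7", r"crypto map \S+ interface outside"),
                ("8", r"isakmp enable outside"), ("8", rf"isakmp client configuration address-pool local {name} outside"),
                ("9", rf"vpngroup \S+ address-pool {name}")]
    f += [f"step {step}: no line matching '{pat}'" for step, pat in required if not grab(pat)]
    # Caveat beyond the nine steps: flag the weak ISAKMP algorithms the sample config negotiates.
    f += [f"weak: isakmp policy {m[1]} uses {m[2]}" for l in lines
          if (m := re.match(r"isakmp policy (\d+) (encryption des|hash md5|group 1)$", l))]
    return f
```

Running the checker over the full config above (after substituting real values for the x.x.x.x placeholders) gives only the "weak" findings, which is the result you want before cutting over.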
