
PIX 515 VPN configuration ... Please help!

Status
Not open for further replies.

fpower

MIS
Joined
Aug 12, 2003
Messages
54
Location
US
Hi all,
Cisco is new to me and I am not sure how to do this...
I am trying to configure a PIX 515 for VPN use. It will be used for clients to connect from home to the office. Most people have cable modems, so I will not know their IP address. I would like to be able to use a Windows IAS server located in my DMZ for authentication and would like to dynamically assign the clients an IP for the internal network.
Here is my proposed config ... any guidance would be GREATLY appreciated. Thanks!

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security30
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
hostname one
domain-name XXXXXXXXXX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
pager lines 24
logging on
logging trap debugging
logging host inside 10.10.1.40
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside xxx.xxx.xx.xx 255.255.255.0
ip address inside 10.10.1.1 255.255.0.0
ip address DMZ1 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 10.10.0.0 255.255.0.0 10.10.126.0 255.255.255.0
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq http
nat (inside) 0 access-list 80
static (inside,outside) xxx.xxx.xx.xx 10.10.1.28 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.xx 10.10.1.6 netmask 255.255.255.255 0 0
conduit permit tcp host xxx.xxx.xx.xx eq 443 any
conduit permit tcp host xxx.xxx.xx.xx eq smtp any
route outside 0.0.0.0 0.0.0.0 209.73.41.1 1
route inside 172.16.0.0 255.255.0.0 10.10.1.254 1
route inside 172.20.0.0 255.255.0.0 10.10.1.254 1
route inside 192.168.250.0 255.255.255.0 10.10.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
ip local pool vpnippool 10.10.126.1-10.10.126.100
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.10.10
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXXX
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp key 12345 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup w&l-vpn address-pool vpnippool
vpngroup w&l-vpn dns-server 10.10.1.250
vpngroup w&l-vpn wins-server 10.10.1.250
vpngroup w&l-vpn default-domain wl-domain.com
vpngroup w&l-vpn idle-time 1800
sysopt connection permit-ipsec
telnet 10.10.1.40 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:
 
Thanks, I really do appreciate the help!
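The points a reviewer would raise on the proposed config, written up as an added example rather than as anything from the original post or from Cisco: the RADIUS host is bound to "(dmz)" although the nameif is DMZ1 and carries no shared key; access-list 100 pairs 10.10.126.0 with a 255.255.0.0 mask; one crypto map line names "partnet-map" while the rest say "partner-map"; the transform-set keywords are misspelled; there is no "isakmp enable outside" and no "vpngroup ... password"; and the vpnippool range 10.10.126.x is carved out of the inside 10.10.0.0/16. The checker below parses PIX 6.x syntax for exactly those items and is run over a trimmed, constructed copy of the posted config and over a corrected copy. The check names, messages, the trimmed configs and the *_PLACEHOLDER keys are this example's own assumptions.

```python
"""PIX 6.x remote-access VPN config review: an added example, not the post's or Cisco's code.
Runs over a trimmed, constructed copy of the configuration posted above; check names, messages
and the *_PLACEHOLDER keys are this example's own."""
import ipaddress
import re

# Transform-set keywords PIX 6.x accepts (common subset; this check's own table).
VALID_TRANSFORMS = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256",
                    "esp-null", "esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}

# Constructed trim of the posted config, its mistakes included.
POSTED = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security30
ip address inside 10.10.1.1 255.255.0.0
ip address DMZ1 192.168.10.1 255.255.255.0
access-list 100 permit tcp 10.10.126.0 255.255.0.0 10.10.10.0 255.255.255.0 eq telnet
ip local pool vpnippool 10.10.126.1-10.10.126.100
aaa-server partnerauth (dmz) host 192.168.10.10
crypto map partnet-map client configuration address initiate;
crypto ipsec transform-set strong-des esp-3ds esp-sha-hmc
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp key 12345 address 0.0.0.0 netmask 0.0.0.0
vpngroup w&l-vpn address-pool vpnippool
"""

# Same design with each finding addressed: pool on its own subnet (nat 0 list updated to match),
# RADIUS host on DMZ1 with a key, one map name, ISAKMP enabled on outside, a vpngroup password.
FIXED = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security30
ip address inside 10.10.1.1 255.255.0.0
ip address DMZ1 192.168.10.1 255.255.255.0
access-list 80 permit ip 10.10.0.0 255.255.0.0 192.168.126.0 255.255.255.0
nat (inside) 0 access-list 80
ip local pool vpnippool 192.168.126.1-192.168.126.100
aaa-server partnerauth (DMZ1) host 192.168.10.10 RADIUS_KEY_PLACEHOLDER timeout 5
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp enable outside
isakmp key GROUP_KEY_PLACEHOLDER address 0.0.0.0 netmask 0.0.0.0
vpngroup w&l-vpn address-pool vpnippool
vpngroup w&l-vpn password GROUP_KEY_PLACEHOLDER
"""


def review_pix_config(text):
    # Returns a list of findings; an empty list means nothing was flagged.
    findings, ifaces, maps, pools = [], {}, set(), []
    applied, enabled, groups, with_pw = set(), set(), set(), set()
    for ln in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := re.match(r"nameif \S+ (\S+) security\d+$", ln):
            ifaces[m[1].lower()] = None                 # subnet filled in by ip address
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", ln):
            ifaces[m[1].lower()] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"aaa-server \S+ \((\S+)\) host (\S+)\s*(\S*)", ln):
            if m[1].lower() not in ifaces:              # interface must be a nameif name
                findings.append(f"aaa-server host {m[2]}: '{m[1]}' is not a nameif interface")
            if not m[3]:                                # RADIUS needs a shared key
                findings.append(f"aaa-server host {m[2]}: no RADIUS shared key")
        elif m := re.match(r"access-list (\S+) (?:permit|deny) \S+ (\d\S+) (\S+) (\d\S+) (\S+)", ln):
            for addr, mask in ((m[2], m[3]), (m[4], m[5])):  # network/mask form only
                try:
                    ipaddress.ip_network(f"{addr}/{mask}")  # strict: host bits must be zero
                except ValueError:
                    findings.append(f"access-list {m[1]}: {addr} {mask} is not a valid network/mask")
        elif m := re.match(r"crypto ipsec transform-set \S+ (.*)", ln):
            findings += [f"transform-set: unknown keyword '{kw}'" for kw in m[1].split() if kw not in VALID_TRANSFORMS]
        elif m := re.match(r"crypto map (\S+) (?:interface (\S+))?", ln):
            maps.add(m[1])
            if m[2]:
                applied.add(m[2])
        elif m := re.match(r"isakmp enable (\S+)", ln):
            enabled.add(m[1])
        elif m := re.match(r"vpngroup (\S+) (password)?", ln):
            groups.add(m[1])
            if m[2]:
                with_pw.add(m[1])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", ln):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
    if len(maps) > 1:                                   # one mistyped line splits the map
        findings.append(f"crypto map: inconsistent names {sorted(maps)}")
    findings += [f"isakmp: not enabled on '{i}' where the crypto map is applied" for i in sorted(applied - enabled)]
    findings += [f"vpngroup {g}: no password configured" for g in sorted(groups - with_pw)]
    for name, lo, hi in pools:                          # a pool carved from an interface subnet
        for iface, net in ifaces.items():               # relies on proxy ARP; keep it separate
            if net is not None and (lo in net or hi in net):
                findings.append(f"ip local pool {name}: overlaps '{iface}' subnet {net}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, review_pix_config(cfg) or "no findings")
```

Run as a script it prints nine findings for the posted copy and "no findings" for the corrected one. The wildcard "isakmp key ... address 0.0.0.0 netmask 0.0.0.0" is left alone on purpose: with roaming cable-modem clients the peer address cannot be pinned down, so the group key and the RADIUS user authentication behind it are what actually gate access, which is why the vpngroup password and the aaa-server key matter more than the peer mask.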
 