outofcontrol
MIS
I have a Cisco 506E that is configured as the example below and it seems to work fine, but now I need to configure VPN in and out. I have tried using the PDM to configure the firewall and nothing seems to be working. I can get into the network with either PPTP or the Cisco VPN client 3.5.
I am stumped again which does not take much.
Thanks for your help in advance.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name mainsailgroup.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.103 DNS
name 192.168.1.102 mail
name 192.168.1.101 web
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp any host *.*.*.18 eq domain
access-list 100 permit udp any host *.*.*.18 eq domain
access-list 100 permit tcp any host *.*.*.21 eq www
access-list 100 permit tcp any host *.*.*.21 eq https
access-list 100 permit tcp any host *.*.*.21 eq ftp
access-list 100 permit tcp any host *.*.*.21 eq ftp-data
access-list 100 permit tcp any host *.*.*.20 eq smtp
access-list 100 permit tcp any host *.*.*.20 eq imap4
access-list 100 permit tcp any host *.*.*.20 eq pop3
access-list 100 permit tcp any host *.*.*.20 eq www
access-list 100 permit tcp any host *.*.*.20 eq pop2
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.218 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool thelocalpool 192.168.1.90-192.168.1.100
ip local pool thelocalpool2 192.168.2.1-192.168.2.254
pdm location 192.168.2.0 255.255.255.0 outside
pdm location web 255.255.255.255 inside
pdm location mail 255.255.255.255 inside
pdm location DNS 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.22-*.*.*.30 netmask 255.255.255.240
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) *.*.*.20 mail netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.21 web netmask 255.255.255.255 0 0
static (inside,outside) *.*.*.18 DNS netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.217 1
route outside 192.168.2.0 255.255.255.0 *.*.*.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup mainsail address-pool thelocalpool2
vpngroup mainsail dns-server web
vpngroup mainsail default-domain mainsailgroup
vpngroup mainsail idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address 192.168.1.105-192.168.1.254 inside
dhcpd dns web 216.99.255.30
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain mainsailgroup.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
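As posted, the configuration has the hooks for both VPN types but not the parts that terminate a session: `vpdn enable outside` is there but no `vpdn group` accepts PPTP dial-in, and `vpngroup mainsail` has no group pre-shared key, while `outside_map` has no client address-assignment or extended-authentication directives, so the Cisco VPN client has nothing to negotiate a group with. The fragment below is an added example, not the poster's config or any Cisco sample, showing the PIX 6.3 commands that fill those gaps. It also adds a 3DES/SHA-1 proposal ahead of the existing single-DES/MD5 one (VPN Client 3.5 supports it; check `show version` for the 3DES activation key on the 506E) and hands clients the host named DNS (192.168.1.103) rather than `web`, on the assumption that the posted `dns-server web` line was a slip. The group key, the user name and the passwords are placeholders.

```cisco
! --- Added example for PIX 6.3(1); not from the original post ---
! Assumptions: <group-preshared-key>, jdoe and the two passwords are placeholders;
! clients get 192.168.1.103 (host "DNS") as their DNS server.

! Phase 1 / Phase 2: prefer 3DES + SHA-1. Policy 10 outranks the existing policy 20,
! and the dynamic map now offers both transform sets, so old clients still connect.
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-DES-MD5

! Cisco VPN Client: group pre-shared key, pool address handed out on request,
! per-user extended authentication (xauth) against the PIX local user database.
vpngroup mainsail password <group-preshared-key>
vpngroup mainsail dns-server DNS
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL
username jdoe password <xauth-password> privilege 2

! PPTP: a vpdn group that accepts dial-in, authenticates with MS-CHAP, requires MPPE,
! and assigns addresses from the existing thelocalpool.
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local thelocalpool
vpdn group 1 client configuration dns 192.168.1.103
vpdn group 1 client authentication local
vpdn username jdoe password <pptp-password>
```

Nothing needs to be added to `access-list 100` for either VPN: traffic addressed to the PIX's own outside interface (ISAKMP on UDP 500, PPTP on TCP 1723 and GRE) is not filtered by the interface ACL, and `sysopt connection permit-ipsec` / `permit-pptp` already exempt the decapsulated client traffic. To see where a connection stalls, use `show isakmp sa` and `show crypto ipsec sa` (a Phase 1 SA with no Phase 2 SA usually means the group name or key is wrong), `debug crypto isakmp` while a client connects, and `show vpdn` / `debug vpdn event` for PPTP. Three smaller points in the posted config are worth tidying while in there: dynamic-map entries 20 and 40 match the same access list and one of them is redundant; PPTP with MS-CHAP and 40-bit MPPE is a known-weak combination, so the IPsec client should be the preferred path; and `snmp-server community public` is the default string and should be changed, with polling hosts restricted via `snmp-server host`.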