GroupStudy.com - A virtual community of network engineers
RE: PIX VPN/IPSEC [7:64016] posted 02/28/2003


I use the following configuration to allow VPN clients to terminate on PIX. 
Along with the usual rules about a firewall you need to create a "vpngroup"
which contains all the information that is passed to the client and an
access control list to list all the internal networks that the clients can
pass traffic to.
The clients are given an IP address from a pool called "home" in the config.

The clients also need to be given the IP address of the servers on the
inside that are performing DNS and WINS if you want them to be able to
"view" the inside network.
The VPN clients only require the outside address of the PIX, the groupname
and the password set up to be allowed to connect through to the company
network.
I have removed some of the company specific stuff, so if it does not make
sense either re-post the query or e-mail me direct for clarification.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sanfran
passwd cisco
hostname pix506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name X.X.X.1 default-gateway
name 192.168.0.0 inside-network
name 192.168.0.1 mail-server
access-list 100 permit tcp any host X.X.X.2 eq smtp
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.3 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool home 172.16.1.1-172.16.1.31
pdm location mail-server 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 110
global (outside) 1 X.X.X.4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.2 mail-server netmask 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 default-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http mail-server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set glasgow
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 default-domain "YOUR DOMAIN NAME"
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
telnet mail-server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:57078d328d36e851c854b4913142d72e
: end

Best of luck,
Steve Wilson
Network Engineer

-----Original Message-----
From: mostro@xxxxxxxxxxxx [mailto:mostro@xxxxxxxxxxxx] 
Sent: 27 February 2003 20:38
To: cisco@xxxxxxxxxxxxxx
Subject: PIX VPN/IPSEC [7:64016]

I have a question regarding the configuration of manual IPSEC. I have to
create an access list to define the traffic to protect.

I want to connect to my office network from home. I have a DHCP assigned
address from my ISP so I can't specify a peer address. So I will use isakmp
key ****** address 0.0.0.0 for now.

Now as far as the traffic goes. Should I specify protect all traffic or
what? What happens when I have multiple remote users? I would like the PIX
to be the end point so I can travel over my entire network (email, shares,
printers, etc). I'm a little confused on this.

Thanks in advance...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64062&t=64016
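To show how a defender would review a configuration like the one posted above before deploying it, here is an added example; it is not code from the original post or from Cisco. It is a small Python linter that reads a PIX 6.x configuration, pulls out the ISAKMP policies, IPsec transform set, vpngroup statements and a few management settings, and reports the items a reviewer would question (DES/3DES, MD5, DH group 1/2, default SNMP community, clear-text passwords, a wildcard pre-shared key, split tunnelling and `sysopt connection permit-ipsec`). The sample input is an abridged copy of the posted config; the `isakmp key ... address 0.0.0.0` line is constructed from the form mentioned in the question being answered, with a placeholder key, and the severity labels are this example's own.

```python
"""Added example: a small linter for a PIX 6.x remote-access VPN configuration.

Not code from the original post. Rules encode generally known weaknesses;
the severity labels are this example's own choice.
"""
import re

# Abridged copy of the configuration in the post above. The original author
# removed the vpngroup password and the isakmp key; the `isakmp key` line is
# constructed here from the wildcard-peer form in the question, with a placeholder.
SAMPLE_CONFIG = """\
enable password sanfran
passwd cisco
snmp-server community public
conduit permit icmp any any
sysopt connection permit-ipsec
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set glasgow
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key PLACEHOLDER-KEY address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup pix506 address-pool home
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
telnet mail-server 255.255.255.255 inside
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_isakmp_policies(lines):
    """Collect `isakmp policy <n> <attribute> <value>` lines, keyed by policy number."""
    policies = {}
    for line in lines:
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return policies


def audit(config_text):
    """Return a list of (severity, message) findings for a PIX 6.x configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Phase 1 (ISAKMP) proposal strength: one finding per weak attribute.
    for num, attrs in parse_isakmp_policies(lines).items():
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(("high", f"isakmp policy {num}: {attrs['encryption']} encryption"))
        if attrs.get("hash") in WEAK_HASH:
            findings.append(("medium", f"isakmp policy {num}: {attrs['hash']} hash"))
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(("medium", f"isakmp policy {num}: DH group {attrs['group']}"))

    for line in lines:
        # Phase 2 (IPsec) transform set: DES/3DES and HMAC-MD5 transforms are weak.
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            weak = [t for t in m.group(2).split() if t in WEAK_TRANSFORMS]
            if weak:
                findings.append(("high", f"transform-set {m.group(1)}: weak transforms {', '.join(weak)}"))
        # A pre-shared key bound to 0.0.0.0 is shared by every peer that connects.
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0", line):
            findings.append(("high", "isakmp key for address 0.0.0.0: one pre-shared key for all peers"))
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1) in DEFAULT_COMMUNITIES:
            findings.append(("medium", f"snmp-server community '{m.group(1)}' is a default value"))
        if line == "conduit permit icmp any any":
            findings.append(("medium", "conduit permits ICMP from any source to any host"))
        # Stored credentials should carry the `encrypted` keyword; a bare value is clear text.
        m = re.match(r"(enable password|passwd) (\S+)(.*)", line)
        if m and "encrypted" not in m.group(3):
            findings.append(("low", f"{m.group(1)} stored in clear text"))
        # Informational: design choices that deserve a conscious decision.
        if re.match(r"vpngroup \S+ split-tunnel", line):
            findings.append(("info", "split tunnelling enabled: client keeps a direct Internet path"))
        if line == "sysopt connection permit-ipsec":
            findings.append(("info", "IPsec-decapsulated traffic bypasses interface access lists"))
        if re.match(r"telnet \S+ \S+ outside", line):
            findings.append(("high", "telnet management permitted on the outside interface"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:<6}] {message}")
    print(count_by_severity(audit(SAMPLE_CONFIG)))
```

Run it against the output of `write terminal` saved to a file and it prints one line per finding; on the sample above it reports three high, four medium, two low and two informational items. The two informational rules are the ones most worth discussing with the poster: `vpngroup ... split-tunnel 110` is what lets the client keep a normal Internet path while the tunnel is up, and `sysopt connection permit-ipsec` is what makes the decrypted client traffic skip the outside access list, so the internal reachability of VPN users is governed by the pool and the split-tunnel list rather than by the firewall rules.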
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx