RE: PIX VPN/IPSEC [7:64016] posted 02/28/2003

I use the following configuration to allow VPN clients to terminate on PIX. 
Along with the usual rules about a firewall you need to create a "vpngroup"
which contains all the information that is passed to the client and an
access control list to list all the internal networks that the clients can
pass traffic to.
The clients are given an IP address from a pool called "home" in the config.

The clients also need to be given the IP address of the servers on the
inside that are performing DNS and WINS if you want them to be able to
"view" the inside network.
The VPN clients only require the outside address of the PIX, the groupname
and the password set up to be allowed to connect through to the company.
I have removed some of the company specific stuff, so if it does not make
sense either re-post the query or e-mail me direct for clarification.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sanfran
passwd cisco
hostname pix506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name X.X.X.1 default-gateway
name inside-network
name mail-server
access-list 100 permit tcp any host X.X.X.2 eq smtp
access-list 110 permit ip inside-network
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.3
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool home
pdm location mail-server inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 110
global (outside) 1 X.X.X.4
nat (inside) 1 0 0
static (inside,outside) X.X.X.2 mail-server netmask 0 0
conduit permit icmp any any
route outside default-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http mail-server inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set glasgow
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 default-domain "YOUR DOMAIN NAME"
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
telnet mail-server inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end

Best of luck,
Steve Wilson
Network Engineer
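The reply above relies on several lines of the PIX config cross-referencing each other: the vpngroup's address-pool must name an existing "ip local pool", its split-tunnel ACL must exist and be the same ACL used by "nat (inside) 0", and the crypto map, ISAKMP and "sysopt connection permit-ipsec" must all be bound to the outside interface. The following checker is an added example, not code from the post or from Cisco; the config excerpt it parses is constructed in the shape of the one above, with placeholder 10.x addresses standing in for the values the poster removed.

```python
import re

# Constructed excerpt in the shape of the PIX 6.2 config above; the 10.x
# addresses stand in for the values the poster removed and are not real.
PIX_CONFIG = """\
access-list 110 permit ip 10.1.0.0 255.255.0.0 10.9.9.0 255.255.255.0
ip local pool home 10.9.9.1-10.9.9.50
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
vpngroup pix506 address-pool home
vpngroup pix506 split-tunnel 110
"""


def audit_vpngroup(config: str) -> list[str]:
    """Return findings for dangling cross-references; [] means they all resolve."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    pools = {m.group(1) for l in lines if (m := re.match(r"ip local pool (\S+)", l))}
    nat0 = {m.group(1) for l in lines
            if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", l))}
    groups: dict[str, dict[str, str]] = {}
    for l in lines:
        if m := re.match(r"vpngroup (\S+) (\S+) (.+)", l):
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)

    findings = []
    for name, attrs in groups.items():
        pool = attrs.get("address-pool")
        if pool not in pools:
            findings.append(f"vpngroup {name}: address-pool {pool!r} has no 'ip local pool'")
        acl = attrs.get("split-tunnel")
        if acl is not None and acl not in acls:
            findings.append(f"vpngroup {name}: split-tunnel ACL {acl} is not defined")
        if acl is not None and acl not in nat0:
            findings.append(f"vpngroup {name}: ACL {acl} is not exempted from NAT "
                            "with 'nat (inside) 0', so replies to clients get translated")
    # Global pieces the reply depends on: IPsec traffic bypassing the interface
    # ACLs, a crypto map bound to outside, and ISAKMP listening on outside.
    for label, pattern in (("sysopt connection permit-ipsec", r"sysopt connection permit-ipsec$"),
                           ("crypto map bound to outside", r"crypto map \S+ interface outside$"),
                           ("isakmp enable outside", r"isakmp enable outside$")):
        if not any(re.match(pattern, l) for l in lines):
            findings.append(f"missing: {label}")
    return findings


if __name__ == "__main__":
    for finding in audit_vpngroup(PIX_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a copy of the real config (with the removed values filled back in) to catch a renamed pool or ACL before the change goes live.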
-----Original Message-----
From: mostro@xxxxxxxxxxxx [mailto:mostro@xxxxxxxxxxxx] 
Sent: 27 February 2003 20:38
To: cisco@xxxxxxxxxxxxxx
Subject: PIX VPN/IPSEC [7:64016]

I have a question regarding the configuration of manual IPSEC. I have to
create an access list to define the traffic to protect.

I want to connect to my office network from home. I have a DHCP assigned
address from my ISP so I can't specify a peer address. So I will use isakmp
key ****** address for now.

Now as far as the traffic goes. Should I specify protect all traffic or
what? What happens when I have multiple remote users? I would like the PIX
to be the end point so I can travel over my entire network (email, shares,
printers, etc). I'm a little confused on this..

Thanks in advance...
