GroupStudy.com - CCIE, CCNA, CCNP and other Cisco Certifications

Home

BookStore

StudyNotes

Links

[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Subject: RE: PIX IPSEC/VPN and remote client question - looking for a working config (updated config)
From: "George Hansen" <ghansen@xxxxxxxxxxxxxxxxxx>
Date: Mon, 2 Dec 2002 16:40:12 -0800
Content-class: urn:content-classes:message
Thread-index: AcKaWbkvkt8ER6a0RL6pIRcyyGYcXAACiXlw
Thread-topic: PIX IPSEC/VPN and remote client question - looking for a working config (updated config)

I think you need these as well:

sysopt connection permit-ipsec
access-list 80 permit (whatever you want to split tunnel)
access-list acloutside (whatever you want to allow in)
static (inside,outside) 192.168.1.x x.x.x.x (for your web servers, etc.
that are exposed)

You should use descriptive names for your access lists instead of using
numbers.

George

-----Original Message-----
From: Stong, Ian C [GMG] [mailto:Ian.C.Stong@xxxxxxxxxxxxxxx]
Sent: Monday, December 02, 2002 12:26 PM
To: security@xxxxxxxxxxxxxx
Subject: PIX IPSEC/VPN and remote client question - looking for a
working config (updated config)


Hi,

I need to setup a PIX so that some outside users can tie in securely
using
IPSEC and VPN client version 3 while others will tie in in the clear and
be
subject solely to ACL's (and lastly - the general public will have
access to
ports 80 and 443).

My confusion exists in the configuration of what if any ACL to use to
tell
the VPN what packets to look at for IPSEC and what packets not to look
at.
My updated sample config follows:

 access-list 100 permit ip host 192.168.1.0 255.255.255.0 192.168.2.0
255.255.255.0

 nat 0 access-list 100
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0

 ip address outside 150.140.130.1 255.255.255.0
 ip address inside 192.168.1.1 255.255.255.0

 ip local pool vpn_users 192.168.2.0-192.168.2.254

 crypto isakmp client configuration address-pool local vpn_users outside
 crypto ipsec transform-set whatever esp-des esp-md5-hmac
 crypto ipsec security-association lifetime seconds 3600
 crypto dynamic-map dynmap 10 set transform-set whatever
 crypto map mymap client-configuration address initiate
 crypto map mymap 10 ipsec-isakmp dynamic dynmap
 crypto map mymap interface outside
 isakmp enable outside

 vpngroup thegroup address-pool vpn_users
 vpngroup thegroup dns-server 200.100.50.1
 vpngroup thegroup wins-server 192.168.1.10
 vpngroup thegroup default-domain mydomain.com
 vpngroup thegroup split-tunnel 80
 vpngroup thegroup idle-time 1800 

 isakmp key privatekey address 0.0.0.0 netmask 0.0.0.0
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 28800


Thoughts....

Prev by Date: RE: IPSEC/GRE backup
Next by Date: RE: One side of the tunnel is down
Previous by thread: PIX IPSEC/VPN and remote client question - looking for a working config (updated config)
Next by thread: Generating multicast traffic
Index(es):
- Date
- Thread