
How can I setup a Cisco PIX for IPSec VPN client use?


by bytehd (Edited)
After 3 months of PIX books, TAC calls, and gracious Tek-Tips users, I found the answer to my PIX 501 VPN Client configuration headache.

Basically, you need these 9 steps to get Cisco PIX VPN IPsec tunnels to work properly with the Cisco dial-in client. A sample completed configuration follows below.

STEPS
1) Create an ACL to allow the physical inside subnet access to your new virtual VPN-created vpngroup IP pool.

2) Use this access-list as an exception for this new subnet on your NAT zero statement.

3) Bind this same access-list to the access-group in interface outside statement.

4) Create an IP LOCAL POOL for usage by the ISAKMP and VPNGROUP commands.

5) Add the SYSOPT CONNECTION PERMIT-IPSEC command

6) Add a crypto ipsec transform set

7) Add a crypto dynamic map using this transform set

8) Add ISAKMP statements and policies as listed below

9) Create a VPNGROUP using the above IP POOL

NOTES
What was especially frustrating was the lack of Cisco step-by-step setup directions, even in their official books. And the steps often conflicted from firmware to firmware.

Also note the lack of any route statements between the LAN and HOMEPOOL subnets!

The obvious oversight on my part was not allowing inbound packets to return through the PIX (to the "remote host" VPN dial-in users), because those inside hosts' default gateways were NOT pointing back to the inside interface of the PIX.

Successful Configuration allowing both PIX-to-PIX and Client tunnel setups:
---------------------
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname yourpix
domain-name yourdomain.com
clock timezone - -5
clock summer-time EST recurring

fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
name 192.168.120.0 LAN
name 192.168.120.100 NOVELL
name 192.168.120.111 logging_server

access-list corp permit ip LAN 255.255.255.0 10.146.40.0 255.255.248.0
access-list home_tunnel permit ip LAN 255.255.255.0 10.146.40.0 255.255.248.0
access-list home_tunnel permit ip LAN 255.255.255.0 192.168.121.0 255.255.255.0
access-list mail deny ip bad_spammers_subnet1 255.255.255.0 any 
access-list mail permit udp any any eq ntp 
access-list mail permit udp any any eq domain 
access-list mail permit tcp any any eq smtp 
access-list mail permit ip LAN 255.255.255.0 10.146.40.0 255.255.248.0 
access-list mail permit icmp any any unreachable 
access-list mail permit tcp any any eq www 

ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.120.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool homepool 192.168.121.100-192.168.121.200

global (outside) 1 interface
nat (inside) 0 access-list home_tunnel
nat (inside) 1 LAN 255.255.255.0 dns 0 0
static (inside,outside) x.x.x.x NOVELL dns netmask 255.255.255.255 0 0 
access-group mail in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

floodguard enable

sysopt connection permit-ipsec
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto dynamic-map homemap 20 set transform-set set
crypto map vpn 1 ipsec-isakmp
crypto map vpn 1 match address corp
crypto map vpn 1 set peer x.x.x.x
crypto map vpn 1 set transform-set set
crypto map vpn 6767 ipsec-isakmp dynamic homemap
crypto map vpn interface outside

isakmp enable outside
isakmp key ****** address x.x.x.x netmask 255.255.255.255 
isakmp identity address
isakmp client configuration address-pool local homepool outside
isakmp nat-traversal 20

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

vpngroup homegroup address-pool homepool
vpngroup homegroup dns-server 4.2.2.1
vpngroup homegroup default-domain corpdns
vpngroup homegroup idle-time 1800
vpngroup homegroup password ******
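As an added example (not part of the original FAQ or of Cisco's tooling), the following Python check walks a PIX 6.x configuration and verifies that the nine steps above are wired together: the vpngroup and ISAKMP pool names resolve to an ip local pool, the NAT 0 access-list actually exempts the pool's address range, the dynamic map's transform set exists, the crypto map references a defined dynamic map, and sysopt connection permit-ipsec is present. The sample configuration is constructed from the page's own names (home_tunnel, homepool, homemap, set) with numeric addresses in place of the LAN name; the check verifies wiring only, not whether the access-lists themselves are as tight as they should be.

```python
import ipaddress
import re

# Constructed sample: only the lines the FAQ's nine steps tie together, using the page's names.
SAMPLE_CONFIG = """
access-list home_tunnel permit ip 192.168.120.0 255.255.255.0 10.146.40.0 255.255.248.0
access-list home_tunnel permit ip 192.168.120.0 255.255.255.0 192.168.121.0 255.255.255.0
ip local pool homepool 192.168.121.100-192.168.121.200
nat (inside) 0 access-list home_tunnel
sysopt connection permit-ipsec
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto dynamic-map homemap 20 set transform-set set
crypto map vpn 6767 ipsec-isakmp dynamic homemap
isakmp client configuration address-pool local homepool outside
vpngroup homegroup address-pool homepool
"""

def _grep(lines, pattern):
    """Yield the regex match object for every config line that matches pattern."""
    return (m for m in map(re.compile(pattern).match, lines) if m)

def check_vpn_client_config(config):
    """Return a list of wiring problems; an empty list means every step's reference resolves."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    problems = []
    if "sysopt connection permit-ipsec" not in lines:                          # step 5
        problems.append("missing sysopt connection permit-ipsec")
    pools = {m[1]: (m[2], m[3]) for m in _grep(lines, r"ip local pool (\S+) (\S+)-(\S+)")}
    for m in _grep(lines, r"(?:vpngroup \S+|isakmp client configuration) address-pool (?:local )?(\S+)"):
        if m[1] not in pools:                                                    # steps 4, 8, 9
            problems.append(f"address-pool {m[1]} has no matching ip local pool")
    nat0 = [m[1] for m in _grep(lines, r"nat \(inside\) 0 access-list (\S+)")]
    for acl in nat0:                                                             # steps 1, 2
        # destination networks of every permit entry in the NAT 0 exemption list
        nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                for m in _grep(lines, rf"access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)")]
        for name, (lo, hi) in pools.items():
            # both ends of the pool range must fall inside some exempted destination network
            if not all(any(ipaddress.ip_address(a) in n for n in nets) for a in (lo, hi)):
                problems.append(f"nat 0 access-list {acl} does not exempt pool {name} ({lo}-{hi})")
    tsets = {m[1] for m in _grep(lines, r"crypto ipsec transform-set (\S+)")}
    dyn = {m[1]: m[2] for m in _grep(lines, r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")}
    for dname, tset in dyn.items():                                              # steps 6, 7
        if tset not in tsets:
            problems.append(f"dynamic-map {dname} uses unknown transform-set {tset}")
    for m in _grep(lines, r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):  # step 7
        if m[2] not in dyn:
            problems.append(f"crypto map {m[1]} references unknown dynamic-map {m[2]}")
    return problems
```

Run it against the output of `show run` on a box whose clients connect but cannot reach the LAN; a reported pool that the NAT 0 list does not exempt is the most common cause of that symptom.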

http://www.insyncva.com