Creating a VPN to PIX 501

Status: Not open for further replies.

bdock (Technical User, US), Jan 20, 2005
I need to create a VPN so that I can administer my web server that is sitting behind the PIX 501 from a remote site. Can anyone tell me how to go about doing this? My PIX is configured with an inside xxx.xxx.xxx.1 address, an outside yyy.yyy.yyy.187 address, and the server I need to administer uses xxx.xxx.xxx.50.

Thanks
 

!--- nonat exempts inside <-> VPN client traffic from NAT; split defines what
!--- the client tunnels. Use the inside NETWORK and its mask, not a host address.
access-list nonat permit ip <inside nw> <mask> 10.89.129.0 255.255.255.0
access-list split permit ip <inside nw> <mask> 10.89.129.0 255.255.255.0

!--- range to be assigned to the VPN Clients (the pool name must match the
!--- vpngroup address-pool line below).
ip local pool vpnpool 10.89.129.1-10.89.129.200

!--- PAT everything else out the outside interface; nat 0 skips NAT for nonat.
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

!--- let decrypted IPsec traffic bypass the interface access-lists.
sysopt connection permit-ipsec

!--- phase 2: transform set and dynamic crypto map for clients with unknown IPs.
!--- DES/MD5 is what was posted; both are weak by current standards.
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map mymap 90 ipsec-isakmp dynamic dynmap

!--- phase 1: ISAKMP policy the VPN clients negotiate.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- group settings pushed to the Cisco VPN Client (group name vpn3000).
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server x.x.x.x
vpngroup vpn3000 wins-server x.x.x.x
vpngroup vpn3000 split split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

!--- apply the crypto map last.
crypto map mymap interface outside
 
Dimpa1,

Thank you for your help with this. I did get some errors when entering some of this in, specifically:

access-list nonat permit ip <inside nw> <mask> 10.89.129.0 255.255.255.0
access-list split permit ip <inside nw> <mask> 10.89.129.0 255.255.255.0

I substituted the inside ip address of the pix device (192.168.1.1 255.255.255.0) where you had <inside nw> <mask> and was told that the source address is incorrect or something to that effect. Using what little knowledge I've gained in the past week or so of using this device--dangerous, I know :)--I changed the command to:

access-list nonat permit ip interface inside 10.89.129.0 255.255.255.0
access-list split permit ip interface inside 10.89.129.0 255.255.255.0

which seemed to work. I don't have a DNS or a wins server so I didn't use these 2 entries:

vpngroup vpn3000 dns-server x.x.x.x
vpngroup vpn3000 wins-server x.x.x.x

I got home and used the Cisco VPN Client v4.60 to connect to the outside address of the PIX (yyy.yyy.yyy.187) and it worked, but I was not able to map to or ping the web server's internal 192 address. Since the whole point of creating the VPN was to enable me to administer the server (192.168.1.50), can you tell me what I overlooked/messed up/...

Thanks
 
bdock :)
Take commands out in order:

no crypto map mymap interface outside
no nat (inside) 0 access-list nonat
no vpngroup vpn3000 split split-tunnel split
no access-list nonat permit ip interface inside 10.89.129.0 255.255.255.0
no access-list split permit ip interface inside 10.89.129.0 255.255.255.0

Add the correct access-lists and the lines below. Let's pretend your inside interface is 10.1.1.1 255.255.255.0; note: use the network (nw) in your access-list:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.89.129.0 255.255.255.0
access-list split permit ip 10.1.1.0 255.255.255.0 10.89.129.0 255.255.255.0

nat (inside) 0 access-list nonat
vpngroup vpn3000 split split-tunnel split
crypto map mymap interface outside


 
I will do it first thing tomorrow. I kept the default address of the router to simplify things until I got this working. Is it a problem that I kept the 192 address scheme, and trying to connect with a 10.x.x.x for the VPN? Not that I care much for GUIs, but I noticed that when I changed the 192.168.1.1 address I lost access to the GUI on the device, and wasn't sure if it caused other problems, so I just left it alone for now.
 
I'm not sure what you are trying to do with the default gw, since I don't know any of your IP address scheme. Did you change the inside host address to 192.168.1.1, or the VPN client? Use a vpnpool IP range that is not used anywhere else on your PIX or network. In the example I used 10.89.129.0/24.

Lets say:
inside 192.1.1.1
outside 200.1.1.1
vpnpool 10.89.129.0

All inside hosts will be 192.1.1.x and the gw on the PC will be 192.1.1.1, unless you have an inside router, then set the PC gw to the router. And in the router add:
ip route 10.89.129.0 255.255.255.0 <next hop, should be the pix inside address>

BTW, don't use PDM (GUI), it will give you more trouble.
 
The error you received for an invalid IP address was because you entered the PIX device's IP. The access list that you were entering was to enable both networks to communicate with each other, so when you VPN in you can access your network.

Computer/Network Technician
CCNA
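As an added example, not from the thread: a small Python lint for the three things the replies above say must line up in this PIX 501 configuration: the access-list addresses must be networks, not the PIX's interface address (the error bdock hit with 192.168.1.1), every pool and ACL name a vpngroup or nat 0 line references must actually be defined, and the client pool must not overlap the inside network. The config string is constructed to reproduce those mistakes.

```python
import ipaddress
import re

# Constructed sample (not the thread's lines verbatim): the ACL, pool, nat 0
# and vpngroup lines with the mistakes the thread works through, a host
# address used as the ACL source and names that never match up.
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.1.1 255.255.255.0 10.89.129.0 255.255.255.0
access-list spit permit ip 192.168.1.0 255.255.255.0 10.89.129.0 255.255.255.0
ip local pool vpbpool 10.89.129.1-10.89.129.200
nat (inside) 0 access-list nonat
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 split split-tunnel split
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

def lint_pix_vpn(config):
    """Return a list of problems found in a PIX remote-access VPN fragment."""
    problems, acls, pools, refs = [], {}, {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            for addr, mask in ((src, smask), (dst, dmask)):
                try:  # strict=True rejects host bits set under the mask,
                    ipaddress.ip_network(f"{addr}/{mask}")  # the PIX error seen
                except ValueError:
                    problems.append(f"{name}: {addr} {mask} is a host address, use the network")
            acls.setdefault(name, []).append(ipaddress.ip_network(f"{src}/{smask}", strict=False))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif line.startswith("vpngroup") and " address-pool " in line:
            refs.append(("pool", line.split()[-1]))
        elif line.startswith("vpngroup") and " split-tunnel " in line:
            refs.append(("acl", line.split()[-1]))
        elif line.startswith("nat (inside) 0 access-list "):
            refs.append(("acl", line.split()[-1]))
    # every name a vpngroup or nat 0 line points at must actually be defined
    for kind, name in refs:
        if name not in (pools if kind == "pool" else acls):
            problems.append(f"{kind} '{name}' is referenced but never defined")
    # the client pool must lie outside every inside network named in the ACLs
    for pname, (lo, hi) in pools.items():
        for aname, nets in acls.items():
            if any(lo in n or hi in n for n in nets):
                problems.append(f"pool {pname} overlaps inside network in {aname}")
    return problems
```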
 
Dimpa1/LloydSev,

I just wanted to thank you both for your help on this. Reading LloydSev's response I just used 192.168.1.0 instead of 192.168.1.1 in the access-list commands and that resolved the problem.

 