
Setting Up 3 VPN's From Scratch - PIX 506E

Status: Not open for further replies.

ITidiot (IS-IT--Management, GB), Aug 9, 2005
Hi All,

I need some help to setup 3 VPN connections.
I have a Cisco PIX 506E configured and working as a Firewall only. I need to setup the VPN connections.

What I am Replacing
My current VPN concentrator, which I am replacing with my PIX, uses a preshared key with 3DES/MD5.
My current VPN tunnels are between my VPN router and end at a Windows XP PC using a security policy to terminate the VPN.

What I Need
I would like to recreate these VPN's with the PIX but don't know how.
What do I need to do? Can you help with the config of the PIX?
And also I will need help with the config of the VPN client software.
I would like my teleworker at the end of the VPN tunnel to have full access to my LAN.

Current Network Details
- LAN Address: 89.0.0.0/24 255.255.255.0
- PIX Public IP/Outside(Ethernet 0): 76.100.66.66
- PIX Private IP/Inside(Ethernet 1): 89.0.0.254
- Static IP Address of my First Teleworkers PC 45.45.45.45.1
- Static IP Address of my Second Teleworkers PC 45.45.45.45.2
- Static IP Address of my Third Teleworkers PC 45.45.45.45.3

{Please note these are not actually my IP's - I'm paranoid about hackers} :)

So does anyone know how to do this?
 
You jumped threads on me. :)
The simplest way would be to use the Cisco VPN client on the remote PCs. You can also set it up for split tunneling--allows them to browse the Internet while connected to your VPN.
Do you want info on how to do this?

Roland

What's ADD again?
 

Hi, just to confirm: the VPN is between the PIX and an XP client.

 
Hi Rowland

Does this split tunneling mean the teleworker (end of VPN) can use their own internet connection to browse the internet but use the VPN to access company data?

If it does, that sounds like the trick! Do I need config at the user's end and also the PIX end???
 

Whoops, sorry, spelt your name wrong!!!!
 
The config is on the PIX. And yes, that's what split-tunneling means. All you do on their end is install the Cisco VPN client and plug in a few pieces of information.


To download the VPN client, you'll need a CCO login.

Here's a link to the client.


Get this version:
vpnclient-win-is-4.6.04.0043-k9.exe

I'll post the PIX config portion shortly.

Roland

What's ADD again?
 
These are the commands needed on the PIX to make the client VPN work, using the info you provided.
I've put the names--that you might want to change--in bold. Just remember to keep the consistency, because the names are called in other places sometimes.



access-list 101 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0

access-list split1 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap interface outside

isakmp enable outside
isakmp identity address
isakmp nat-traversal 15
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ip local pool VPNPool 89.0.1.1-89.0.1.25

vpngroup VPNGroupName address-pool VPNPool
vpngroup VPNGroupName dns-server DNS_ServerIP
vpngroup VPNGroupName default-domain your.domain.name
vpngroup VPNGroupName split-tunnel split1
vpngroup VPNGroupName idle-time 28800
vpngroup VPNGroupName max-time 28800
vpngroup VPNGroupName password YourSecretPassword
**Definitely change the VPNGroupName to something that suits you. It's part of the authentication process.

nat (inside) 0 access-list 101

****Make sure you watch for errors as you enter the commands and don't save the config until you know it's working...that way you can reload if you need to and be back at the beginning config.

Roland

What's ADD again?
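An added example, not part of Roland's post or any Cisco tool: a small checker for the PIX 6.x client-VPN snippet above. It resolves every name that one command references against the command that defines it (the "keep the consistency" advice), and flags the lines that still use 3DES/MD5 so the upgrade can be planned. The config text is a constructed copy of the posted lines, placeholders included.

```python
import re

# Constructed sample: the PIX 6.x lines from the post above, placeholders included.
SAMPLE_CONFIG = """
access-list 101 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0
access-list split1 permit ip 89.0.0.0 255.255.255.0 89.0.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
ip local pool VPNPool 89.0.1.1-89.0.1.25
vpngroup VPNGroupName address-pool VPNPool
vpngroup VPNGroupName split-tunnel split1
nat (inside) 0 access-list 101
"""

# (kind, regex): the capture group is the name this command DEFINES.
DEFINES = [("acl", r"access-list (\S+) "), ("tset", r"crypto ipsec transform-set (\S+) "),
           ("dynmap", r"crypto dynamic-map (\S+) \d+"), ("cmap", r"crypto map (\S+) \d+ ipsec-isakmp"),
           ("pool", r"ip local pool (\S+) ")]
# (kind, regex): the capture group is a name this command REFERENCES; it must be defined elsewhere.
REFERENCES = [("tset", r"set transform-set (\S+)"), ("dynmap", r"ipsec-isakmp dynamic (\S+)"),
              ("cmap", r"crypto map (\S+) interface "), ("pool", r"address-pool (\S+)"),
              ("acl", r"split-tunnel (\S+)"), ("acl", r"nat \(\S+\) 0 access-list (\S+)")]

def check_pix_vpn(config):
    """Return findings: 'undefined ...' for dangling names, 'legacy ...' for 3DES/MD5 lines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = {kind: set() for kind, _ in DEFINES}
    for l in lines:                       # first pass: collect every defined name by kind
        for kind, rx in DEFINES:
            if m := re.match(rx, l):
                defined[kind].add(m[1])
    findings = []
    for l in lines:                       # second pass: resolve references, flag legacy crypto
        for kind, rx in REFERENCES:
            if (m := re.search(rx, l)) and m[1] not in defined[kind]:
                findings.append(f"undefined {kind} '{m[1]}' referenced in: {l}")
        if re.search(r"\b(3des|md5)\b", l):
            findings.append(f"legacy algorithm (3DES/MD5), plan an upgrade: {l}")
    return findings

if __name__ == "__main__":
    for f in check_pix_vpn(SAMPLE_CONFIG):
        print(f)
```

Renaming the pool or ACL in only one place (the mistake the post warns about) produces an "undefined" finding naming the command that still uses the old name.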
 
On the PCs that will have the client.

Install the Cisco VPN Client.

After installing the VPN client, open it, then click on New; the Create New VPN Connection Entry box appears.

Name the Connection whatever you want.

You can put in a description...or not.

Select the Group Authentication radio button.

The host IP is the outside interface IP address of the PIX. The Group Name is the VPN Group Name you've used (case sensitive). The password is the corresponding VPN Group Password (also case sensitive). Once all the info is entered correctly, click on Save.

Then, when you double click the entry in the main VPN Client window it will connect.

You'll know it's connected when the window disappears and a little yellow padlock shows up in the lower right portion of the start bar.

Remember to have the users disconnect the VPN Client before logging off. Otherwise it can leave open sessions on the PIX.


What's ADD again?
 
Cheers Roland - I will try this tonight.

Apologies for not getting back to you sooner. Just got back from Greece ;) but it was for business :(

Will let you know how I get on!

 
Greece sounds fun. I've never been out of the USA.
Let me know how it goes.

What's ADD again?
 