PIX 501 VPN Wizard

Status
Not open for further replies.
Aug 11, 2004
Hi - this is my first attempt to set up a PIX 501 for VPN access and thus far I am failing miserably. I am able to authenticate to the PIX using Cisco's VPN client - however I am not able to access any devices on the internal network. As far as I can tell, the PIX DHCP pool is giving me an acceptable IP address, 192.168.1.50, but the default gateway is the same (.50). Surely this can't be right. I walked through the VPN wizard again (through the PDM) from scratch and get the same results. I also can't figure out where in the VPN config via the PDM the default gateway is set. Could anyone help?

Thanks in advance.
 
mbarrett-

This is a personal recommendation; I would learn to use the CLI before using PDM. The reason behind it is that PDM sometimes does some strange things to your configs that are hard to decipher. If you are setting up an IPSEC VPN, here is a template to follow via client.

172.16.0.0/16 network is protected traffic
192.168.10.0/24 network is your DHCP VPN Traffic

access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0

nat (vpn) 0 access-list nonat

ip local pool sei-1 192.168.10.10-192.168.10.100

crypto ipsec transform-set vpn0 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set vpn2 esp-des esp-md5-hmac
crypto dynamic-map dynmapsei 10 set transform-set vpn0 vpn2

crypto map vpn 10 ipsec-isakmp dynamic dynmapsei
crypto map vpn client configuration address initiate
crypto map vpn client configuration address respond
crypto map vpn interface <name_of_outside_interface>

isakmp enable <name_of_outside_interface>
isakmp client configuration address-pool local sei-1 internet
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption aes-256
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000

vpngroup <nameofgroup> address-pool sei-1
vpngroup <nameofgroup> dns-server 172.16.xxx.xxx
vpngroup <nameofgroup> wins-server 172.16.xxx.xxx
vpngroup <nameofgroup> default-domain domain.com
vpngroup <nameofgroup> split-tunnel 102
vpngroup <nameofgroup> split-dns domain.com
vpngroup <nameofgroup> idle-time 3600
vpngroup <nameofgroup> password ********

That should get you basic secure VPN Access...

Frank
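As an added illustration (not Frank's code or anything posted in the thread), here is a small Python linter that checks a PIX 6.x remote-access template for the problems this thread circles around: a pool that overlaps the inside network, pool traffic missing from the nat 0 exemption, vpngroup references to an undefined pool or split-tunnel ACL, and the DES/MD5 algorithms still present in the template. The sample config is constructed from the template above with its placeholders filled in; the `lint` function and its finding texts are assumptions of this example.

```python
import ipaddress

# Constructed sample: the thread's template with its placeholders filled in.
SAMPLE_CONFIG = """
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool sei-1 192.168.10.10-192.168.10.100
crypto ipsec transform-set vpn2 esp-des esp-md5-hmac
isakmp policy 20 encryption des
vpngroup remote address-pool sei-1
vpngroup remote split-tunnel 102
"""
# Legacy algorithms that appear in the template and should be retired.
WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}


def lint(config: str) -> list:
    """Return findings for a PIX 6.x remote-access IPsec configuration."""
    findings, acls, pools, nat0, refs = [], {}, {}, set(), []
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) >= 8 and tok[2] == "permit":
            src = ipaddress.ip_network((tok[4], tok[5]))
            dst = ipaddress.ip_network((tok[6], tok[7]))
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2:4] == ["0", "access-list"]:
            nat0.add(tok[4])  # identity NAT: traffic exempted from translation
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) >= 5:
            lo, hi = (ipaddress.ip_address(a) for a in tok[4].split("-"))
            pools[tok[3]] = (lo, hi)
        elif tok[0] == "vpngroup" and len(tok) >= 4 and tok[2] in ("address-pool", "split-tunnel"):
            refs.append((tok[1], tok[2], tok[3]))
        if WEAK & set(tok):
            findings.append(f"weak algorithm in: {raw.strip()}")
    # Dangling references are a typical leftover of wizard-generated configs.
    for group, kind, name in refs:
        if name not in (pools if kind == "address-pool" else acls):
            findings.append(f"vpngroup {group}: {kind} {name} is not defined")
    # Pool addresses must be NAT-exempt toward the inside, and the pool should be
    # a separate subnet from the protected networks, as the template does it.
    exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    for name, (lo, hi) in pools.items():
        if not any(lo in dst and hi in dst for _, dst in exempt):
            findings.append(f"pool {name}: not covered by a nat 0 access-list")
        if any(lo in src or hi in src for src, _ in exempt):
            findings.append(f"pool {name}: overlaps a protected inside network")
    return findings
```

Run against the template it reports only the two lines that still use DES or MD5; a pool carved out of the inside subnet (as in the question above) or a split-tunnel ACL that was never created shows up as a separate finding.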
 