
Pix 515 as Easy VPN -Server

Status
Not open for further replies.

bzwissler

IS-IT--Management
Jan 27, 2003
3
DE
Our PIX 515 works fine as a firewall. Now we want to use it as a VPN server. With the VPN Client 3.6 on a laptop running WinXP I got the VPN connection to our PIX working.
Now we want to connect 5 remote offices to our headquarters via ADSL.
For a test installation I got a Cisco 826 ADSL router. The connection to the internet works with this router.
I would like to use Easy VPN on the remote routers, but in the Cisco documentation I did not find the configuration for the 515 acting as Easy VPN server.
- Can the 515 act as EzVPN server?
- Are there any alternative solutions?

Thanks in advance
Bernd
 
Yes, the 515 can act as a head-end for EZVpn.

Here's the Cisco doc that (sort of) explains how:

...and here are the commands that we have on one of our PIXes:

sysopt connection permit-ipsec
crypto ipsec transform-set transset esp-3des esp-sha-hmac
crypto dynamic-map dcdynmap 5 set transform-set transset
crypto map dcoffices 10 ipsec-isakmp dynamic dcdynmap
crypto map dcoffices interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup office1 idle-time 86400
vpngroup office1 password ********
 
HI.

Configuring the main site PIX to act as Easy VPN server is the same as or similar to configuring it for remote access VPN (software VPN client on a single PC).
However, I haven't actually done it, so I'm not sure about the details.

I also don't know if the Cisco 826 router can act as Easy VPN client. Can it?

An alternate solution is a site to site VPN, something like this:

Bye
Yizhar Hurwitz
 
Thanks for the fast answers. I followed the proposal of tbissett and adapted my configuration (our company's name is weru):

PIX Version 6.2(2)
==================
ip local pool werupool 192.168.135.1-192.168.135.254
...
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.135.0 255.255.255.0
nat (inside) 0 access-list nonat
...
ip address outside 194.49.125.240 255.255.255.0
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set weru3des esp-3des esp-sha-hmac
crypto dynamic-map weru-dyn 5 set transform-set weru3des
crypto map werumap 10 ipsec-isakmp dynamic weru-dyn
crypto map werumap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup weruvpn address-pool werupool
vpngroup weruvpn default-domain weru.de
vpngroup weruvpn idle-time 1800
vpngroup weruvpn password kkkkkk

Cisco 826, IOS V12.2(13)T
=========================
!
ip dhcp pool CLIENT
import all
network 192.168.135.0 255.255.255.0
default-router 192.168.135.1
!
vpdn-group pppoe
request-dialin
protocol pppoe
ip mtu adjust
!
crypto ipsec client ezvpn rgbnl
group weruvpn key kkkkkk
mode client
peer 194.49.125.240
!
interface Ethernet0
ip address 192.168.135.1 255.255.255.0
no ip proxy-arp
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 1
!
crypto ipsec client ezvpn rgbnl
hold-queue 224 in
!
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxx
ppp ipcp dns request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run

The command: show crypto ipsec client ezvpn
gives the following output:
Current State: TUNNEL_INT_UP
Last Event: TUNNEL_INTERFACE_UP

I can reach the outside interface of our PIX from my router with a ping.
Please, what is wrong with my configuration?

Thanks in advance
Bernd
 
HI.

If the router is connecting as a client, then I think that you should add NAT overload configuration at the router to let internal users use the VPN tunnel.

There is also something called "network extension" mode in Easy VPN, which I think can also be a solution, but I didn't try using it, so I can't give you details on the implementation.

> I can reach the outside interface of our PIX from my router with a ping.
> Please, what is wrong with my configuration?
Please describe in more detail what is working, what is not, and what kind of tests you used.

Bye
Yizhar Hurwitz
 
Hi,
I got it working. I removed the line
"crypto ipsec client ezvpn rgbnl"
from interface ATM0 and put it under interface Dialer1. Now it works. Thanks

Bernd
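The PIX head-end and 826 client configs posted above, and the fix in the last post (moving the ezvpn binding from ATM0 to Dialer1), can be checked mechanically before a ticket is opened. The script below is an added example, not code from the thread or from Cisco. It assumes IOS's one-space indentation of interface and profile sub-commands (the posted config lost its indentation), works on constructed excerpts of the two configs with the group key replaced by a placeholder, and flags the two things that bit this thread: an ezvpn profile applied to an interface that carries no IP address, and a head-end whose NAT exemption, outside address or group key does not line up with the client.

```python
import ipaddress
import re

# Constructed excerpts of the configs posted in the thread, trimmed to the
# lines the checks read; the group key is replaced with a placeholder.
PIX_CONFIG = """\
ip local pool werupool 192.168.135.1-192.168.135.254
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.135.0 255.255.255.0
nat (inside) 0 access-list nonat
ip address outside 194.49.125.240 255.255.255.0
vpngroup weruvpn address-pool werupool
vpngroup weruvpn password GROUPKEY-PLACEHOLDER
"""

# As first posted: the ezvpn profile is applied under ATM0, which has no address.
IOS_BEFORE = """\
crypto ipsec client ezvpn rgbnl
 group weruvpn key GROUPKEY-PLACEHOLDER
 peer 194.49.125.240
!
interface ATM0
 no ip address
 pvc 1/32
  pppoe-client dial-pool-number 1
 crypto ipsec client ezvpn rgbnl
!
interface Dialer1
 ip address negotiated
!
"""

# The fix from the end of the thread: move the binding from ATM0 to Dialer1.
IOS_AFTER = IOS_BEFORE.replace(
    " crypto ipsec client ezvpn rgbnl\n!\ninterface Dialer1\n ip address negotiated\n",
    "!\ninterface Dialer1\n ip address negotiated\n crypto ipsec client ezvpn rgbnl\n")


def interface_blocks(config):
    """Map each 'interface X' to its indented sub-commands (stripped)."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif cur is not None and line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = None  # '!' or any global command ends the block
    return blocks


def ezvpn_profiles(config):
    """Map each global 'crypto ipsec client ezvpn X' to its group, key and peer."""
    profiles, cur = {}, None
    for line in config.splitlines():
        head = re.fullmatch(r"crypto ipsec client ezvpn (\S+)", line)
        if head:
            cur = profiles.setdefault(head.group(1), {})
            continue
        sub = re.fullmatch(r" (?:group (?P<group>\S+) key (?P<key>\S+)|peer (?P<peer>\S+))", line)
        if cur is not None and sub:
            cur.update({k: v for k, v in sub.groupdict().items() if v})
        elif not line.startswith(" "):
            cur = None
    return profiles


def lint_client(ios_config):
    """Router-side findings; an empty list means the client config passes."""
    findings, blocks = [], interface_blocks(ios_config)
    for profile in ezvpn_profiles(ios_config):
        bound = [i for i, cmds in blocks.items()
                 if f"crypto ipsec client ezvpn {profile}" in cmds]
        if not bound:
            findings.append(f"{profile}: defined but applied to no interface")
        for iface in bound:
            if "no ip address" in blocks[iface]:
                findings.append(f"{profile}: bound to {iface}, which has no IP address; "
                                "apply it to the interface that holds the PPPoE address")
    return findings


def lint_headend(pix_config, ios_config):
    """PIX-side findings plus cross-checks against the router's ezvpn profiles."""
    findings = []
    pool = re.search(r"^ip local pool (\S+) (\S+)-(\S+)$", pix_config, re.M)
    lo, hi = ipaddress.ip_address(pool.group(2)), ipaddress.ip_address(pool.group(3))
    # The pool must sit inside a destination of the nat 0 ACL, or the PIX
    # translates remote-office traffic instead of sending it down the tunnel.
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)$", pix_config, re.M)
    dests = re.findall(rf"^access-list {acl.group(1)} permit ip \S+ \S+ (\S+) (\S+)$",
                       pix_config, re.M) if acl else []
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in dests]
    if not any(lo in n and hi in n for n in nets):
        findings.append(f"pool {pool.group(1)} is not exempted from NAT via nat 0")
    outside = re.search(r"^ip address outside (\S+)", pix_config, re.M).group(1)
    keys = dict(re.findall(r"^vpngroup (\S+) password (\S+)$", pix_config, re.M))
    for name, prof in ezvpn_profiles(ios_config).items():
        if prof.get("peer") != outside:
            findings.append(f"{name}: peer {prof.get('peer')} is not the PIX outside address")
        if keys.get(prof.get("group")) != prof.get("key"):
            findings.append(f"{name}: group {prof.get('group')} or its key does not match the PIX")
    return findings
```

Running `lint_client(IOS_BEFORE)` reports the ATM0 binding; `lint_client(IOS_AFTER)` and `lint_headend(PIX_CONFIG, IOS_AFTER)` both return empty lists. The head-end check also catches two silent failure modes not hit in the thread: a pool left out of the `nat 0` access-list, and a `vpngroup` password that drifted from the router's `group ... key`.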
 