
Pix configuration for vpn client access?

Status
Not open for further replies.

freddotcom (Vendor), Sep 13, 2002
Hi
I've got a PIX 506 (6.1) that I'm going to use as the firewall / VPN box for a small company. I want the PIX to handle all VPN authentication itself, and we need to have five different VPN user accounts on the PIX (client to PIX, VPN Client 3.5).

Internal users should be able to access anything they want to on the internet, and VPN users should be able to access anything they want on the internal network.

If possible, it would be nice if the VPN clients could access the internet as well, but I guess that's only possible by split-tunnel or a proxy on the inside, and that's out of the question.

I've figured out how to configure the PIX so that all internal users can access the internet; the big problem is the configuration of the VPN. I can't find any good documentation that clears everything up. Should I go with vpdn or vpngroup or something else? I would be glad if someone could point me in the right direction or post a config for me. If any of this isn't possible, or you have any other suggestions, please tell me.

Thanks in advance

Kind Regards Fred
Sweden
 
Here is a template I use for the few VPNs I've done.
Make sure the VPN range is a range of IPs you do not presently use.
Hope it helps,
-gbiello

ip local pool vpnpool <startVPNrange>-<endVPNrange>
access-list 80 permit ip <lanIPrange> <lanIPsubnetmask> <vpnIPrange> <vpnIPsubnetmask>
nat (inside) 0 access-list 80
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto dynamic-map mydynmap 10 set transform-set myset
crypto map newmap 10 ipsec-isakmp dynamic mydynmap
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap interface outside
isakmp enable outside
isakmp key <passwordhere> address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup <usernamehere> address-pool vpnpool
vpngroup <usernamehere> wins-server <WINSserverIP>
vpngroup <usernamehere> default-domain marketonea.com
vpngroup <usernamehere> split-tunnel 80
vpngroup <usernamehere> idle-time 1800
vpngroup <usernamehere> password <passwordhere>
 
"If possible, it would be nice if the VPN clients could access the internet as well, but I guess that's only possible by split-tunnel or a proxy on the inside, and that's out of the question."

The users are coming *in* through the public internet. They already have access to it. The client will magically encrypt private traffic, and send generic traffic unencrypted. Very cool.

An excellent reference (but watch out for mistakes) for your PIX version is at:
 
Hi.

"I want the PIX to handle all VPN authentication itself"
If you're going to use IPsec you can use the group name and password as authentication, and not use XAUTH, which requires an external RADIUS server (in PIX version 6.2 I think you can have local auth for that, but not in version 6.1).
However, for 5 different user accounts you will need to create 5 different but similar "vpngroup" entries in that case.
If possible, try to upgrade pix OS version.

If you're going to use PPTP, the pix can use local authentication.

You can use the templates and documentation mentioned above, and also pixcript can help you get the job done:

Bye
Yizhar Hurwitz
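As an added example that is not part of the thread (it is neither gbiello's template nor Yizhar's words), the script below takes a PIX 6.x client-VPN snippet in the shape of the template posted above and checks the two things the replies call out: that the local pool is a range you do not already use on the LAN, and that the nat 0 and split-tunnel access-lists actually refer to that pool. It also renders the one-vpngroup-per-person stanzas Yizhar describes for a 6.1 box without local XAUTH. The LAN prefix, pool addresses, group names and passwords in it are assumed sample values, and it only understands the `permit ip NET MASK NET MASK` form of access-list line used in the template.

```python
import ipaddress
import re

# Assumed LAN of the example site (not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample: the posted template with hypothetical addresses filled in.
GOOD_CONFIG = """\
ip local pool vpnpool 192.168.100.1-192.168.100.10
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 80
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-sha-hmac
vpngroup sales address-pool vpnpool
vpngroup sales split-tunnel 80
"""

# Constructed bad variant: the pool is carved out of the LAN itself, the nat 0
# ACL names a different range, and the split-tunnel ACL does not exist.
BAD_CONFIG = """\
ip local pool vpnpool 192.168.1.200-192.168.1.210
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 80
vpngroup sales address-pool vpnpool
vpngroup sales split-tunnel 90
"""


def parse_pools(config):
    """{pool_name: (first_ip, last_ip)} from 'ip local pool NAME A-B' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def parse_acls(config):
    """{acl_id: [(src_net, dst_net), ...]} from 'access-list ID permit ip S SM D DM'.
    PIX ACLs take ordinary subnet masks (not wildcard masks), so each
    address/mask pair maps directly onto an ip_network."""
    acls = {}
    pat = r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)"
    for m in re.finditer(pat, config, re.M):
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def pool_overlaps_lan(first, last, lan):
    """True if the pool range [first, last] shares any address with the LAN."""
    return first <= lan.broadcast_address and last >= lan.network_address


def find_problems(config, lan):
    """Cross-check pool, nat 0 ACL and vpngroup references; return findings."""
    problems = []
    pools = parse_pools(config)
    acls = parse_acls(config)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    for name, (first, last) in pools.items():
        if pool_overlaps_lan(first, last, lan):
            problems.append(f"pool {name} overlaps LAN {lan}")
        if nat0 is None:
            problems.append("no 'nat (inside) 0 access-list' line: tunnel traffic would be NATed")
            continue
        entries = acls.get(nat0.group(1), [])
        # The exemption must cover LAN -> every address the pool can hand out.
        if not any(lan.subnet_of(src) and first in dst and last in dst
                   for src, dst in entries):
            problems.append(f"nat 0 ACL {nat0.group(1)} does not exempt LAN->pool {name}")
    for m in re.finditer(r"^vpngroup (\S+) address-pool (\S+)", config, re.M):
        if m.group(2) not in pools:
            problems.append(f"vpngroup {m.group(1)} uses undefined pool {m.group(2)}")
    for m in re.finditer(r"^vpngroup (\S+) split-tunnel (\S+)", config, re.M):
        if m.group(2) not in acls:
            problems.append(f"vpngroup {m.group(1)} split-tunnel ACL {m.group(2)} is undefined")
    return problems


def render_vpngroups(accounts, pool_name, wins, domain, split_acl=None, idle=1800):
    """One vpngroup block per (name, password). With no local XAUTH database on
    6.1, one group per person is how you get five separate 'accounts'. Leaving
    split_acl as None omits the split-tunnel line, so all client traffic
    goes through the tunnel (the original poster's full-tunnel case)."""
    lines = []
    for name, password in accounts:
        lines.append(f"vpngroup {name} address-pool {pool_name}")
        lines.append(f"vpngroup {name} wins-server {wins}")
        lines.append(f"vpngroup {name} default-domain {domain}")
        if split_acl is not None:
            lines.append(f"vpngroup {name} split-tunnel {split_acl}")
        lines.append(f"vpngroup {name} idle-time {idle}")
        lines.append(f"vpngroup {name} password {password}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, find_problems(cfg, LAN) or "ok")
    # Assumed account list; passwords are placeholders, not real credentials.
    users = [(f"user{i}", f"changeme{i}") for i in range(1, 6)]
    print(render_vpngroups(users, "vpnpool", "192.168.1.5", "example.com"))
```

Run it as-is to see the sample template pass and the broken variant fail with three findings; to check a real box, paste the relevant `show run` lines into `GOOD_CONFIG` and set `LAN` to the inside network.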
 