
Remote Access VPN

Status
Not open for further replies.

SoonTObe

MIS
Jun 10, 2006
11
US
Hello again guys. I just want to give my share of thanks for the helpful tips. I got my PIX 501 up and running and it seems to be working just fine to this point. However, I do need help on setting up remote access VPN. I found a copy of "Configuring Remote Access VPNs"; I was following the steps until I got to the tunnel-group command. It looks like my PIX with the 6.2(1) version does not have the tunnel-group command. I need to know which command to use instead. These are the steps I was following:

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
Thanks again...!
 
Tunnel-group is a way to group like IPSEC policies on the newer PIX 7.

This one is site-to-site, v6.x:

crypto ipsec transform-set site2sitexform esp-aes-256 esp-sha-hmac
crypto map VPNmap 20 ipsec-isakmp
crypto map VPNmap 20 match address vpntraffic (ACL for choosing protected traffic)
crypto map VPNmap 20 set peer XX.XX.XX.XX
crypto map VPNmap 20 set transform-set site2sitexform
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400


Try this (this one has the VPN client), v6.x:

crypto ipsec transform-set SET1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set SET1
crypto dynamic-map dynmap 60 set transform-set SET1
crypto map mymap10 50 ipsec-isakmp dynamic dynmap
crypto map mymap10 client authentication LOCAL
crypto map mymap10 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup groupit address-pool vpnpoolit
vpngroup groupit dns-server XX.XX.XX.XX
vpngroup groupit wins-server XX.XX.XX.XX
vpngroup groupit default-domain XXXXX.com
vpngroup groupit split-tunnel no_NAT
vpngroup groupit idle-time 1800
vpngroup groupit password ********


You have to set up a VPN pool of IP addresses and a local user database for the second one.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Are you saying 6.x only allows for site-to-site VPN and not remote access?
 
No, the PIX 6.x just doesn't have the tunnel-group. That is for the PIX 7.x.
I just posted some examples for the 6.x code. I separated them out as two different cases, site-to-site and remote-access users, in case you wanted either/or.


Brent
Systems Engineer / Consultant
CCNP, CCSP
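Brent's two replies make three points that are easy to check mechanically before pasting anything into a PIX: tunnel-group and its sub-mode lines only exist on 7.x, a 6.x remote-access (VPN client) setup needs an ip local pool and a local user database on top of the vpngroup lines, and the algorithm choices deserve a second look. The script below is an added example written for this thread, not code from either poster or from Cisco. It lints a pasted config snippet (prompts like `hostname(config)#` are stripped), flags 7.x-only commands with the 6.x command that covers the same job, lists which required 6.x pieces are absent, and flags weak algorithms. The mapping from address-pool / pre-shared-key to vpngroup address-pool / vpngroup password is assumed from Brent's vpngroup example; the required-line list and the weak-token list are the author's own choices, and the sample configs are constructed from the lines in this thread with placeholder values filled in.

```python
"""Lint a PIX configuration snippet for PIX 6.x remote-access VPN readiness.

Hypothetical helper written for this thread; it is not Cisco tooling and not
code from either poster. It encodes three points from the replies above:
  * tunnel-group (and its sub-mode lines) exists only on PIX 7.x; 6.x uses vpngroup
  * a 6.x remote-access setup also needs an ip local pool and a local user database
  * a few algorithm choices are weak enough to flag during review
"""
import re

# PIX 7.x-only commands from the original post, mapped to the 6.x command
# that covers the same job (assumed from Brent's vpngroup example).
SEVEN_X_ONLY = {
    "tunnel-group": "vpngroup <group> ...   (6.x keeps remote-access settings under vpngroup)",
    "address-pool": "vpngroup <group> address-pool <pool>",
    "pre-shared-key": "vpngroup <group> password <key>",
}

# Lines a 6.x VPN-client configuration with local user authentication needs.
# Each entry is a regex matched against one config line (prompt stripped).
REQUIRED_6X = {
    "ip local pool": r"^ip local pool \S+ \S+$",
    "local username": r"^username \S+ password \S+",
    "dynamic-map with transform-set": r"^crypto dynamic-map \S+ \d+ set transform-set \S+$",
    "crypto map bound to dynamic-map": r"^crypto map \S+ \d+ ipsec-isakmp dynamic \S+$",
    "client authentication LOCAL": r"^crypto map \S+ client authentication LOCAL$",
    "crypto map applied to outside": r"^crypto map \S+ interface outside$",
    "isakmp enabled on outside": r"^isakmp enable outside$",
    "vpngroup address-pool": r"^vpngroup \S+ address-pool \S+$",
    "vpngroup password": r"^vpngroup \S+ password \S+$",
}

# Minimal list of algorithm tokens a reviewer should not accept on a new tunnel.
WEAK_TOKENS = {"des", "md5", "esp-des", "esp-md5-hmac"}


def strip_prompt(line):
    """Drop a 'hostname(config...)# ' prefix so pasted CLI sessions lint like files."""
    return re.sub(r"^\S*\(config[^)]*\)#\s*", "", line.strip())


def weak_algorithms(line):
    """Return weak algorithm choices found on an isakmp policy or transform-set line."""
    if not (line.startswith("isakmp policy") or line.startswith("crypto ipsec transform")):
        return []
    hits = [tok for tok in line.split() if tok in WEAK_TOKENS]
    if re.search(r"\bgroup 1$", line):  # 768-bit Diffie-Hellman
        hits.append("group 1")
    return hits


def lint(config_text):
    """Classify each line and report what a 6.x remote-access config still lacks."""
    lines = [strip_prompt(raw) for raw in config_text.splitlines()]
    lines = [line for line in lines if line]
    report = {"seven_x_only": [], "missing": [], "weak": []}
    for line in lines:
        keyword = line.split()[0]
        if keyword in SEVEN_X_ONLY:
            report["seven_x_only"].append((line, SEVEN_X_ONLY[keyword]))
        for algo in weak_algorithms(line):
            report["weak"].append((line, algo))
    for name, pattern in REQUIRED_6X.items():
        if not any(re.match(pattern, line) for line in lines):
            report["missing"].append(name)
    return report


def ready_for_6x(report):
    """True when nothing 7.x-only remains and every required 6.x piece is present."""
    return not report["seven_x_only"] and not report["missing"]


# Constructed input: the original poster's 7.x-style session from this thread.
OP_CONFIG = """\
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
"""

if __name__ == "__main__":
    result = lint(OP_CONFIG)
    for line, hint in result["seven_x_only"]:
        print(f"7.x only : {line!r}  ->  {hint}")
    for name in result["missing"]:
        print(f"missing  : {name}")
    for line, algo in result["weak"]:
        print(f"weak     : {algo} in {line!r}")
    print("ready for 6.x:", ready_for_6x(result))
```

Run against the original poster's session it reports the five tunnel-group related lines as 7.x-only, the five 6.x lines still missing (the dynamic map and isakmp enable are already there), and esp-md5-hmac as a weak choice. Run against Brent's VPN-client example it reports nothing 7.x-only and only the ip local pool and username as missing, which is exactly the addition his reply asks for.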
 