setting up PIX515 for two networks

Status
Not open for further replies.

paccorobin (Technical User, NL), Aug 14, 2007
Hello,

We have a PIX515 and I want to set it up so it can serve client VPN connections for a network on the inside interface and also for a network on the dmz interface.

On a client machine we set up the ip address of the PIX in a VPN connection and the user can log on using credentials and domain. Now the PIX has to look up credentials using RADIUS, but some users are known on domain A (inside interface) and some users are known on domain B (dmz interface). Domain B is completely different and uses other internal ip addresses, dns servers, ip pool etc.

Already I have set up VPN for the inside interface and that was easy and it works ok.

But can I create such a configuration? We only have one DSL line and we want both networks (domain A 192.168.1.x and domain B 192.168.10.x) to go through this PIX.

Your help is more than appreciated!

Regards,

Frank
 
Hi Brent,

I read the article and came up with the following code. I will also publish the existing code (with more local servers and clients in it) in the next reply.

First I have some questions as the example differs from our situation. I must make sure the code is ok before I put it on the PIX. This is a live PIX and it will immediately take effect within our organisation.

1. Can I put vlan 2 on interface 1 (inside) and vlan 3 on interface 2 (dmz)? Can I maintain security 100 for vlan2 and vlan3?
2. I noticed there are static users (vpn2 and vpn1) for the connection. Is it possible to use radius for this? For vlan2 a radius server in network 192.168.1.0 and for vlan3 a radius server in network 192.168.10.0?
3. In the article PIX Version 7 is used. We have 6.3. Are all commands understood by 6.3?
4. In the article the Cisco client is used. Can we also set up a connection through Windows? In XP/Vista it is very easy to make a connection to the VPN right now. Also we use PPTP at the moment.

Your help is very much appreciated.

Kind regards,
Frank

This is the code:
PIX Version 6.3(3)
!
hostname PIXNRD
enable password ******** encrypted
!
interface ethernet0
nameif outside
security-level 0
ip address ***.***.***.162 255.255.255.240
auto
!
interface ethernet1
vlan 2
nameif vlan2
security-level 100
ip address 192.168.1.251 255.255.255.0
auto
!
interface ethernet2
vlan 3
nameif vlan3
security-level 100
ip address 192.168.10.251 255.255.255.0
auto
!
passwd ******** encrypted
ftp mode passive
!
names
name 192.168.1.3 KELLY
name 192.168.1.4 LAILA
name 192.168.4.5 EVA
name 192.168.1.8 DIGIDELIVERY
name 192.168.1.254 STRNRD
name 192.168.10.10 NINA
!
static (vlan2,outside) ***.***.***.164 LAILA netmask 255.255.255.255 0 0
static (vlan2,outside) ***.***.***.166 EVA netmask 255.255.255.255 0 0
static (vlan2,outside) ***.***.***.168 DIGIDELIVERY netmask 255.255.255.255 0 0
static (vlan3,outside) ***.***.***.170 NINA netmask 255.255.255.255 0 0
!
access-list outside_in permit tcp any host LAILA eq www
access-list outside_in permit tcp any host EVA eq www
access-list outside_in permit tcp any host LAILA eq smtp
access-list outside_in permit tcp any host EVA eq smtp
access-list outside_in permit tcp any host NINA eq www
access-list outside_in permit tcp any host NINA eq smtp
access-list outside_in permit tcp any host NINA eq 3389
access-list outside_in permit tcp any host DIGIDELIVERY eq ssh
access-list outside_in permit tcp any host DIGIDELIVERY eq domain
access-list outside_in permit udp any host DIGIDELIVERY eq domain
access-list outside_in permit tcp any host DIGIDELIVERY eq www
access-list outside_in permit tcp any host DIGIDELIVERY eq 123
access-list outside_in permit udp any host DIGIDELIVERY eq ntp
access-list outside_in permit tcp any host DIGIDELIVERY eq https
access-list vlan2_out permit ip host LAILA any
access-list vlan2_out permit ip host EVA any
access-list vlan2_out permit ip host KELLY any
access-list vlan2_out permit ip host DIGIDELIVERY any
access-list vlan3_out permit ip host NINA any
!
access-group outside_in in interface outside
access-group vlan2_out in interface vlan2
access-group vlan3_out in interface vlan3
!
!--- This access list is used for a nat zero command that prevents
!--- traffic from undergoing network address translation (NAT).
access-list no-nat-vpn1-group extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat-vpn2-group extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
!--- This access list is used for the split tunneling
!--- to be downloaded to the VPN Client to tell the interesting traffic to be encrypted.
access-list SPLIT-Tunnel-vpn1group standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-Tunnel-vpn2group standard permit 192.168.10.0 255.255.255.0
!
pager lines 24
logging console debugging
mtu outside 1500
mtu vlan2 1500
mtu vlan3 1500
!
!--- Create a pool of addresses from which IP addresses are assigned
!--- dynamically to the remote VPN Clients.
!--- The pool user1 IP address is assigned to the tunnel group (vpn1).
!--- The pool user2 IP address is assigned to the tunnel group (vpn2).
ip local pool user1 192.168.1.240-192.168.1.249 mask 255.255.255.0
ip local pool user2 192.168.10.240-192.168.10.249 mask 255.255.255.0
!
no failover
no asdm history enable
arp timeout 14400
!
!--- NAT 0 prevents NAT for the networks specified in the access list.
!--- The nat 1 command specifies port address translation (PAT)
!--- using the outside interface IP address for all other traffic.
global (outside) 1 interface
nat (vlan2) 0 access-list no-nat-vpn1-group
nat (vlan2) 1 0.0.0.0 0.0.0.0
nat (vlan2) 1 KELLY 255.255.255.255 0 0
nat (vlan3) 0 access-list no-nat-vpn2-group
nat (vlan3) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 ***.***.***.161 1
route vlan2 192.168.4.0 255.255.255.0 STRNRD 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
!
!--- Enter group-policy attributes mode for the group policy (vpn2).
group-policy vpn2 internal
group-policy vpn2 attributes
!--- The split tunnel policy tunnels all traffic from or to the specified networks.
split-tunnel-policy tunnelspecified
!--- Split tunnel in group-policy configuration mode identifies
!--- an access list (SPLIT-Tunnel-vpn2group) that enumerates the network to be
!--- tunneled from the VPN Client.
!--- After the IPsec tunnel formation, the access list (SPLIT-Tunnel-vpn2group) has to be
!--- downloaded to the VPN Client of vpn2 (tunnel group).
split-tunnel-network-list value SPLIT-Tunnel-vpn2group
group-policy vpn1 internal
group-policy vpn1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-Tunnel-vpn1group
!--- Configure usernames and passwords
!--- to identify remote access users to the PIX Security Appliance.
username vpn2 password ******** encrypted
username vpn1 password ******** encrypted
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- A single DES encryption with
!--- the md5 hash algorithm is used.
crypto ipsec transform-set my-set esp-des esp-md5-hmac
!--- Defines a dynamic crypto map with
!--- the specified encryption settings.
crypto dynamic-map dynmap 10 set transform-set my-set
!--- Enable Reverse Route Information (RRI), which allows the
!--- PIX Security Appliance to learn routing information for connected clients.
crypto dynamic-map dynmap 10 set reverse-route
!--- Binds the dynamic map to the IPsec/ISAKMP process.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.
crypto map mymap interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses ISAKMP policy 10.
!--- Policy 65535 is included in the configuration by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group vpn type ipsec-ra
!--- Sets the connection type to IPsec remote access (ipsec-ra).
tunnel-group vpn1 type ipsec-ra
!--- Configures an address pool for the tunnel group and enters the general-attributes mode.
!--- Associates the user1 pool to the tunnel group (vpn1) that uses the address pool.
tunnel-group vpn1 general-attributes
address-pool user1
!--- Specifies the set of attributes that the user inherits by default
!--- in tunnel-group general-attributes configuration mode.
!--- Tunnel groups identify the group policy for a specific connection.
default-group-policy vpn1
!--- Enter the ipsec-attributes mode to configure the authentication method
!--- by entering the preshared key.
!--- You need to use the same preshared key on both
!--- devices (PIX and VPN Client) for this remote access connection.
tunnel-group vpn1 ipsec-attributes
pre-shared-key *
tunnel-group vpn2 type ipsec-ra
tunnel-group vpn2 general-attributes
address-pool user2
default-group-policy vpn2
tunnel-group vpn2 ipsec-attributes
pre-shared-key *
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
!
pdm location KELLY 255.255.255.255 vlan2
pdm location LAILA 255.255.255.255 vlan2
pdm location EVA 255.255.255.255 vlan2
pdm location 192.168.4.0 255.255.255.0 vlan2
pdm location DIGIDELIVERY 255.255.255.255 vlan2
pdm location NINA 255.255.255.255 vlan3
pdm logging warnings 512
pdm history enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
!
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
 
This is the original code. I can reach the internet from server NINA, so both inside and dmz work. But there is only a PPTP VPN connection for the interface inside.

I appreciate any comments and/or remarks.

Regards,

Frank

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password ******** encrypted
passwd ******** encrypted
hostname PIXNRD
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name ***.***.***.163 h_AXIS
name ***.***.***.164 h_LAILA
name ***.***.***.165 h_LANA
name ***.***.***.166 h_EVA
name ***.***.***.167 h_NADIA
name ***.***.***.168 h_DIGIDELIVERY
name ***.***.***.170 h_NINA
name 192.168.1.3 KELLY
name 192.168.1.4 LAILA
name 192.168.1.9 BELLE
name 192.168.1.252 LARA
name 192.168.1.254 STRNRD
name 192.168.4.5 EVA
name 192.168.4.100 PDINSTALL
name 192.168.1.10 SABINE
name 192.168.1.1 AXIS
name 192.168.1.69 AS
name 192.168.1.8 DIGIDELIVERY
name 192.168.1.7 ILSE
name 192.168.1.2 NADIA
name 192.168.1.5 LUNA
name 192.168.1.253 SOPHIE
name 192.168.1.236 LILLIE
name 192.168.1.32 BUMA
name 192.168.1.129 FM2
name 192.168.1.6 LANA
name 192.168.4.36 FW
name 192.168.1.43 WOES
name 192.168.1.33 PAUL
name 192.168.1.65 SOBFINANCE
name 192.168.1.98 BOURBON
name 192.168.1.45 HENDRIKS
name 192.168.1.23 TENMAC1
name 192.168.1.22 VTCMAC1
name 192.168.1.49 SOBMAC2
name 192.168.1.15 TENMAC2
name 192.168.1.52 JOHN
name 192.168.1.101 SOBMAC3
name 192.168.1.54 OSKAR
name 192.168.4.28 FMH
name 192.168.1.97 FRITS
name 192.168.1.13 UNITED
name 192.168.1.59 RAOUL
name 192.168.1.184 BPMWINXP0004
name 192.168.1.75 WKOPPERS
name 192.168.1.60 SOBMAC4
name 192.168.1.105 SOBMAC1
name 192.168.1.35 thdm
name 192.168.1.34 VTCMAC2
name 192.168.1.223 TEST
name 192.168.10.10 NINA
name 192.168.1.90 TEMP1
access-list outside_in permit tcp any host h_AXIS eq www
access-list outside_in permit tcp any host h_LAILA eq www
access-list outside_in permit tcp any host h_LANA eq www
access-list outside_in permit tcp any host h_EVA eq www
access-list outside_in permit tcp any host h_LAILA eq smtp
access-list outside_in permit tcp any host h_LANA eq smtp
access-list outside_in permit tcp any host h_EVA eq smtp
access-list outside_in permit tcp any host h_NADIA eq ftp
access-list outside_in permit tcp any host h_NADIA eq www
access-list outside_in permit tcp any host h_NADIA eq ftp-data
access-list outside_in permit tcp any host h_NINA eq www
access-list outside_in permit tcp any host h_NINA eq smtp
access-list outside_in permit tcp any host h_NINA eq 3389
access-list outside_in permit tcp any host h_DIGIDELIVERY eq ssh
access-list outside_in permit tcp any host h_DIGIDELIVERY eq domain
access-list outside_in permit udp any host h_DIGIDELIVERY eq domain
access-list outside_in permit tcp any host h_DIGIDELIVERY eq www
access-list outside_in permit tcp any host h_DIGIDELIVERY eq 123
access-list outside_in permit udp any host h_DIGIDELIVERY eq ntp
access-list outside_in permit tcp any host h_DIGIDELIVERY eq https
access-list inside_out permit ip host LAILA any
access-list inside_out permit ip host LANA any
access-list inside_out permit ip host LUNA any
access-list inside_out permit ip host ILSE any
access-list inside_out permit ip host BELLE any
access-list inside_out permit ip host LARA any
access-list inside_out permit ip host EVA any
access-list inside_out permit ip host SABINE any
access-list inside_out permit ip host BUMA any
access-list inside_out permit ip host UNITED any
access-list inside_out permit ip host WKOPPERS any
access-list inside_out permit ip host FM2 any
access-list inside_out permit ip host FW any
access-list inside_out permit ip host FMH any
access-list inside_out permit ip host AS any
access-list inside_out permit ip host BPMWINXP0004 any
access-list inside_out permit ip host SOBMAC1 any
access-list inside_out permit ip host SOBMAC2 any
access-list inside_out permit ip host SOBMAC3 any
access-list inside_out permit ip host SOBMAC4 any
access-list inside_out permit ip host SOBFINANCE any
access-list inside_out permit ip host TEST any
access-list inside_out permit ip host KELLY any
access-list inside_out permit ip host NADIA any
access-list inside_out permit ip host PDINSTALL any
access-list inside_out permit ip host VTCMAC1 any
access-list inside_out permit ip host VTCMAC2 any
access-list inside_out permit ip host TENMAC1 any
access-list inside_out permit ip host TENMAC2 any
access-list inside_out permit ip host thdm any
access-list inside_out permit ip host WOES any
access-list inside_out permit ip host TEMP1 any
access-list inside_out permit ip host PAUL any
access-list inside_out permit ip host BOURBON any
access-list inside_out permit ip host HENDRIKS any
access-list inside_out permit ip host JOHN any
access-list inside_out permit ip host FRITS any
access-list inside_out permit ip host OSKAR any
access-list inside_out permit ip host LILLIE any
access-list inside_out permit ip host SOPHIE any
access-list inside_out permit ip host DIGIDELIVERY any
access-list inside_out permit ip host RAOUL any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.240
access-list dmz_access_in permit ip host NINA any
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ***.***.***.162 255.255.255.240
ip address inside 192.168.1.251 255.255.255.0
ip address dmz 192.168.10.251 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.1.242-192.168.1.249
pdm location KELLY 255.255.255.255 inside
pdm location LAILA 255.255.255.255 inside
pdm location LUNA 255.255.255.255 inside
pdm location BELLE 255.255.255.255 inside
pdm location LARA 255.255.255.255 inside
pdm location EVA 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.1.240 255.255.255.240 outside
pdm location NADIA 255.255.255.255 inside
pdm location PDINSTALL 255.255.255.255 inside
pdm location SABINE 255.255.255.255 inside
pdm location AXIS 255.255.255.255 inside
pdm location AS 255.255.255.255 inside
pdm location DIGIDELIVERY 255.255.255.255 inside
pdm location ILSE 255.255.255.255 inside
pdm location SOPHIE 255.255.255.255 inside
pdm location SOBMAC2 255.255.255.255 inside
pdm location LILLIE 255.255.255.255 inside
pdm location VTCMAC1 255.255.255.255 inside
pdm location BUMA 255.255.255.255 inside
pdm location FM2 255.255.255.255 inside
pdm location LANA 255.255.255.255 inside
pdm location FW 255.255.255.255 inside
pdm location WOES 255.255.255.255 inside
pdm location TENMAC1 255.255.255.255 inside
pdm location PAUL 255.255.255.255 inside
pdm location SOBFINANCE 255.255.255.255 inside
pdm location BOURBON 255.255.255.255 inside
pdm location HENDRIKS 255.255.255.255 inside
pdm location TENMAC2 255.255.255.255 inside
pdm location JOHN 255.255.255.255 inside
pdm location SOBMAC3 255.255.255.255 inside
pdm location OSKAR 255.255.255.255 inside
pdm location FMH 255.255.255.255 inside
pdm location FRITS 255.255.255.255 inside
pdm location UNITED 255.255.255.255 inside
pdm location RAOUL 255.255.255.255 inside
pdm location BPMWINXP0004 255.255.255.255 inside
pdm location WKOPPERS 255.255.255.255 inside
pdm location SOBMAC4 255.255.255.255 inside
pdm location SOBMAC1 255.255.255.255 inside
pdm location thdm 255.255.255.255 inside
pdm location VTCMAC2 255.255.255.255 inside
pdm location TEST 255.255.255.255 inside
pdm location NINA 255.255.255.255 dmz
pdm location TEMP1 255.255.255.255 inside
pdm logging warnings 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 KELLY 255.255.255.255 0 0
nat (inside) 1 LAILA 255.255.255.255 dns 0 0
nat (inside) 1 LUNA 255.255.255.255 0 0
nat (inside) 1 LANA 255.255.255.255 0 0
nat (inside) 1 ILSE 255.255.255.255 0 0
nat (inside) 1 BELLE 255.255.255.255 0 0
nat (inside) 1 SABINE 255.255.255.255 0 0
nat (inside) 1 UNITED 255.255.255.255 0 0
nat (inside) 1 TENMAC2 255.255.255.255 0 0
nat (inside) 1 VTCMAC1 255.255.255.255 0 0
nat (inside) 1 TENMAC1 255.255.255.255 0 0
nat (inside) 1 BUMA 255.255.255.255 0 0
nat (inside) 1 PAUL 255.255.255.255 0 0
nat (inside) 1 VTCMAC2 255.255.255.255 0 0
nat (inside) 1 thdm 255.255.255.255 0 0
nat (inside) 1 WOES 255.255.255.255 0 0
nat (inside) 1 HENDRIKS 255.255.255.255 0 0
nat (inside) 1 SOBMAC2 255.255.255.255 0 0
nat (inside) 1 JOHN 255.255.255.255 0 0
nat (inside) 1 OSKAR 255.255.255.255 0 0
nat (inside) 1 RAOUL 255.255.255.255 0 0
nat (inside) 1 SOBMAC4 255.255.255.255 0 0
nat (inside) 1 SOBFINANCE 255.255.255.255 0 0
nat (inside) 1 AS 255.255.255.255 0 0
nat (inside) 1 WKOPPERS 255.255.255.255 0 0
nat (inside) 1 TEMP1 255.255.255.255 0 0
nat (inside) 1 FRITS 255.255.255.255 0 0
nat (inside) 1 BOURBON 255.255.255.255 0 0
nat (inside) 1 SOBMAC3 255.255.255.255 0 0
nat (inside) 1 SOBMAC1 255.255.255.255 0 0
nat (inside) 1 FM2 255.255.255.255 0 0
nat (inside) 1 BPMWINXP0004 255.255.255.255 0 0
nat (inside) 1 TEST 255.255.255.255 0 0
nat (inside) 1 LILLIE 255.255.255.255 0 0
nat (inside) 1 LARA 255.255.255.255 0 0
nat (inside) 1 SOPHIE 255.255.255.255 0 0
nat (inside) 1 FMH 255.255.255.255 0 0
nat (inside) 1 FW 255.255.255.255 0 0
nat (inside) 1 PDINSTALL 255.255.255.255 0 0
static (inside,outside) h_EVA EVA netmask 255.255.255.255 0 0
static (inside,outside) h_LAILA LAILA netmask 255.255.255.255 0 0
static (inside,outside) h_NADIA NADIA netmask 255.255.255.255 0 0
static (inside,outside) h_AXIS AXIS netmask 255.255.255.255 0 0
static (inside,outside) h_DIGIDELIVERY DIGIDELIVERY netmask 255.255.255.255 0 0
static (inside,outside) h_LANA LANA netmask 255.255.255.255 0 0
static (dmz,outside) h_NINA NINA netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 ***.***.***.161 1
route inside 192.168.4.0 255.255.255.0 STRNRD 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host LUNA ****** timeout 10
aaa-server LOCAL protocol local
ntp authenticate
ntp server KELLY source inside prefer
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPN
vpdn group PPTP-VPDN-GROUP client configuration dns LUNA EVA
vpdn group PPTP-VPDN-GROUP client configuration wins LUNA EVA
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
terminal width 80
: end
 
If you aren't really comfortable with the PIX I highly recommend a consultant for this. You are making quite a few config changes. I know this won't work the first time without lots of troubleshooting. Some basic answers -

1. Yes, the VLANs can have security set. If you are using separate interfaces, there is no need for the VLAN info though unless you have multiple VLANs off one interface.
2. Yes and no (or probably not). You will need to combine aspects of these two examples.
But I don't think you can have the crypto map authenticate against two different RADIUS servers.
3. No, 6.3 is drastically different than 7.x. Some settings are the same, others are not. Deeper knowledge/experience is needed to know what is what (hence the consultant bit above) so it is a learning process and not something that you can just do overnight without working on it a bit.
4. I don't use or recommend PPTP. IPSEC is more secure, more powerful and easier to administer on a PIX than PPTP. I am pretty sure it can be done, but I don't have the experience to do it on the fly.

I know this probably isn't as helpful as you wanted, but you are undertaking a pretty big set of tasks there and the change window seems rather short.

Brent
Systems Engineer / Consultant
CCNP, CCSP
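As an added example (not from this thread, and not Frank's or Brent's configuration), this is how the two-group remote-access part of the 7.x-style draft above would be written in PIX 6.3 syntax, which uses vpngroup and crypto map client authentication instead of the tunnel-group and group-policy commands. It keeps the inside/dmz interface names, the ESP-3DES-MD5 transform set and the pool ranges from Frank's running config; the RADIUS server addresses and keys, the DNS servers, the domain names and the group pre-shared keys are placeholders. It also shows the point behind Brent's answer 2: XAUTH is bound to the crypto map, so both groups end up authenticating against the same aaa-server tag, and a second host under that tag is a fallback server, not a per-group choice.

```cisco
! Added example in PIX 6.3 syntax (not the thread's own config).
! Addresses written as 192.168.x.X, keys and passwords are placeholders.

! Exempt traffic to each client pool from NAT (6.3 access-lists have no "extended" keyword).
access-list inside_nat0 permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
access-list dmz_nat0 permit ip 192.168.10.0 255.255.255.0 192.168.10.240 255.255.255.240
nat (inside) 0 access-list inside_nat0
nat (dmz) 0 access-list dmz_nat0

! Split-tunnel lists: only these networks are sent through the tunnel by the client.
access-list split_vpn1 permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
access-list split_vpn2 permit ip 192.168.10.0 255.255.255.0 192.168.10.240 255.255.255.240

! One address pool per group (6.3 "ip local pool" takes no "mask" keyword).
ip local pool user1 192.168.1.240-192.168.1.249
ip local pool user2 192.168.10.240-192.168.10.249

! One RADIUS tag. Hosts may live on different interfaces, but the PIX works
! through them as a fallback list; it cannot pick a server per vpngroup.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.X RADIUS-KEY-PLACEHOLDER timeout 10
aaa-server RADIUS (dmz) host 192.168.10.X RADIUS-KEY-PLACEHOLDER timeout 10

! Phase 2 transform set and the single dynamic crypto map that serves both groups.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address respond
! XAUTH for every client that lands on this map goes to the RADIUS tag above.
crypto map mymap client authentication RADIUS
crypto map mymap interface outside

! Phase 1: group pre-shared key, 3DES instead of the draft's single DES.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Group A (inside network, domain A): pool, DNS, split tunnel, group key.
vpngroup vpn1 address-pool user1
vpngroup vpn1 dns-server 192.168.1.X
vpngroup vpn1 default-domain domain-a.example
vpngroup vpn1 split-tunnel split_vpn1
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password GROUP1-KEY-PLACEHOLDER

! Group B (dmz network, domain B).
vpngroup vpn2 address-pool user2
vpngroup vpn2 dns-server 192.168.10.X
vpngroup vpn2 default-domain domain-b.example
vpngroup vpn2 split-tunnel split_vpn2
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password GROUP2-KEY-PLACEHOLDER
```

The group name the client sends (vpn1 or vpn2) selects the pool, DNS and split-tunnel list, which is what makes one DSL line serve both networks; the user credential is then checked by whichever server the shared RADIUS tag reaches first. If each domain must be validated only by its own RADIUS server, that selection has to happen on the RADIUS side (one server proxying to the other by realm or username suffix), since the 6.3 crypto map offers no per-group authentication tag.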
 