Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN setup using one PIX 515 firewall

Status
Not open for further replies.
dahowkins

dahowkins

Programmer
Apr 19, 2002
1
0
0
GB
After searching the web I found this article


Basically I want to vpn into our company network

Our current config is :-

sh ver

Cisco Secure PIX Firewall Version 5.3(3)

Compiled on Wed 09-Jan-02 22:56 by morlee

BAFW01 up 9 days 2 hours

Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is ffff.ffff.ffff, irq 10
1: ethernet1: address is ffff.ffff.ffff, irq 9

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Throughput: Unlimited
ISAKMP peers: Unlimited

Serial Number:
Activation Key:

wr term

PIX Version 5.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <nottellingyou> encrypted
passwd <nottellingyou> encrypted
hostname BAFW01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip any ip.ip.ip.ip 255.255.255.0
access-list 100 permit ip any host ip.ip.ip.ip
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside ip.ip.ip.ip 255.255.255.0
ip address inside ip.ip.ip.ip 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 ip.ip.ip.ip-ip.ip.ip.ip
global (outside) 1 ip.ip.ip.ip
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ip.ip.ip.ip ip.ip.ip.ip netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 ip.ip.ip.ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet ip.ip.ip.ip 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80


I have guessed that I have to upgarde to v6.11

Basics are :-

(Internet) <-> Router <-> Firewall <-> Network

users internet access out using pat using firewall as g/w
users connect into lotus notes server (static mapping)

I have VPN 3.1 client

What changes do I need to make to config to allow we to vpn-dial in

Regards

David
 
Sort by date Sort by votes
HI.

***
> access-list 100 permit ip any ip.ip.ip.ip 255.255.255.0
> access-list 100 permit ip any host ip.ip.ip.ip
I think that you first need to change this, or did I miss something?

***
About the VPN, the best way is to upgrade to the latest pix OS, and then you have the VPN wizard in PDM that will guide and help you with the configuarion.

You should also issue the command:

show version

And check if DES and 3DES are enabled.
You can get DES activation key (if needed) for free from your dealer, but 3DES will cost you some.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Definately upgrade to 6.2
But I recomment leadning the command line first.
Here is the VPN Config fill in the blanks
And download the latest vpn client form cisco website..

access-list VPN permit ip x.x.x.x 255.255.0.0 172.x.x.x 255.255.255.0

ip local pool agpool 172.x.x.0-172.x.x.x

nat (inside) 0 access-list VPN

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup vpn address-pool agpool

vpngroup vpn dns-server x.x.x.x

vpngroup vpn wins-server x.x.x.x

vpngroup vpn default-domain xxxx.com

vpngroup vpn idle-time 1800

vpngroup vpn password xxxxxx

vpngroup vpn split-tunnel VPN

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
145
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
150
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
71
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
174
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
53
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top