Question

Setup VPN Tunnel on Cisco PIX 506e

Asked by: DLockwood

I need to setup a new VPN tunnel on a Cisco PIX 506e and have very limited experience with Cisco and Cisco language.

If you give me the exact lines I need to enter I can do it but I do not know what configuration items need to be entered. Here is what I know....

Will be connecting to a Cisco ASA 5520 at the other end.
Settings needed, provided by the State....
Exchange Mode, Main
Authentication Method  Pre-Shared Secret, Pre-Shared Secret provided via phone
Encryption Method, 3DES-168, AES-128, AES-192 or AES-256  (AES-256 Preferred)
Data Integrity, SHA1
Diffie-Hellman Group, Group 5  -  preferred
Phase 1 Timeout, 14,400 seconds (4 hours)

IPSEC PHASE 2,
Security Protocol, ESP
Encapsulation Mode, Tunnel
Encryption Method, 3DES-168, AES-128, AES-192 or AES-256   (AES-256 Preferred)
Data Integrity, SHA1
Phase 2 Timeout, 3600 seconds
Compression Method, None
Perfect Forward Secrecy, None (DH Group 2 or 5)

ACCESS CONTROL,
Hosts at Remote Site, 192.xxx.xxx.xxx
Hosts at State Site
    XXXWEB         168.xxx.xxx.xxx    ports 80 and 443
    XXXWEBAPP      168.xxx.xxx.xxx    ports 80 and 443
    xxx.xxx.gov    168.xxx.xxx.xxx    ports 80 and 443
Protocols Permitted (Inbound/Outbound),


Asked On
2009-10-23 at 07:35:22 (ID 24838058)

Tags
Cisco PIX 506e

Topics
Cisco PIX Firewall, Virtual Private Networking (VPN)

Participating Experts
2
Points
500
Comments
14


Answers

 

by: bignewf, posted on 2009-10-23 at 07:45:43 (ID: 25644901)

I am enclosing two articles from Cisco. One is for PIX 7.x or later, the other for 6.x.
Just look at the config statements and substitute your data. If you can't bring up the tunnel, please post your config and enable debug crypto isakmp 127 and debug crypto ipsec 127, and I will help you.

It's not that I'm too lazy to type this, but the article will explain each step. You will understand what you are doing instead of just typing in configs.

 

by: bignewf, posted on 2009-10-23 at 07:46:51 (ID: 25644912)

Here are the configs:

 

by: bignewf, posted on 2009-10-23 at 07:47:41 (ID: 25644921)

Here is the doc for PIX 7.x and ASA:

 

by: bignewf, posted on 2009-10-23 at 07:51:28 (ID: 25644943)

Hint on doing this:

Make sure the access-lists are identical in syntax, i.e. numerical IP addresses/subnets on each peer, instead of a network object on one peer and a numerical IP on the other. This can cause lots of tunnel failures.
Make sure your transform sets match, i.e. 3DES-168.
Also, for starters, use 3DES-168 unless you are sure you have a license for AES-256.
This will also cause tunnel failures (this will save you some time).

 

by: DLockwood, posted on 2009-10-23 at 08:05:28 (ID: 25645097)

Most of what you said is like Chinese to me. I imagine that the documents will be pretty foreign as well, but I will look.
2 questions...
How do I determine which version I am running?
They specifically asked me to use AES-256. How can I determine if I have a license for this?

 

by: DLockwood, posted on 2009-10-23 at 08:07:06 (ID: 25645114)

OK - I looked at the current config file and it shows version 6.3

Is that a problem? Do I need to upgrade?

 

by: DLockwood, posted on 2009-10-23 at 08:08:21 (ID: 25645129)

There are also 4 other tunnels currently configured on the PIX (they were set up by a Cisco consultant).

How can I be sure that I am not going to mess everything up?

Should I post the config file so you can show me the exact entries I need?

 

by: learn2earn, posted on 2009-10-23 at 08:16:33 (ID: 25645226)

!--- Phase 1 (ISAKMP): matches the State's phase 1 settings
!--- (use a policy number that is not already in your config)

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14400

!--- replace my123key with the pre-shared secret given over the phone
isakmp key my123key address (5520 outside IP address) netmask 255.255.255.255
isakmp identity address

!--- Phase 2 (IPsec)
!--- PIX 6.3 access-list syntax has no "extended" keyword (that is 7.x/ASA syntax);
!--- source is your inside network, destination the network of the State's hosts

access-list inside_nat0_outbound permit ip (506e inside network) 255.255.255.0 192.xxx.xxx.xxx 255.255.255.0
access-list outside_1_cryptomap permit ip (506e inside network) 255.255.255.0 192.xxx.xxx.xxx 255.255.255.0

!--- transform set for the State's phase 2: ESP, AES-256, SHA1; PFS is none, so no "set pfs"
crypto ipsec transform-set myVPNset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer (5520 outside IP address)
crypto map outside_map 10 set transform-set myVPNset
!--- phase 2 timeout of 3600 seconds as required by the State
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside

nat (inside) 0 access-list inside_nat0_outbound

sysopt connection permit-ipsec

 

by: learn2earn, posted on 2009-10-23 at 08:19:53 (ID: 25645267)

This is just an example. You will need to edit it with your info.

isakmp key (call4key) address (5520 outside IP address) netmask 255.255.255.255 <-- call for the key

Paste your config, but edit out what you do not want us to see.

 

by: DLockwood, posted on 2009-10-23 at 08:48:25 (ID: 25645566)

I have attached my current config file.

Thanks for the help.

 

by: bignewf, posted on 2009-10-23 at 11:31:00 (ID: 25647031)

learn2earn has the basic config, which is the same as I posted for you in the Word doc (for PIX 6.x). I would still read the doc, since you have an existing production config, so you understand what you are doing instead of just copying and pasting. This is a good time to get your feet wet.

Knowledge is power.

At a command prompt:

pix#sh ver

This will give license info.
You should see something like this:  VPN-3DES-AES   Enabled   if you have the AES encryption license.

From your config:
esp-3des esp-md5-hmac   This transform set is already being used. Again, if you require AES, the above command will show if it is enabled in your license.

: . )  cheers


 

by: learn2earn, posted on 2009-10-23 at 12:05:22 (ID: 25647331)

This is a good time to get your feet wet and understand what is going on.

I have been in your shoes plenty of times...

In your config "isakmp policy 10" is already being used, so you would need to create a new one.

isakmp policy 12 authentication pre-share
isakmp policy 12 encryption aes-256
isakmp policy 12 hash sha
isakmp policy 12 group 5
isakmp policy 12 lifetime 14400

crypto ipsec transform-set myVPNset esp-aes-256 esp-sha-hmac


 

by: learn2earn, posted on 2009-10-23 at 12:16:34 (ID: 25647432)

You already have a nonat statement, so this is what your ACL would look like:

!--- PIX 6.3 access-list syntax (no "extended" keyword)
access-list nonat permit ip (506e inside network) 255.255.255.0 192.xxx.xxx.xxx 255.255.255.0

Do not use "access-list inside_nat0_outbound extended permit ip" as I added in my first post.
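
As an added example (not code from this thread, and not a Cisco tool): the two points the answers above keep returning to are that the phase 1 / phase 2 parameters must match the peer's exactly, and that the crypto access-lists on the two peers must be mirror images of each other. The Python script below parses a PIX 6.3 style fragment (only the isakmp policy, transform-set, crypto map and crypto access-list lines) and reports every mismatch against the parameters the State published in the question, plus whether the local crypto ACL mirrors the peer's. The addresses (RFC 5737 documentation ranges), the ACL and transform-set names, the peer's ACL and both sample fragments are constructed for the example; it checks consistency offline and says nothing about whether the PIX has the AES license, which still needs "sh ver".

```python
"""Check a PIX 6.3 site-to-site IPsec fragment against the peer's parameters.
Added example (not from the thread or from Cisco); all sample data is constructed."""
import re

# Phase 1 / phase 2 parameters the State published in the question (no PFS).
REQUIRED_PHASE1 = {"authentication": "pre-share", "encryption": "aes-256",
                   "hash": "sha", "group": "5", "lifetime": "14400"}
REQUIRED_PHASE2 = {"transform": ("esp-aes-256", "esp-sha-hmac"), "lifetime": "3600"}
FIELDS = {("match", "address"): "acl", ("set", "peer"): "peer",      # crypto map
          ("set", "transform-set"): "transform", ("set", "pfs"): "pfs",  # sub-commands
          ("set", "security-association", "lifetime", "seconds"): "lifetime"}


def parse_pix(config):
    """Collect isakmp policies, transform-sets, crypto map entries and crypto ACLs."""
    policies, transforms, entries, acls = {}, {}, {}, {}
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):    # blank or comment
            continue
        if m := re.match(r"isakmp policy (\d+) (\w+) (\S+)$", line, re.I):
            policies.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).lower()
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line, re.I):
            transforms[m.group(1)] = tuple(w.lower() for w in m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line, re.I):
            entry = entries.setdefault((m.group(1), m.group(2)), {})
            rest = m.group(3).split()
            head = tuple(w.lower() for w in rest)
            for n in (2, 4):        # value is the last word ("set pfs" alone -> "pfs")
                if head[:n] in FIELDS:
                    entry[FIELDS[head[:n]]] = rest[-1]
        # PIX 6.3 has no "extended" keyword; accepted here so 7.x/ASA lines parse too
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$",
                           line, re.I):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return policies, transforms, entries, acls


def check_tunnel(config, peer, remote_acl):
    """Mismatches for the crypto map entry that points at peer ([] means it lines up);
    remote_acl is the peer's crypto ACL as (src, smask, dst, dmask) tuples."""
    policies, transforms, entries, acls = parse_pix(config)
    problems = []
    if not any(all(pol.get(k) == v for k, v in REQUIRED_PHASE1.items())
               for pol in policies.values()):
        problems.append("no isakmp policy matches the peer's phase 1 proposal")
    hits = [e for e in entries.values() if e.get("peer") == peer]
    if not hits:
        return problems + ["no crypto map entry sets peer " + peer]
    entry = hits[0]
    ts = transforms.get(entry.get("transform"))
    if ts != REQUIRED_PHASE2["transform"]:
        problems.append("transform-set %r is %r, peer expects %r"
                        % (entry.get("transform"), ts, REQUIRED_PHASE2["transform"]))
    if entry.get("lifetime") != REQUIRED_PHASE2["lifetime"]:
        problems.append("phase 2 lifetime is %r, peer expects %r"
                        % (entry.get("lifetime"), REQUIRED_PHASE2["lifetime"]))
    if "pfs" in entry:
        problems.append("pfs is set (%s) but the peer wants none" % entry["pfs"])
    local = acls.get(entry.get("acl"))
    if local is None:
        problems.append("crypto map references undefined access-list %r" % entry.get("acl"))
    # bignewf's hint: the local crypto ACL must be the peer's ACL with src/dst swapped
    elif set(local) != {(d, dm, s, sm) for s, sm, d, dm in remote_acl}:
        problems.append("crypto ACL %s is not the mirror of the peer's ACL" % entry["acl"])
    return problems


# Constructed sample: 203.0.113.10 is the peer, 192.0.2.0/24 the LAN behind the PIX,
# 198.51.100.0/24 the State's hosts; REMOTE_ACL is the peer's crypto ACL.
PEER = "203.0.113.10"
REMOTE_ACL = [("198.51.100.0", "255.255.255.0", "192.0.2.0", "255.255.255.0")]
GOOD_CONFIG = """
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption aes-256
isakmp policy 12 hash sha
isakmp policy 12 group 5
isakmp policy 12 lifetime 14400
access-list state_vpn permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
crypto ipsec transform-set stateset esp-aes-256 esp-sha-hmac
crypto map outside_map 50 match address state_vpn
crypto map outside_map 50 set peer 203.0.113.10
crypto map outside_map 50 set transform-set stateset
crypto map outside_map 50 set security-association lifetime seconds 3600
"""
# Typical slips: a comma in the lifetime (the PIX rejects it), a DES/MD5 transform
# set, no phase 2 lifetime, and a crypto map naming an ACL that is never defined.
BAD_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 14,400
access-list outside_map permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
crypto ipsec transform-set myVPNset esp-des esp-md5-hmac
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set myVPNset
"""
```

Run check_tunnel() with the fragment you intend to paste in, the 5520's outside address and the State's crypto ACL as they give it to you; an empty list means the parameters agree, and anything it reports is a mismatch to fix before reaching for debug crypto isakmp.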

 

by: DLockwood, posted on 2009-10-27 at 11:08:42 (ID: 31645029)

Thanks for your help!
