PIX 506 from 5.1 to 6.3 with PDM

I don't have any of the software.  I suppose that it is a problem.  I don't have the Smartnet's either.  I have a couple of questions on the cli portion above...

 - I would need to do this config after flashed the pix with the upgraded ios version?

 - access-list vpnlist2 permit ip 192.168.3.0 255.255.255.0 192.168.6.x 255.255.255.224
access-list vpnlist2 permit ip 192.168.4.0 255.255.255.0 192.168.6.x 255.255.255.224
I don't understand why both are here, shouldn't there just be one, say the first one.
 
 - ip local pool client 192.168.6.x-192.168.6.x
This should be different then my internal nat, right?  So if my internal addresses were 192.168.3.x for instance, I could use anything else for my pool?

- vpngroup vpnmyclients dns-server 158.43.x.x 158.43.x.x
vpngroup vpnmyclients default-domain whatever.com
vpngroup vpnmyclients split-tunnel vpnlist2

On the DNS server, is this my particular internal DNS server addresses?
On the default-domain, is this just the domain name?
On the split tunnel, is this why there are two addresses ranges, does it split up the addresses between the two to provide for more concurrent accesses?

Sorry about all the questions, I don't know my arse from my elbow with this stuff...

Here is another question...Depending on the cost of the smartnet for the software, should I just dump both Pix's and get a new firewall with better functionality, etc.  I would like to have failover and I know the Pix 506 doesn't support it.

Not having the software will be a problem if ou want to upgrade, but why do you want to upgrade?

You would telnet to the router and then apply the config no need to upgrade to do it.

If you have only one internal address you would only have one access-list.

The pool should be something else than your internal address but you will need to add a route on your interanl address for that subnet via the Pix.

DNS would be the dns that you use whether internal or external.
Domain that would reflect your domain name.
Split tunnel allows local internet access so the client would come to the lan for any internal destined traffic and break out locally for internet access.

Smartnet is not cheap but I am a teckie and not familiar with the exact costs
Pix 506 does not support failover you would have to go to a 515 failover pair.

Two reasons for an upgrade.  

A - Have never configured PIX by CLI, and figured it would be easier by using the PDM.  
B - Currently using old Sonicwall VPN client, which doesn't run on XP, and all of my clients are XP and they need remote access.

I did a Write term and the contents are below.  Everything that I think is from the old consulting firm is delineated with a NOT APPLICABLE.  I need to strip out what I don't need.  This is the production PIX, and everything works fine.  I need the backup PIX to have this same config, so I need to know how to do that also.  I also found a Cisco VPN client 3.5, will that work with XP and this version of PIX?  Maybe I don't have to upgrade the IOS after all.  :)

Everything is currently configured ok, here it is...

write term
Building configuration...
: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd *******encrypted
hostname ***
domain-name ****.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
no fixup protocol smtp 25
names
access-list 100 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0 - NOT APPLICABLE
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0 - NOT APPLICABLE
access-list 101 permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0 - NOT APPLICABLE
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0 - NOT APPLICABLE
access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0 - NOT APPLICABLE
no pager
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.4 255.255.255.XXX
ip address inside 192.168.3.x 255.255.255.0
ip local pool lake 10.10.10.2-10.10.10.254 - NOT APPLICABLE
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.6
global (outside) 1 xxx.xxx.xxx.7-xxx.xxx.xxx.8
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.5 192.168.3.x netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.5 eq www any
conduit permit tcp host xxx.xxx.xxx.5 eq smtp any
conduit permit tcp host XXX.XXX.XXX.XXX eq smtp any
conduit permit tcp host XXX.XXX.XXX.XXX eq www any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.3 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 192.168.2.31 - NOT CURRENTLY AT MY SITE
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set camelot esp-des esp-md5-hmac  - NOT APPLICABLE
crypto dynamic-map vectrocon 4 set transform-set camelot - NOT APPLICABLE
crypto map excalibur 10 ipsec-isakmp - NOT APPLICABLE
crypto map excalibur 10 match address 100 - NOT APPLICABLE
crypto map excalibur 10 set peer XXX.XXX.XXX.XXX- NOT APPLICABLE
crypto map excalibur 10 set transform-set camelot - NOT APPLICABLE
crypto map excalibur 11 ipsec-isakmp - NOT APPLICABLE
crypto map excalibur 11 match address 102 - NOT APPLICABLE
crypto map excalibur 11 set peer XXX.XXX.XXX.XXX- NOT APPLICABLE
crypto map excalibur 11 set transform-set camelot - NOT APPLICABLE
crypto map excalibur 30 ipsec-isakmp dynamic vectrocon - NOT APPLICABLE
crypto map excalibur client configuration address initiate - NOT APPLICABLE
crypto map excalibur interface outside - NOT APPLICABLE
isakmp enable outside - NOT APPLICABLE
isakmp key raritan3 address 0.0.0.0 netmask 0.0.0.0 - NOT APPLICABLE
isakmp key vectro0001 address XXX.XXX.XXX.XXX netmask 255.255.255.255 no-config-mode - NOT APPLICABLE
isakmp key scott2lsw365 address XXX.XXX.XXX.XXX netmask 255.255.255.255 no-config-mode - NOT APPLICABLE
isakmp identity address
isakmp client configuration address-pool local lake outside
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 192.168.3.2 255.255.255.0 inside
telnet 192.168.3.3 255.255.255.0 inside
telnet timeout 5
terminal width 80
Cryptochecksum:c36de0030c9228661a73f9c00a0727cd
: end
[OK]

 XXX#

3.5 that is an old version I know that there was a version for 2000 not sure about XP you will have to try it.

If you want PDM you will need to upgrade.

You can simply save this in a text format somathing like notepad and copy and paste the text into the new Pix you must be in config mode. If you are going to do this do not copy the whole text body in one go break it down in sections.

I cannot however tell you what needs removing, not being familiar with your set-up.

Would the solution from snoopy (Comment from snoopy13
Date: 03/12/2004 02:53AM PST) be better or tim (Comment from tim_holman
Date: 03/15/2004 10:50AM PST)?  I think that the 3.5 client works fine on XP, I don't mind not having the latest version.  I just need config help inserting the correct commands and deleting the old vpn tunnels to the consultants office...See above PIX code...

VPN client compatability list is here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094e6d.shtml

Windows XP with any version of VPN client (Cisco or native PPTP) will only work with PIX 6.0x and above.

Cheapest Smartnet for a PIX 506 is $190 (without any discount) -

SP-SW-PIX506      SP Base Svc, For Pix-506      $190