robert100
asked on
VPN Setup on Cisco PIX Firewall
We are going to set up a Cisco PIX 515E as our firewall and VPN box as well.
How can I set up/enable VPN support on the PIX box (using IPSec), and configure the client software on Windows to access it?
I searched the Cisco web site and found something, but I am still very confused... Need help!
Thanks in advance
Robert100
This will explain how to set up both for the VPN3000 client and for Windows PPTP:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/basclnt.htm
If you want a practical example:
ip local pool IPSEC 192.168.122.33-192.168.122.63
ip local pool PPTP 192.168.122.65-192.168.122.126
access-list NO_NAT permit ip <internal network> 255.255.0.0 192.168.122.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set LAB esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set LAB
crypto map CRYMAP 10 ipsec-isakmp dynamic dynmap
crypto map CRYMAP interface outside
isakmp enable outside
isakmp key <password> address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
# setup for VPN3000 client:
# client setup username: LABVPN password: <password>
vpngroup LABVPN address-pool ippool
vpngroup LABVPN dns-server <DNS IP>
vpngroup LABVPN wins-server <WINS IP1> <WINS IP2>
vpngroup LABVPN idle-time 1800
vpngroup LABVPN password <password>
# setup for PPTP clients:
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe 40
vpdn group PPTP client configuration address local PPTP
vpdn group PPTP client configuration dns <dns server IP>
vpdn group PPTP client configuration wins <WINS IP1> <WINS IP2>
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username <username> password <password>
vpdn username <user2> password <password2>
vpdn enable outside
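As an added example (not code from the thread or from Cisco), a small Python audit that reads the configuration above and flags the settings a reviewer would want to revisit before the box goes live: the wildcard pre-shared key, single DES and MD5 in IKE and ESP, the 1024-bit DH group, 40-bit MPPE and MS-CHAP for PPTP, and an address-pool name that no `ip local pool` defines. The config excerpt inside it is constructed from the posted lines; `audit_pix_vpn` and `CHECKS` are names chosen here.

```python
"""Added example, not code from the thread: a read-only audit of the PIX 6.x
VPN settings posted above, flagging crypto choices and a dangling pool
reference that a reviewer would want to catch before the box goes live."""
import re

# Constructed excerpt of the posted config; <placeholders> kept as in the thread.
PIX_CONFIG = """\
ip local pool IPSEC 192.168.122.33-192.168.122.63
isakmp key <password> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set LAB esp-des esp-md5-hmac
vpngroup LABVPN address-pool ippool
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe 40
"""

# (regex, message) pairs; each match on a config line yields one finding.
CHECKS = [
    (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "wildcard pre-shared key: the same secret is accepted from any peer address"),
    (r"^isakmp policy \d+ encryption des$", "IKE phase 1 uses single DES"),
    (r"^isakmp policy \d+ hash md5$", "IKE phase 1 integrity uses MD5"),
    (r"^isakmp policy \d+ group [12]$", "IKE DH group 1/2 (768/1024-bit MODP)"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b", "ESP uses single DES"),
    (r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "ESP integrity uses MD5"),
    (r"^vpdn group \S+ ppp authentication mschap$", "PPTP uses MS-CHAP (v1)"),
    (r"^vpdn group \S+ ppp encryption mppe 40$", "PPTP uses 40-bit MPPE"),
]


def audit_pix_vpn(config: str) -> list:
    """Return [(line_number, message), ...] for every weak or broken setting."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Pool names defined with 'ip local pool', so address-pool references can be checked.
    pools = set(re.findall(r"^ip local pool (\S+) ", config, re.M))
    findings = []
    for num, ln in enumerate(lines, start=1):
        findings += [(num, msg) for pattern, msg in CHECKS if re.search(pattern, ln)]
        # A vpngroup that points at a pool no 'ip local pool' line defines.
        m = re.match(r"^vpngroup \S+ address-pool (\S+)$", ln)
        if m and m.group(1) not in pools:
            findings.append((num, f"address-pool '{m.group(1)}' is not defined by 'ip local pool'"))
    return findings


if __name__ == "__main__":
    for num, msg in audit_pix_vpn(PIX_CONFIG):
        print(f"line {num}: {msg}")
```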
oops, change this:
vpngroup LABVPN address-pool ippool
to this:
vpngroup LABVPN address-pool IPSEC
ASKER
Thanks for the detailed help.
ASKER
More questions on Cisco PIX VPN.
I am going to set up a VPN connection using IPSec to connect to another host in another private network for a group of our users from one of our subnets. I don't know what platform of firewall or VPN server the other end uses, most likely hardware based. What I know is only a host IP address and that they use IPSec, not PPTP or L2TP. How could I do that? I read the article from the Cisco web site http://www.cisco.com/warp/public/110/38.html, which deals with the PIX-to-PIX situation.
Questions:
1. Does the PIX work with other firewalls or hardware-based VPN servers? If yes, what information about the other end do I have to know?
2. Must any client software be installed on our internal clients to connect to the remote host?
3. I don't understand very clearly how host-to-host VPN works. Any source of information?
Thanks so much
Robert100
Just so you know, I get $175 per hour to help folks like yourself set up VPNs on PIX and Cisco routers.
The short answer is yes, you can set up a site-to-site VPN between the PIX and virtually any IPSEC VPN-capable device (Checkpoint FW, Nokia, etc).
I would recommend a site-to-site VPN, with an access-list that restricts the access to specified IP addresses on both sides.
No additional software should be required anywhere.
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/sit2site.htm
http://www.cisco.com/warp/customer/110/cp-p.html
ASKER
Thanks so much.
One more question: to set up IPSec on the PIX, there are a bunch of settings, such as pre-shared key, access list, etc., to set up. Do I need to know anything about these settings on the other side, except for the IP of the access point? Is this IP that of the firewall on the other side, or of the host to be reached on the internal network of the other side?
I know it may be too detailed, but it is important.
Thanks in advance.
Robert100
ASKER CERTIFIED SOLUTION
Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Client Using IPSec:
http://www.cisco.com/warp/public/110/pix3000.html
If so, where are you stuck?
If not, then please tell more.