Pentrix2 asked:
PIX501 initial setup

I am new to the PIX family, but have experience in their routers and switches. I can't get any internet to pass over to my workstations, how do I do that? Now, does my pix act as a dhcp server?


sh ru
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HamFarm-PIX
domain-name HarmFarm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_public permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
interface ethernet0 10baset shutdown
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 127.0.0.1 255.255.255.255
ip address inside 192.168.1.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_public
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
snmp-server location HamFarm
snmp-server contact Hams
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:ae2d495be6cfd967b6d8cb5cf23ae9b2
: end

HamFarm-PIX#
Pentrix2 (asker):
Oh, just to let you know.  I'm using Cable internet, with a dynamic ip address.  How would I also set it up to use the dynamic ip so later on I can use it to vpn to it?
ASKER CERTIFIED SOLUTION
grblades
Okay, what if I don't want it to act as a dhcp server, because I got a windows 2003 server enterprise acting as my dhcp server. I got a dynamic ip address, which I notice on your config you got this line to do its job

ip address outside dhcp setroute

Now, how will I pass over traffic to my workstations without using the pix dhcp(disabling dhcp)?
If you don't want the PIX to be a DHCP server all you need to do is not enter the lines which start with 'dhcpd'.

You will need to configure the windows DHCP server so that it issues the IP address of the PIX as the default gateway and then all machines will be able to access the internet.
Okay, how do I do that, issue the ip address of the pix as the default gateway? I don't really follow you on this one.
So, on each workstation, for the default gateway, I just put in the pix ip? But if it's dynamic on e0, it will change periodically?
In my example e0 is the outside interface and that is the one which changes IP address occasionally.

e1 is the internal interface which has an IP address of 192.168.50.1 and it is that IP address which needs to be configured as the default gateway for all internal machines.
In the windows dhcp server configuration you can specify various parameters which are given to the windows clients. One of these is the default gateway.
I got a pix501, I did this command from your config


access-list outside_in permit tcp any any eq imap4
Type help or '?' for a list of available commands.

Is this because my pix doesn't support it?
and if it's set at

ip address outside dhcp setroute


how would I access my network externally? Since the ip address will keep on changing?
After you log into the PIX you need to enter "enable" to go into privileged mode. From there you can enter "config t" which switches you into configuration mode and then you can paste in parts of my configuration.
When you have finished type "exit" to exit out of config mode and then "wri mem" to save the configuration to NVRAM so it is not lost if you switch off the power.

On one of your internal machines you will need to run a DDNS client using the services from a company such as http://www.dyndns.org/
This is free and the hostname you choose will be kept up to date as your IP changes.
Because the PIX will be switched on all the time you will find that your IP address very rarely changes.
Right, I know how to do that part, I pasted most of your configurations to the PIX already, but it was just that one command didn't go through. What's imap4 and will I need it for my mailserver?
imap4 is a way of collecting mail similar to pop3 but mail is normally left on the server and it supports multiple folders. Don't worry about it for now. Once it is working and internal machines can access the Internet you can fine tune what services should be redirected to which machines.
On your config, I notice you got 2 webservers and a mailserver. I want to access my windows server 2003 box externally, which port will I have to enable? And do you have the command line for it?
How do you need to access it?
I would strongly discourage you from accessing the file sharing remotely unless you use a VPN.
Do you just want to make a terminal services connection to it?
My goal is to use my pix501 to gain access to my network, then I can use the network resources just like I was there physically. I thought a pix 501 can setup or create vpn tunnels?
Yes you can use a VPN. I am just about to leave work (I am in the UK) and I will give you the additional configuration for VPN when I get home in an hour or so.
Cool, thanks. I can give you 4000 points for helping me out through this one when we get done. I will just have to post questions that's worth 500 each, then you can post answer to them and I will accept them. Don't worry, the questions will be very easy. Like, how do I go to privilege mode. :)
Here is the basic configuration you should need to add :-

!--- Implicitly permit VPN users to access all internal machines.
!--- This command must be present.
sysopt connection permit-ipsec
!--- Define a transform set using AES encryption and sha
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
!--- Authenticate VPN clients against the PIX's LOCAL user database (the 'user' line below)
crypto map outside_map client authentication LOCAL
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
!--- note group 5 is recommended when using 256 bit aes encryption
!--- but this is not supported by the VPN client so have to use group 2
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!--- Define a split-tunnel ACL so that all traffic to these addresses are sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
!--- Define address pools for the vpn users
ip local pool vpnpool 192.168.100.1-192.168.100.254
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!--- The pool name must match the 'ip local pool' defined above
vpngroup groupvpn address-pool vpnpool
!--- We want staff to be able to access our internal DNS and WINS server to resolve machine names
vpngroup groupvpn dns-server 192.168.50.1
vpngroup groupvpn wins-server 192.168.50.1
vpngroup groupvpn default-domain mydomain.com
vpngroup groupvpn split-tunnel splitTunnelAcl
!--- Use our internal DNS server for looking up our machines but let the client use its normal
!--- DNS server for other sites.
vpngroup groupvpn split-dns mydomain.com
vpngroup groupvpn idle-time 1800
vpngroup groupvpn password your-group-password-here
user myusername password mypassword


A few useful links :-
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

I suggest you look through the VPN examples on the Cisco website and the documentation so at least you have an idea of what is going on.
When I tried the below commands, it errors out.  Remember I'm using a PIX501 with version 6.2(2), are these commands for another PIX or for my PIX501?

HamFarm-PIX(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
usage: crypto ipsec transform-set <trans-name> [ ah-md5-hmac|ah-sha-hmac ]
            [ esp-des|esp-3des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]
        crypto ipsec transform-set <trans-name> mode transport
Type help or '?' for a list of available commands.
HamFarm-PIX(config)#
HamFarm-PIX(config)# crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA

ERROR: transform set with tag "ESP-AES-256-SHA" does not exist.
HamFarm-PIX(config)#
amFarm-PIX(config)# crypto map outside_map client authentication LOCAL
Protocol "local" is available only for console authentication
and command authorization
HamFarm-PIX(config)#
HamFarm-PIX(config)# isakmp policy 20 encryption aes-256
Supported values: des, 3des
Usage:  isakmp policy <priority> authen <pre-share|rsa-sig>
        isakmp policy <priority> encrypt <des|3des>
        isakmp policy <priority> hash <md5|sha>
        isakmp policy <priority> group <1|2>
        isakmp policy <priority> lifetime <seconds>
        isakmp key <key-string> address <ip> [netmask <mask>] [no-xauth] [no-con
fig-mode]
        isakmp enable <if_name>
        isakmp identity <address|hostname|key-id> [<key-id-string>]
        isakmp keepalive <seconds> [<retry seconds>]
        isakmp client configuration address-pool local <poolname> [<pif_name>]
        isakmp peer fqdn|ip <fqdn|ip> [no-xauth] [no-config-mode]
HamFarm-PIX(config)#
You probably don't have AES encryption in that software version. Try the following as it should use the lower des encryption standard

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
!--- Authenticate VPN clients against the PIX's LOCAL user database (the 'user' line below)
crypto map outside_map client authentication LOCAL
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
!--- Define a split-tunnel ACL so that all traffic to these addresses are sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
!--- Define address pools for the vpn users
ip local pool vpnpool 192.168.100.1-192.168.100.254
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!--- The pool name must match the 'ip local pool' defined above
vpngroup groupvpn address-pool vpnpool
!--- We want staff to be able to access our internal DNS and WINS server to resolve machine names
vpngroup groupvpn dns-server 192.168.50.1
vpngroup groupvpn wins-server 192.168.50.1
vpngroup groupvpn default-domain mydomain.com
vpngroup groupvpn split-tunnel splitTunnelAcl
!--- Use our internal DNS server for looking up our machines but let the client use its normal
!--- DNS server for other sites.
vpngroup groupvpn split-dns mydomain.com
vpngroup groupvpn idle-time 1800
vpngroup groupvpn password your-group-password-here
user myusername password mypassword
Alright, all the commands worked except one, which is listed below.

HamFarm-PIX(config)# crypto map outside_map client authentication LOCAL
Protocol "local" is available only for console authentication
and command authorization
HamFarm-PIX(config)#


Now, after I get this up and going.  How will my clients access me?  Do I use a microsoft vpn or which vpn client software?
It looks as though your version of the software does not support local authentication. This does not matter as it just means you will only be able to authenticate using the group username/password and won't be able to have an additional username/password for each user.

You need the Cisco VPN client which should have come with your PIX.
Will the vpn client software accept hostname instead of ip address? I got a dynamic ip address with my cable internet provider, I will have to register with dyndns.org to get a static hostname.

Is there anything I should watch out for or configure besides the username/password in the cisco vpn client software?
I got the 6.2(2) ios on my pix501, I just got the license activation code to upgrade it to 6.3 with aes support. How do I put in the license key in it?
Yes the vpn client will accept a hostname. There is nothing else that you need to configure. If you have a look on the 'transport' tab you can tick a box to permit local network access.

If you have 6.2(2) you need to upload the new software in order to get 6.3. Then you need to enter the new license code to get the enhanced security option. Details on how to do this will be given in the email when you get the new code.
I tried your DSL home setup for my pix but still can't pass traffic, every time I do the ip address outside dhcp setroute, it says it can't find it. Here is my running-config



: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HamFarm-PIX
domain-name HamFarm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset shutdown
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.85.22 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.85.213 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:23aa9fc3a0858cd119d0f1a28d35d43d
: end

HamFarm-PIX#
Interface ethernet0 is still shut down (disabled).
Entering the following in configuration mode should enable it.

interface ethernet0 10baset
Alright, when I do that, it says this:


HamFarm-PIX#
Allocated IP address = 192.168.85.120,  netmask = 255.255.255.0, gateway = 192.1
68.85.1

Can't set DHCP ip/mask, subnet is the same as interface 1
It looks like your cable company is issuing you with an IP address in the 192.168.85.x network. I suggest you change the IP address on your internal network to something else, such as 10.0.10.0/255.255.255.0.

ip address inside 10.0.10.1 255.255.255.0

You do have the external network interface of the PIX connected directly to the cable modem only?
For now, I'm testing it at my work network, and you're right. I changed it to that 11.0.10.1 and it gave me this message.

HamFarm-PIX(config)# ip address outside dhcp setroute
....
Allocated IP address = 192.168.85.120,  netmask = 255.255.255.0, gateway = 192.1
68.85.1
HamFarm-PIX(config)#

Does this mean it's working? And when I try to renew my ip address through a laptop connected to one of its ports, it can't renew it? I thought now it would be able to pass traffic, like the internet?
You only showed me the first part of the configuration. If it is also setup to be a DHCP server you will need to change the IP address range the server issues addresses from.
Alright, I got it to assign dhcp addresses to my workstations.  but they can't access the internet.  If it can assign ips, why can't my workstation get internet access?  Here is the running config

sh ru
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HamFarm-PIX
domain-name HamFarm.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.85.213 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 60
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
dhcpd address 192.168.50.100-192.168.50.108 inside
dhcpd dns 205.171.3.65
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:3adf541b6ec7e0260304d3b0d546395f
: end

HamFarm-PIX#  
Can you check the PIX has internet connectivity by trying to ping 66.102.9.104 (google) from it.

Can you also go to a workstation and bring up a DOS box and paste the output of the command "ipconfig /all" here.
When I do a ping, this is what it gives me. All my workstations are able to get ips, but how do I ping?

PIX# ping 66.102.9.104
No route to host 66.102.9.104.
Usage:  ping [if_name] <host>
PIX#
It looks like the PIX has lost the default route it obtained via DHCP. Can you type "show route" on the PIX and paste the output here.
You might also want to type "wri mem" to save the config and reboot the PIX.
PIX# show ip route
System IP Addresses:
        ip address outside 127.0.0.1 255.255.255.255
        ip address inside 192.168.50.1 255.255.255.0
Current IP Addresses:
        ip address outside 127.0.0.1 255.255.255.255
        ip address inside 192.168.50.1 255.255.255.0
PIX#

I can't access internet at all, my workstations can obtain ip from it, but no internet?
It has lost its outside IP address and routing. Can you save the config (wri mem) and reboot the PIX and try again.
Did that multiple times, and still no success. I tried to start it from scratch, and the above is the current running config. How can I make it pass internet traffic to other workstations connected to its ports?
'show ip route' still shows the same entries?
The outside IP address should not be 127.0.0.1. If it is then this indicates that it failed to obtain an IP address via DHCP.
Right, when I reload noconfirm, it says it failed to get the dhcp. I got the pix connected directly to my cable modem. What could be going wrong?
I am not sure as it did work initially when you first enabled it to get an IP via dhcp. Have you tried powering off the cable modem for a couple of minutes?
I know some of them remember the last machine they spoke to and won't talk to another one until they are rebooted.
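As an added example (not from this thread, and not Cisco's tooling), the checks grblades worked through above, plus the two VPN configuration issues, can be run mechanically against a PIX 6.x 'show running-config' dump: a shut-down outside interface, an outside address of 127.0.0.1 after a failed DHCP lease, an inside subnet that overlaps the DHCP-assigned outside subnet, a vpngroup pointing at an address pool that was never defined, the DES/MD5/group-1 fallback, the default SNMP community, and a nat 0 ACL that exempts every destination. It goes beyond the thread in one place: it also checks that each 'nat (inside) <id>' has a matching 'global (outside) <id>', which PIX 6.x needs before it will PAT inside hosts. The sample config and the lease value are constructed, modelled on the asker's dumps.

```python
import ipaddress
import re

# ISAKMP settings the thread fell back to when 6.2(2) rejected AES/SHA/group 2
WEAK_ISAKMP = {"encryption des", "hash md5", "group 1"}


def lint_pix_config(config, dhcp_outside=None):
    """Return a sorted list of findings for a PIX 6.x running-config.
    dhcp_outside: optional "ip/mask" of the lease from the PIX's
    'Allocated IP address = ...' line, used for the overlap check."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # hardware name -> logical name, e.g. ethernet0 -> outside
    ifnames = {m[1]: m[2] for ln in lines if (m := re.match(r"nameif (\S+) (\S+)", ln))}
    ips = {m[1]: (m[2], m[3]) for ln in lines
           if (m := re.match(r"ip address (\S+) (\S+) (\S+)", ln))}
    pools = {m[1] for ln in lines if (m := re.match(r"ip local pool (\S+)", ln))}
    nat_ids = {m[1] for ln in lines if (m := re.match(r"nat \(inside\) (\d+)", ln))}
    global_ids = {m[1] for ln in lines if (m := re.match(r"global \(outside\) (\d+)", ln))}

    for ln in lines:
        if m := re.match(r"interface (\S+) \S+ shutdown", ln):
            findings.append(f"interface {ifnames.get(m[1], m[1])} is shut down")
        if m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln):
            acl = re.escape(m[1])
            if any(re.match(rf"access-list {acl} permit ip \S+ \S+ any$", x) for x in lines):
                findings.append(f"nat 0 ACL {m[1]} exempts all destinations: inside hosts leave unNATed")
        if m := re.match(r"vpngroup \S+ address-pool (\S+)", ln):
            if m[1] not in pools:
                findings.append(f"vpngroup address-pool {m[1]} is not defined by 'ip local pool'")
        if m := re.match(r"isakmp policy \d+ (\w+ \w+)", ln):
            if m[1] in WEAK_ISAKMP:
                findings.append(f"weak ISAKMP setting: {m[1]}")
        if ln == "snmp-server community public":
            findings.append("SNMP community 'public' configured")

    if ips.get("outside", ("",))[0] == "127.0.0.1":
        findings.append("outside address is 127.0.0.1: no DHCP lease obtained")
    if "inside" in ips and dhcp_outside:
        inside_net = ipaddress.ip_network("/".join(ips["inside"]), strict=False)
        lease_net = ipaddress.ip_network(dhcp_outside, strict=False)
        if inside_net.overlaps(lease_net):
            findings.append(f"inside {inside_net} overlaps DHCP outside lease {lease_net}")
    for nid in sorted(nat_ids - {"0"}):
        if nid not in global_ids:  # dynamic NAT/PAT needs a global with the same id
            findings.append(f"nat (inside) {nid} has no matching global (outside) {nid}: no PAT")
    return sorted(findings)


# Constructed config modelled on the thread's failing state (not a real device dump)
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
interface ethernet0 10baset shutdown
ip address outside 127.0.0.1 255.255.255.255
ip address inside 192.168.85.22 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
isakmp policy 20 encryption des
ip local pool vpnpool 192.168.100.1-192.168.100.254
vpngroup groupvpn address-pool staffpool
"""

if __name__ == "__main__":
    print("\n".join(lint_pix_config(SAMPLE_CONFIG, "192.168.85.120/255.255.255.0")))
```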