• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1564
  • Last Modified:

How to setup Cisco VPN Client to tunnel to Pix 515E

I have a couple of vendors that will need to tunnel in via the VPN Client to access accounting software, etc.
I would like to configure the Pix 515E to accept a couple of users into the LAN.  I understand I need to set up a
RADIUS server.  I have a Win2003 Server I will use for RADIUS.  What do I need to set up on the Pix to allow
them in?  Cisco documentation appears to be very cryptic to follow.  Plus I didn't see anything for RADIUS setup.
Please help.  I was asked to make this happen in the next two days.
1 Solution
 
lrmoore commented:
This document is pretty straightforward and shows exactly how to set up a Win2k server. Identical config on Win2k3 server.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
 
rick_me27 (author) commented:
Yes, I found this earlier today and plan to use it as a guide tonight when I work on this.  Is there anything in particular I need to allow on the screening router?  I am having a T1 installed next week and I will be bringing up the 2650 in front of the Pix.
I know I need to change the default route, etc., but what about for VPN access?
 
lrmoore commented:
If you have a screening access router, you need to permit udp 500, tcp 50 (esp), udp 10000 and udp 4500 from any.

example

<inbound acl>
access-list 101 remark ESP is IP protocol 50 (not a TCP/UDP port): phase 2 encrypted payload
access-list 101 permit esp any host <ip address of PIX outside>
access-list 101 remark ISAKMP / IKE phase 1
access-list 101 permit udp any host <ip address of PIX outside> eq 500
access-list 101 remark NAT traversal: udp 4500 (NAT-T), udp 10000 (older client IPsec over UDP)
access-list 101 permit udp any host <ip address of PIX outside> eq 4500
access-list 101 permit udp any host <ip address of PIX outside> eq 10000
interface <outside interface>
 ip access-group 101 in
 
rick_me27 (author) commented:
Thanks so much.  What is ESP?
 
lrmoore commented:
udp port 500 = isakmp phase 1
esp / tcp port 50 = encapsulating security payload - this is the actual encrypted data stream, phase 2
Unless the client is behind a NAT device, then udp 4500 = ipsec payload
Older client software behind NAT device uses udp 10000 for encrypted payload
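The protocol-versus-port point in lrmoore's last comment, worked through as an added example that is not part of the original thread: a small Python classifier that builds raw IPv4 packets and evaluates the inbound access list against them the way an IOS router would (top-down, implicit deny at the end). It assumes a hypothetical PIX outside address of 203.0.113.10 and a vendor client at 198.51.100.7 (both from the RFC 5737 documentation ranges); the function names are mine. ESP is IP protocol number 50, carried in the protocol field of the IPv4 header, and has no port field at all; only IKE (udp 500), NAT-T (udp 4500) and Cisco IPsec over UDP (udp 10000) are ports. A rule written as "permit tcp ... eq 50" would therefore open TCP port 50 to the world and still drop the tunnel's encrypted traffic, which the second column of the output shows. A typo'd port (1000 instead of 10000) and traffic to any host other than the PIX fall through to the implicit deny.

```python
import struct

# Hypothetical addresses (RFC 5737 documentation ranges) standing in for the real
# PIX outside address and a remote vendor's VPN client.
PIX_OUTSIDE = "203.0.113.10"
CLIENT = "198.51.100.7"

# IP protocol numbers. ESP is *protocol* 50 and carries no port field at all;
# only IKE (500), NAT-T (4500) and Cisco IPsec-over-UDP (10000) are UDP ports.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
PROTO_NUM = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP, "esp": IPPROTO_ESP}

# access-list 101 from the thread as (protocol, destination port); None = any port.
ACL_101 = [
    ("esp", None),   # phase 2 encrypted payload, native ESP
    ("udp", 500),    # ISAKMP / IKE phase 1
    ("udp", 4500),   # NAT-T: ESP wrapped in UDP, client behind a NAT device
    ("udp", 10000),  # Cisco IPsec over UDP, older clients behind NAT
]
# The "tcp port 50" misreading written as a rule: it never matches ESP.
ACL_101_WRONG = [("tcp", 50)] + ACL_101[1:]


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto_name, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, zero checksum) + payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64,
                         PROTO_NUM[proto_name], 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_udp(dport, sport=50000, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(dport, sport=50000):
    # SYN with no options: 20-byte header, data offset 5.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def build_esp(spi, seq, data=b"\x00" * 16):
    # ESP starts with SPI and sequence number; the rest is opaque ciphertext to a router.
    return struct.pack("!II", spi, seq) + data


def parse_ipv4(packet):
    """Return (protocol number, destination IP, destination port or None)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # Both TCP and UDP put the destination port in bytes 2-3 of their header.
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dst, dport


def acl_permits(packet, acl=ACL_101, pix=PIX_OUTSIDE):
    """Evaluate the ACL top-down like IOS does, with the implicit deny at the end."""
    proto, dst, dport = parse_ipv4(packet)
    if dst != pix:
        return False                   # every line is "host <PIX outside>"
    for name, port in acl:
        if PROTO_NUM[name] != proto:
            continue
        if port is None or port == dport:
            return True
    return False


def demo():
    """Classify constructed packets; returns {label: (correct ACL, tcp-50 ACL)}."""
    packets = {
        "esp to pix":            build_ipv4("esp", CLIENT, PIX_OUTSIDE, build_esp(0x1000, 1)),
        "udp/500 to pix":        build_ipv4("udp", CLIENT, PIX_OUTSIDE, build_udp(500)),
        "udp/4500 to pix":       build_ipv4("udp", CLIENT, PIX_OUTSIDE, build_udp(4500)),
        "udp/10000 to pix":      build_ipv4("udp", CLIENT, PIX_OUTSIDE, build_udp(10000)),
        "udp/1000 to pix":       build_ipv4("udp", CLIENT, PIX_OUTSIDE, build_udp(1000)),  # typo'd port
        "tcp/50 to pix":         build_ipv4("tcp", CLIENT, PIX_OUTSIDE, build_tcp(50)),
        "udp/500 to other host": build_ipv4("udp", CLIENT, "203.0.113.20", build_udp(500)),
    }
    return {label: (acl_permits(p), acl_permits(p, ACL_101_WRONG))
            for label, p in packets.items()}


if __name__ == "__main__":
    for label, (ok, wrong) in demo().items():
        print(f"{label:24s} correct ACL: {'permit' if ok else 'deny':6s}  "
              f"tcp-50 ACL: {'permit' if wrong else 'deny'}")
```

The classifier only models what the four permit lines say; a real screening router also needs whatever else the PIX and the LAN behind it legitimately receive, since everything not listed hits the implicit deny. Note also that these rules necessarily expose IKE on udp/500 to any source address, which is inherent to remote-access VPN for vendors whose addresses are not known in advance.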
