Solved

VPN on Cisco Pix 515e

Posted on 2004-09-14
Last Modified: 2013-11-16
What is the best way to set up a VPN to allow remote users from home to access the network?  I've tried setting up a simple VPN setup and connect fine; however, I cannot access email or anything on the network.  It pulls an IP address from the pool and assigns the WINS configurations, however, it does not add our gateway.  I'm not sure what I missed, but would like to start over "correctly".  Thanks for any help you can offer.
Question by:AdminBWC
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12060614
If you use the configuration here, and the Cisco VPN client, it is a great solution:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Pay particular attention to the fact that the VPN pool is different from the local LAN subnet.

The other "gotcha" to watch out for is using the most common IP subnets - 10.10.10.x, 10.1.1.x, 10.0.0.x, 192.168.0.x, 192.168.1.x on your inside PIX. Since these are also the most common on home broadband networks, having the same on both sides is inherently problematic.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12076445
Are you still working on this? Any updates to your status?

0
 

Author Comment

by:AdminBWC
ID: 12077173
I am still working on this.  I do have a question though.  Do I have to use a VPN client?  Also, I failed to mention the PIX is set up with a DMZ.  Does this make a difference?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12077499
No, you don't have to use any IPSEC client software, you can use Microsoft PPTP VPN client that comes with most Windows versions.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

DMZ does not make a difference. If VPN users need access to both the inside and the DMZ, it will only affect how you craft your access-lists...

If you use the Microsoft client, make sure you have the properties checked "use default gateway on remote network" and you should be able to access your inside hosts.
0
 

Author Comment

by:AdminBWC
ID: 12084443
Ok, I can get connected, but I cannot browse the network, access email or anything else on the network.  The IP address assigned comes from the pool of IPs. Any suggestions?
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 12085057
On the VPN client, select Properties, Networking tab, TCP/IP, Properties, Advanced button, Use Default gateway on remote network - checked?

Is the pool of IPs a different subnet than your local LAN?
0
 

Author Comment

by:AdminBWC
ID: 12192879
Ok, I'm connected and working fine with VPN - Cisco helped me add/correct my commands on the PIX.  There's only one problem - outside email will not come through.  Exchange mail comes in fine, but SMTP/POP3 errors out.  Any suggestions?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12192927
> Exchange mail comes in fine, but SMTP/POP3 errors out
Does it error out on the client while connected to the VPN?
Do you have the "use default gateway on remote network" option checked? If yes, then this is expected behavior and only manual manipulation of the route table on the PC will fix it, and this will have to be done every time a VPN connection is established.
0
 

Author Comment

by:AdminBWC
ID: 12199178
Yes, Cisco gave the commands to do this, but I think I'd like to take a different route.  Can you help with Outlook Web Mail over VPN?  It works inside the network just fine by typing exchangeservername\user, but I can't get it to work from home over VPN.

I think our problem is this:
We have our Exchange and AD on one server and our IIS, SMTP and POP3 accounts within a DMZ on another server.  Is there a way to get Outlook Web Mail working in the VPN?

Thanks for all your help with this.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 150 total points
ID: 12201411
The server that you connect for OWA is actually located in the DMZ?
You would need to add the DMZ subnet to the nat-0 access-list.
0
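
The checks raised in this thread (VPN pool on its own subnet, inside subnet not one of the common home ranges, DMZ subnet present in the nat-0 access-list) can be run against a saved configuration. The Python script below is an added example, not part of the original thread or Cisco's documentation; the ACL name `nonat`, the interface name `dmz` and every address in the sample are assumptions made up for illustration.

```python
import ipaddress
import re

# Subnets the thread names as most common on home broadband networks.
COMMON_HOME = [ipaddress.ip_network(n) for n in (
    "10.10.10.0/24", "10.1.1.0/24", "10.0.0.0/24",
    "192.168.0.0/24", "192.168.1.0/24")]

# Constructed sample in PIX 6.x style; every name and address is made up.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.0
ip local pool vpnpool 10.99.99.1-10.99.99.50
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.99.99.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

def audit(config, nonat_acl="nonat"):
    """Return findings for the pool/subnet/NAT-exemption checks in the thread."""
    local, pool, exempt = {}, [], []
    acl = re.compile(rf"access-list {re.escape(nonat_acl)} permit ip "
                     r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (?!outside )(\S+) ([\d.]+) ([\d.]+)$", line):
            local[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := re.match(r"ip local pool \S+ ([\d.]+)-([\d.]+)$", line):
            # Turn the first-last range into CIDR blocks for overlap tests.
            pool = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := acl.match(line):
            exempt.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                           ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    findings = []
    for name, net in local.items():
        if any(p.overlaps(net) for p in pool):
            findings.append(f"VPN pool overlaps {name} subnet {net}")
        if any(net.overlaps(h) for h in COMMON_HOME):
            findings.append(f"{name} subnet {net} is common on home networks")
        # An exemption entry must cover this subnet as source and the pool as destination.
        covered = any(net.subnet_of(src) and all(p.subnet_of(dst) for p in pool)
                      for src, dst in exempt)
        if not covered:
            findings.append(f"no NAT exemption from {name} subnet {net} to the pool")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Only `permit ip <net> <mask> <net> <mask>` entries are parsed; entries written with `host` or `any` are ignored by this example.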
 
LVL 79

Expert Comment

by:lrmoore
ID: 12280440
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
0
