Need help with Cisco VPN/PIX 501 setup?

I recently bought a PIX 501 firewall for home use.  The company I work for has allowed the support staff to VPN into their network.  Of course, when I disconnect my PIX, I can VPN in fine, but of course, that is a hassle.  I want to VPN in while keeping my home LAN as secure as possible.  What commands would I need to implement on my PIX to gain VPN access to my company's network?

My Setup:
Broadband with the PIX acquiring a DHCP address from the cable company.

W2K PC w/VPN Client --- PIX501 --- Cable Modem ------ (INTERNET) ------ CO Firewall --- CO PIX or VPN Conc --- CO LAN

Currently have only a few ports open for gaming.
One more question.  Does the PDM VPN Wizard help out with this?  I don't prefer to use wizards but will if it will work.
Any assistance would be greatly appreciated.  Thank you.
drobinson_92562 Asked:
1 Solution
 
lrmoore Commented:
I don't think the wizard will help.
Are you using Microsoft PPTP VPN?
  Yes - add the following:
     fixup protocol pptp 1723

  No, using Cisco IPSEC VPN client, add the following:
     isakmp nat-traversal 20

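Added example, not from the thread: what actually lets a Cisco IPsec client behind the PIX's PAT reach the head-end is the NAT detection built into IKE (RFC 3947 NAT-D payloads), which the client and the company's concentrator run between themselves regardless of what the PIX is configured with. The script below computes the NAT-D hashes the way the RFC specifies (HASH over initiator cookie, responder cookie, IP and port), builds the client's payloads, and shows what the head-end concludes once the PIX has rewritten the source address. The addresses (RFC 1918 and RFC 5737), the PAT port, the fixed cookies and SHA-1 as the negotiated hash are all assumptions made for the example.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, udp_port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).

    IP is in network byte order, Port is two bytes big-endian, and HASH is the
    hash negotiated in the first IKE exchange (SHA-1 assumed here).
    """
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", udp_port))
    return h.digest()


def build_nat_d(cky_i, cky_r, peer_ip, peer_port, local_ips, local_port):
    """Payloads a peer sends (RFC 3947 section 4): first the hash of the address it
    believes the other side has, then one hash per address it believes it has itself."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, local_port) for ip in local_ips]
    return payloads


def check_nat_d(cky_i, cky_r, payloads, pkt_src_ip, pkt_src_port, my_ip, my_port):
    """Receiver side: the first payload must match my own address, and the packet's
    source address/port must match one of the addresses the sender claims to have."""
    i_am_as_sender_thinks = payloads[0] == nat_d_hash(cky_i, cky_r, my_ip, my_port)
    sender_is_as_claimed = nat_d_hash(cky_i, cky_r, pkt_src_ip, pkt_src_port) in payloads[1:]
    return {"sender_behind_nat": not sender_is_as_claimed,
            "receiver_behind_nat": not i_am_as_sender_thinks}


# Constructed scenario (not from the thread): client on the PIX inside, PIX outside
# address assigned by the ISP, head-end at the company. Placeholder addresses, fixed cookies.
CKY_I = bytes.fromhex("1a2b3c4d5e6f7081")   # initiator cookie, 8 bytes (assumed)
CKY_R = bytes.fromhex("91a2b3c4d5e6f708")   # responder cookie, 8 bytes (assumed)
CLIENT_IP, CLIENT_PORT = "192.168.1.3", 500
PIX_OUTSIDE_IP, PIX_PAT_PORT = "203.0.113.10", 1024   # PAT may pick a port other than 500
HEADEND_IP, HEADEND_PORT = "198.51.100.5", 500


def client_nat_d():
    """The client (initiator) builds its NAT-D payloads from the addresses it knows."""
    return build_nat_d(CKY_I, CKY_R, HEADEND_IP, HEADEND_PORT, [CLIENT_IP], CLIENT_PORT)


def headend_view(src_ip, src_port):
    """What the head-end concludes from the source address the packet arrives with."""
    return check_nat_d(CKY_I, CKY_R, client_nat_d(), src_ip, src_port, HEADEND_IP, HEADEND_PORT)


def through_pix():
    """Client's IKE packet after the PIX has PAT'ed it."""
    return headend_view(PIX_OUTSIDE_IP, PIX_PAT_PORT)


def direct():
    """Same packet with the PIX unplugged: no rewrite, nothing to detect."""
    return headend_view(CLIENT_IP, CLIENT_PORT)


def ike_port_after_detection(result):
    """RFC 3947 section 4: once either side is behind NAT, both float to UDP 4500 and
    ESP is carried inside UDP 4500 (RFC 3948), which the PIX PATs like any other UDP flow."""
    return 4500 if result["sender_behind_nat"] or result["receiver_behind_nat"] else 500


if __name__ == "__main__":
    print("through PIX:", through_pix(), "->", ike_port_after_detection(through_pix()))
    print("direct:     ", direct(), "->", ike_port_after_detection(direct()))
```

The `static ... isakmp` line in the config posted further down keeps the client's source port at 500 on the outside, but the PIX still rewrites the source address, so `headend_view(PIX_OUTSIDE_IP, 500)` reports the sender behind NAT just the same; detection does not depend on the port being preserved. This is also why a 4.x client and a head-end that both support NAT-T (or Cisco's IPsec-over-UDP/TCP transport) work through a PIX with no passthrough-specific lines at all: after detection, everything the PIX sees is ordinary UDP or TCP.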
 
csimonds Commented:
You'll need a static IP for your PIX and both the inside and outside addresses of your company's PIX. That's how they find each other and set up the encryption.

--Chuck
 
csimonds Commented:
That's not very clear, is it... What I meant to say is you will need a static IP for your PIX and you will need to know both of the addresses on your company's PIX.

--Chuck
 
drobinson_92562 (Author) Commented:
Thanks for the responses.  My bust for leaving some info out.  I am a newbie at this.  I have the IP of my firewall and the firewall at work.  I am also using Cisco's VPN Client.  The version is 4.0.5.  I don't know the ports to open or the commands to use.  Here is my config.  Hopefully that will help out.  I will answer any questions you have.  Thanks in advance.  DAR

XXXXXXXX# sh star
: Saved
: Written by enable_15 at 19:41:44.479 PST Fri Nov 12 2004
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname XXXXXXXX
domain-name XXXXXXXX
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list bf_in permit tcp any any eq 29900
access-list bf_in permit tcp any any eq 28900
access-list bf_in permit udp any any range 14567 14570
access-list bf_in permit udp any any range 23000 23009
access-list bf_in permit udp any any eq 22000
access-list bf_in permit udp any any eq 27900
access-list bf_in permit udp any any eq 6515
access-list bf_in permit udp any any eq 6500
access-list bf_in permit icmp any any
access-list bf_in permit udp any any range 27005 27015
access-list bf_in permit tcp any any eq 2213
access-list bf_in permit udp any any eq 15567
access-list bf_in permit udp any any eq 15690
access-list bf_in permit udp any any eq 15667
access-list bf_in permit udp any any eq 14690
access-list bf_in permit tcp any any eq 6667
access-list bf_in permit tcp any any eq 3783
access-list bf_in permit tcp any any eq 29901
access-list bf_in permit tcp any any eq 13139
access-list bf_in permit esp any any
access-list bf_in permit ah any any
access-list bf_in permit udp any any eq isakmp
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside XXX.XXX.XXX.1 XXX.XXX.XXX.XXX
ip audit info action alarm
ip audit attack action alarm
pdm location XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX inside
pdm location XXX.XXX.XXX.3 XXX.XXX.XXX.XXX inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 27015 XXX.XXX.XXX.XXX 27015 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 27010 XXX.XXX.XXX.XXX 27010 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 27012 XXX.XXX.XXX.XXX 27012 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 27005 XXX.XXX.XXX.XXX 27005 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 14567 XXX.XXX.XXX.XXX 14567 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 14690 XXX.XXX.XXX.XXX 14690 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23000 XXX.XXX.XXX.XXX 23000 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23001 XXX.XXX.XXX.XXX 23001 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23002 XXX.XXX.XXX.XXX 23002 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23003 XXX.XXX.XXX.XXX 23003 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23004 XXX.XXX.XXX.XXX 23004 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23005 XXX.XXX.XXX.XXX 23005 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23006 XXX.XXX.XXX.XXX 23006 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23007 XXX.XXX.XXX.XXX 23007 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23008 XXX.XXX.XXX.XXX 23008 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 23009 XXX.XXX.XXX.XXX 23009 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 28900 XXX.XXX.XXX.XXX 28900 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 29900 XXX.XXX.XXX.XXX 29900 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 22000 XXX.XXX.XXX.XXX 22000 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 14568 XXX.XXX.XXX.XXX 14568 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 14569 XXX.XXX.XXX.XXX 14569 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 14570 XXX.XXX.XXX.XXX 14570 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 6515 XXX.XXX.XXX.XXX 6515 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 6500 XXX.XXX.XXX.XXX 6500 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 27900 XXX.XXX.XXX.XXX 27900 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 2213 XXX.XXX.XXX.XXX 2213 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 15567 XXX.XXX.XXX.XXX 15567 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 15690 XXX.XXX.XXX.XXX 15690 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface 15667 XXX.XXX.XXX.XXX 15667 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 6667 XXX.XXX.XXX.XXX 6667 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 3783 XXX.XXX.XXX.XXX 3783 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 29901 XXX.XXX.XXX.XXX 29901 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) tcp interface 13139 XXX.XXX.XXX.XXX 13139 netmask XXX.XXX.XXX.XXX 0 0
static (inside,outside) udp interface isakmp XXX.XXX.XXX.3 isakmp netmask XXX.XXX.XXX.XXX 0 0
access-group bf_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server XXX.XXX.XXX.XXX source outside
http server enable
http XXX.XXX.XXX.0 XXX.XXX.XXX.XXX inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet XXX.XXX.XXX.0 XXX.XXX.XXX.XXX inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX inside
dhcpd dns XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain anydomain.com
dhcpd enable inside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXX
XXXXXXXX#
 
lrmoore Commented:
If this is the PIX in front of your client, there is nothing else you need to add.
You can try:
   fixup protocol esp-ike

How about the config of the PIX at work?
 
drobinson_92562 (Author) Commented:
Thanks for all of your help!  Still not sure what the answer was though, because I tried the connection with both of LRMOORE's suggestions and it worked, and I removed each line, one at a time, and it worked.  Go figure.  I also don't know about the VPN device at work because, it's not too hard to figure out, I don't manage it.  I'd like to blow the whole thing away and see what is making it work, but that will have to wait for next weekend.

What lines in my config deal with VPN access?  I had heard that a few UDP ports and IP protocol ports had to be opened.

Thanks again!
 
lrmoore Commented:
These are the only lines that have anything to do with your VPN:
   >static (inside,outside) udp interface isakmp XXX.XXX.XXX.3 isakmp netmask XXX.XXX.XXX.XXX 0 0
That static is not even needed and it will restrict you to use just that one PC to make VPN connections out.
  >isakmp nat-traversal 20  <== permits multiple inside hosts to get out via VPN
  >fixup protocol esp-ike     <== permits tcp VPN connections to remote ends that do not support UDP

As long as the VPN client is on the inside of the PIX, there is virtually nothing that you need to configure. It's all up to the remote end.
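Added example, not from the thread: a small checker that reads PIX 6.x configuration lines of the kind posted above and reports the entries lrmoore singles out, so the same question ("which lines touch the VPN client, and what does each one do?") can be answered mechanically on a config before it is changed. The sample config is constructed to mirror the posted one with the redacted addresses replaced by private placeholders; the parser only understands the forms that appear on this page (interface-PAT statics, `any`-source access-list entries, `fixup protocol`, `isakmp nat-traversal`, `access-group`).

```python
import re

# Constructed sample in the shape of the config posted above, with the redacted
# addresses replaced by RFC 1918 placeholders. Not the poster's real config.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol esp-ike
access-list bf_in permit tcp any any eq 6667
access-list bf_in permit udp any any range 27005 27015
access-list bf_in permit esp any any
access-list bf_in permit ah any any
access-list bf_in permit udp any any eq isakmp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 6667 192.168.1.20 6667 netmask 255.255.255.255 0 0
static (inside,outside) udp interface isakmp 192.168.1.3 isakmp netmask 255.255.255.255 0 0
access-group bf_in in interface outside
isakmp nat-traversal 20
"""

PORT_NAMES = {"isakmp": 500, "pptp": 1723, "www": 80, "domain": 53}
# Only the forms used on this page: interface-PAT statics and 'any'-source ACL entries.
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (\S+)(?: (eq|range) (\S+)(?: (\S+))?)?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port(tok):
    """Numeric port or one of the PIX port keywords seen in the config."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_pix_config(text):
    cfg = {"fixups": set(), "nat_traversal": None, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("fixup protocol "):
            cfg["fixups"].add(line.split()[2])
        elif line.startswith("isakmp nat-traversal"):
            parts = line.split()
            cfg["nat_traversal"] = int(parts[2]) if len(parts) > 2 else 20  # keepalive seconds
        elif (m := STATIC_RE.match(line)):
            proto, oport, host, iport = m.groups()
            cfg["statics"].append({"proto": proto, "outside_port": port(oport),
                                   "host": host, "inside_port": port(iport)})
        elif (m := ACL_RE.match(line)):
            name, proto, src, dst, op, p1, p2 = m.groups()
            lo = hi = None
            if op == "eq":
                lo = hi = port(p1)
            elif op == "range":
                lo, hi = port(p1), port(p2)
            cfg["acls"].setdefault(name, []).append({"proto": proto, "src": src, "dst": dst, "lo": lo, "hi": hi})
        elif (m := GROUP_RE.match(line)):
            cfg["groups"][m.group(2)] = m.group(1)  # interface -> ACL applied inbound on it
    return cfg


def outside_permits(cfg, proto, p=None):
    """Entries of the ACL applied inbound on 'outside' that permit proto (and port p) from any source."""
    acl = cfg["acls"].get(cfg["groups"].get("outside"), [])
    return [e for e in acl if e["proto"] == proto and e["src"] == "any"
            and (p is None or (e["lo"] is not None and e["lo"] <= p <= e["hi"]))]


def vpn_passthrough_findings(cfg):
    """(code, explanation) pairs for the lines that matter to a VPN client behind the PIX."""
    out = []
    if "pptp" in cfg["fixups"]:
        out.append(("PPTP-FIXUP", "GRE for PPTP clients is tracked via the TCP/1723 control channel"))
    if "esp-ike" in cfg["fixups"]:
        out.append(("ESP-IKE-FIXUP", "ESP (IP protocol 50) can cross PAT, tracked against the IKE exchange"))
    if cfg["nat_traversal"] is not None:
        out.append(("NAT-T", f"NAT-T keepalive every {cfg['nat_traversal']} s on the PIX's own IKE peerings; "
                             "a client behind the PIX negotiates RFC 3947 NAT-T with the head-end itself"))
    for s in cfg["statics"]:
        if s["proto"] == "udp" and s["outside_port"] == 500:
            out.append(("ISAKMP-PINNED", f"UDP/500 on the outside interface is reserved for {s['host']}; "
                                         "other inside hosts get a PAT source port other than 500"))
            if outside_permits(cfg, "udp", 500):
                out.append(("ISAKMP-EXPOSED", f"{s['host']} accepts unsolicited IKE from any Internet host"))
    for proto in ("esp", "ah"):
        if outside_permits(cfg, proto):
            out.append(("NO-XLATE", f"inbound {proto} is permitted from any, but no static maps it to an inside "
                                    "host, so the entry creates no reachability; return traffic of an outbound "
                                    "tunnel is matched by connection state (esp-ike fixup) or arrives as UDP 4500"))
    return out


if __name__ == "__main__":
    for code, why in vpn_passthrough_findings(parse_pix_config(SAMPLE_CONFIG)):
        print(f"{code:15} {why}")
```

Run against the sample it reports the esp-ike fixup, the NAT-T keepalive, the pinned and Internet-reachable UDP/500 on the .3 host, and the two inert esp/ah permits; drop the `static ... isakmp` line from the input and the two ISAKMP findings disappear while everything else stays, which is the change the author ends up making.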
 
drobinson_92562 (Author) Commented:
LRMOORE,
You are totally right.  After I put both lines back into the config, it worked like a charm.  I removed the "static" just in case I need to VPN from another machine, but the .3 is the only one I have the client loaded on.  I should've given you an A.  Thanks again.