Configuring Cisco PIX 501 for VPN

Posted on 2004-11-18
Last Modified: 2013-11-16
I'm attempting to set up what I normally would consider a simple VPN using the PIX 501.  I tried running through the "VPN Wizard" and got thoroughly confused so it's time to pose the question to you.

I'm setting this up for a small business with about 10 remote users.  All clients are running Windows XP Pro SP2 and using the Cisco VPN Client v. 4.0.5.  The business has one Windows 2003 Domain controller that also doubles as an Exchange Server 2003.  With your help I've been able to allow OWA and SMTP mail through to the internal server, but need help setting up the VPN so the remote clients can access their network files, printers, etc from anywhere.

I want the VPN users to dynamically be assigned private (internal) addresses on the LAN and need them to be able to search AD resources, shares, etc.  Additionally they need to be able to access the public internet while simultaneously accessing the private network resources.

Some specifics:

Internal server IP:
PIX External IP:
internal domain name - x.corp
NETBIOS domain name - x-corp (some of this is likely irrelevant to the configuration, but just want to be specific)

Wasn't sure if XP SP2 would present any "gotchas" either.

Question by: yert69

    Accepted Solution

    Here's the reference link:

    Your config will look something like this. Notice I have used the link only as a guide and added a few entries.

    access-list 101 permit ip
    access-list 102 permit ip
    /- yes, I know all acls are identical. Each will be applied to a separate process

    ip local pool VPNPOOL
    nat (inside) 0 access-list 101
    sysopt connection permit-ipsec
    crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set MYSET
    crypto map mymap 10 ipsec-isakmp dynamic dynmap

    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 30
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup VPNUSERS address-pool VPNPOOL
    vpngroup VPNUSERS dns-server 192.168.1.x
    vpngroup VPNUSERS wins-server 192.168.1.z
    vpngroup VPNUSERS default-domain x.corp
    vpngroup VPNUSERS idle-time 1800
    vpngroup VPNUSERS password ********
    vpngroup VPNUSERS split-tunnel 102
    vpngroup VPNUSERS split-dns x.corp

    Some GOTCHAs...
    1) using 192.168.1.x as the inside LAN will give you some headaches. Go get yourself a big bottle of pain meds now. Why? Because if your intent is to support remote users, and these users have broadband at home with a router, chances are very high that their home local LAN will also be 192.168.1.x. They will be able to establish a VPN connection, but will not be able to send any traffic over the tunnel.
    2) NetBIOS broadcasts don't cross the VPN tunnel. Using WINS is highly suggested, or use an LMHOSTS and/or HOSTS file on each client.

    Expert Comment

    lrmoore, I would like to discuss something personal with you if you don't mind. Please email and I will let you know what I'm talking about...

    Author Comment

    I am not actually using 192.168.1.x for the private addresses, just used it for example.  I realize that WOULD be a nightmare.

    If I use WINS will I need to allow anything else through the PIX?

    Would you be able to explain the purpose of some (or all) of the config? I'm especially curious about the access-list lines and the 192.168.2.x part of the command in particular.

    Expert Comment

    I'll try. The document in the link provides more details...

    /-- setup pool of IPs for the VPN clients, not the same as your local LAN:
    ip local pool VPNPOOL

    /-- first access-list is applied to nat 0 - to bypass NAT between your local LAN and the VPN POOL addresses
    access-list 101 permit ip
    nat (inside) 0 access-list 101

    /-- second acl is applied to the VPN client for split-tunneling. Without this, your requirement for the client to continue normal internet browsing would not be possible.
    access-list 102 permit ip
    vpngroup VPNUSERS split-tunnel 102

    >If I use WINS will I need to allow anything else through the PIX?
    No, but I did forget one line in my first post. You'll need to add this:
        sysopt connection permit-ipsec
    That command basically permits all traffic between local LAN and VPN clients.
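As an added example (not code from the thread or from Cisco), the following Python checker takes a PIX config fragment of the shape given in the accepted solution and the explanation above and verifies the cross-references those posts rely on: the vpngroup address-pool names a defined ip local pool, the split-tunnel ACL exists, the nat 0 ACL covers the pool so NAT is bypassed, the pool does not sit inside the LAN, and the inside LAN does not collide with the home-router subnets from gotcha 1. The sample networks are hypothetical and the parser only understands the line forms shown on this page.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's config, with hypothetical
# networks filled in. Its address-pool line names a pool that is never defined.
SAMPLE_CONFIG = """
access-list 101 permit ip 10.10.0.0 255.255.255.0 10.10.99.0 255.255.255.0
access-list 102 permit ip 10.10.0.0 255.255.255.0 10.10.99.0 255.255.255.0
ip local pool VPNPOOL 10.10.99.1-10.10.99.50
nat (inside) 0 access-list 101
vpngroup VPNUSERS address-pool ippool
vpngroup VPNUSERS split-tunnel 102
"""
# Gotcha 1 from the thread: subnets that home broadband routers commonly use.
HOME_LANS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

def parse_pix(cfg):
    """Pull pools, ACL entries, the nat 0 ACL and vpngroup settings out of a PIX config."""
    pools, acls, group, nat0 = {}, {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                              ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0 = m[1]
        elif m := re.match(r"vpngroup \S+ (address-pool|split-tunnel) (\S+)", line):
            group[m[1]] = m[2]
    return pools, acls, group, nat0

def check_vpn_config(cfg):
    """Return a list of findings; an empty list means the references line up."""
    pools, acls, group, nat0 = parse_pix(cfg)
    findings = []
    pool = pools.get(group.get("address-pool"))
    if pool is None:
        findings.append(f"address-pool '{group.get('address-pool')}' is not a defined ip local pool")
    if group.get("split-tunnel") not in acls:
        findings.append(f"split-tunnel ACL '{group.get('split-tunnel')}' is not defined")
    for src, dst in acls.get(nat0, []):   # nat 0 ACL: inside LAN -> VPN pool, NAT bypassed
        if pool and not (pool[0] in dst and pool[1] in dst):
            findings.append(f"pool {pool[0]}-{pool[1]} is not covered by nat 0 destination {dst}")
        if pool and (pool[0] in src or pool[1] in src):
            findings.append(f"pool {pool[0]}-{pool[1]} overlaps the inside LAN {src}")
        for home in HOME_LANS:
            if src.overlaps(home):
                findings.append(f"inside LAN {src} collides with common home LAN {home} (gotcha 1)")
    return findings
```

Running check_vpn_config(SAMPLE_CONFIG) reports the undefined pool name; fixing that line yields no findings, and changing the inside LAN to 192.168.1.0/24 triggers the gotcha 1 warning.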

    Author Comment

    One more question . . .

    Can I set the VPNPOOL to assign a DNS server? If so, couldn't I specify one on the private network and thus have name resolution on Active Directory? The forwarders on that DNS server would then take care of internet requests, right? I'm asking because I'm not sure about this.

    Expert Comment

    Yes, that's what this line is for:
    >vpngroup VPNUSERS dns-server 192.168.1.x


    Expert Comment

    How's it going? Have you found a solution? Do you need more information?
    Can you close this question?

    Thanks for attending to this long-forgotten question.
