Configuring Cisco PIX 501 for VPN

I'm attempting to set up what I normally would consider a simple VPN using the PIX 501.  I tried running through the "VPN Wizard" and got thoroughly confused so it's time to pose the question to you.

I'm setting this up for a small business with about 10 remote users.  All clients are running Windows XP Pro SP2 and using the Cisco VPN Client v. 4.0.5.  The business has one Windows 2003 Domain controller that also doubles as an Exchange Server 2003.  With your help I've been able to allow OWA and SMTP mail through to the internal server, but need help setting up the VPN so the remote clients can access their network files, printers, etc from anywhere.

I want the VPN users to dynamically be assigned private (internal) addresses on the LAN and need them to be able to search AD resources, shares, etc.  Additionally they need to be able to access the public internet while simultaneously accessing the private network resources.

Some specifics:

Internal server IP: 192.168.1.10 255.255.255.0
PIX External IP:  60.102.157.115 255.255.255.240
internal domain name - x.corp
NETBIOS domain name - x-corp (some of this is likely irrelevant to the configuration, but just want to be specific)

Wasn't sure if XP SP2 would present any "gotchas" either.

yert69Asked:

lrmooreCommented:
Here's the reference link:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Your config will look something like this. Notice I have used the link only as a guide and added a few entries.

  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

/- yes, I know all acls are identical. Each will be applied to a separate process

  ip local pool VPNPOOL 192.168.2.100-192.168.2.200
  nat (inside) 0 access-list 101
  sysopt connection permit-ipsec
  crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10 set transform-set MYSET
  crypto map mymap 10 ipsec-isakmp dynamic dynmap

  crypto map mymap interface outside
  isakmp enable outside
  isakmp identity address
  isakmp nat-traversal 30
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash md5
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
!
  vpngroup VPNUSERS address-pool VPNPOOL
  vpngroup VPNUSERS dns-server 192.168.1.x
  vpngroup VPNUSERS wins-server 192.168.1.z
  vpngroup VPNUSERS default-domain x.corp
  vpngroup VPNUSERS idle-time 1800
  vpngroup VPNUSERS password ********
  vpngroup VPNUSERS split-tunnel 102
  vpngroup VPNUSERS split-dns x.corp

Some GOTCHAs...
1) Using 192.168.1.x as the inside LAN will give you some headaches. Go get yourself a big bottle of pain meds now. Why? Because if your intent is to support remote users, and these users have broadband at home with a router, chances are very high that their home local LAN will also be 192.168.1.x. They will be able to establish a VPN connection, but will not be able to send any traffic over the tunnel.
2) NetBIOS broadcasts don't cross the VPN tunnel. Using WINS is highly suggested, or use an LMHOSTS and/or HOSTS file on each client.
HousenetCommented:
lrmoore, I would like to discuss something personal with you if you don't mind. Please email mmaiato@kumatech.ca and I will let you know what I'm talking about...
yert69Author Commented:
I am not actually using 192.168.1.x for the private addresses, just used it for example.  I realize that WOULD be a nightmare.

If I use WINS will I need to allow anything else through the PIX?

Would you be able to explain the purpose of some (or all) of the config? I'm especially curious about the access-list lines, and the 192.168.2.x part of the command in particular.

lrmooreCommented:
I'll try. The document in the link provides more details...

/-- setup pool of IP's for the VPN clients, not the same as your local LAN:
  ip local pool VPNPOOL 192.168.2.100-192.168.2.200

/-- first access-list is applied to nat 0 - to bypass NAT between your local LAN and the VPN POOL addresses
  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  nat (inside) 0 access-list 101

/-- second acl is applied to the VPN client for split-tunneling. Without this, your requirement for the client to continue normal internet browsing would not be possible.
  access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  vpngroup VPNUSERS split-tunnel 102

>If I use WINS will I need to allow anything else through the PIX?
No, but I did forget one line in my first post. You'll need to add this:
  sysopt connection permit-ipsec
That command basically permits all traffic between local LAN and VPN clients.
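The config above only works when its pieces reference each other consistently: the vpngroup must name a pool that `ip local pool` actually defines, the split-tunnel and nat 0 statements must name ACLs that exist, the pool must sit inside the nat 0 ACL's destination network, and (gotcha 1 from the earlier post) neither the pool nor a client's home LAN may overlap the inside LAN. The checker below is an added example, not part of the thread or any Cisco tool; it parses a constructed config modelled on the posted snippet (with the pool reference deliberately left as `ippool` while the pool is defined as `VPNPOOL`, and a sample DNS server address) and reports those mismatches, plus the home-LAN overlap for a client LAN you pass in. Regexes, function names and the sample config are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample config, modelled on the thread's snippet. The pool is
# defined as VPNPOOL but referenced as "ippool" so the checker has something
# to find; the dns-server address is a constructed placeholder.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool VPNPOOL 192.168.2.100-192.168.2.200
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
vpngroup VPNUSERS address-pool ippool
vpngroup VPNUSERS dns-server 192.168.1.10
vpngroup VPNUSERS split-tunnel 102
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)$")
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)$")
VPNGROUP_RE = re.compile(r"vpngroup (\S+) (\S+)(?: (.+))?$")


def parse_pix(config):
    """Pull out the statements that tie a PIX remote-access VPN together."""
    parsed = {"pools": {}, "acls": {}, "vpngroups": {}, "nat0": None}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := POOL_RE.match(line):
            first, last = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            # A pool range rarely aligns to a prefix; store the covering networks.
            parsed["pools"][m[1]] = list(ipaddress.summarize_address_range(first, last))
        elif m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            parsed["acls"].setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            parsed["nat0"] = m[1]
        elif m := VPNGROUP_RE.match(line):
            parsed["vpngroups"].setdefault(m[1], {})[m[2]] = m[3]
    return parsed


def _overlaps(nets_a, nets_b):
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


def check_config(parsed, client_lan=None):
    """Return human-readable findings: dangling references and address overlaps."""
    findings = []
    # Source networks of the permit statements are the inside LAN(s).
    inside_nets = [src for entries in parsed["acls"].values() for src, _ in entries]

    for group, attrs in parsed["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool not in parsed["pools"]:
            findings.append(f"{group}: address-pool '{pool}' matches no 'ip local pool'")
        acl = attrs.get("split-tunnel")
        if acl is not None and acl not in parsed["acls"]:
            findings.append(f"{group}: split-tunnel access-list {acl} is not defined")

    nat0 = parsed["nat0"]
    if nat0 is not None and nat0 not in parsed["acls"]:
        findings.append(f"nat (inside) 0 references undefined access-list {nat0}")

    for name, pool_nets in parsed["pools"].items():
        if _overlaps(pool_nets, inside_nets):
            findings.append(f"pool {name} overlaps the inside LAN; clients cannot be routed")
        # LAN -> pool traffic must hit the nat 0 ACL, or it gets NATed
        # and never returns through the tunnel.
        if nat0 in parsed["acls"]:
            dst_nets = [dst for _, dst in parsed["acls"][nat0]]
            if not all(any(p.subnet_of(d) for d in dst_nets) for p in pool_nets):
                findings.append(f"pool {name} is not covered by nat 0 access-list {nat0}")

    if client_lan is not None:
        lan = ipaddress.ip_network(client_lan, strict=False)
        if _overlaps([lan], inside_nets):
            findings.append(f"client LAN {lan} overlaps the inside LAN; tunnel carries no traffic")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_pix(SAMPLE_CONFIG), client_lan="192.168.1.0/24"):
        print("FINDING:", finding)
```

Run against the sample it reports the `ippool` reference and the home-LAN overlap; change the vpngroup line to `address-pool VPNPOOL` and pass a client LAN such as `10.0.0.0/24` and it reports nothing. The same check is worth running before handing a client a laptop, since the overlap in gotcha 1 produces a tunnel that comes up and then silently carries nothing.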
yert69Author Commented:
One more question . . .

Can I set the VPNPOOL to assign a DNS server?  If so, couldn't I specify one on the private network and thus have name resolution on Active Directory?  The forwarders on that DNS server would then take care of internet requests, right?  I'm asking because I'm not sure about this.  
lrmooreCommented:
Yes, that's what this line is for:
>vpngroup VPNUSERS dns-server 192.168.1.x

lrmooreCommented:
How's it going? Have you found a solution? Do you need more information?
Can you close this question?

http://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this long-forgotten question.

<-8}