

Configuring Cisco PIX 501 for VPN

Posted on 2004-11-18
Medium Priority
Last Modified: 2013-11-16
I'm attempting to set up what I normally would consider a simple VPN using the PIX 501.  I tried running through the "VPN Wizard" and got thoroughly confused so it's time to pose the question to you.

I'm setting this up for a small business with about 10 remote users.  All clients are running Windows XP Pro SP2 and using the Cisco VPN Client v. 4.0.5.  The business has one Windows 2003 Domain controller that also doubles as an Exchange Server 2003.  With your help I've been able to allow OWA and SMTP mail through to the internal server, but need help setting up the VPN so the remote clients can access their network files, printers, etc from anywhere.

I want the VPN users to dynamically be assigned private (internal) addresses on the LAN and need them to be able to search AD resources, shares, etc.  Additionally they need to be able to access the public internet while simultaneously accessing the private network resources.

Some specifics:

Internal server IP:
PIX External IP:
internal domain name - x.corp
NETBIOS domain name - x-corp (some of this is likely irrelevant to the configuration, but just want to be specific)

Wasn't sure if XP SP2 would present any "gotchas" either.

Question by:yert69
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 12620029
Here's the reference link:

Your config will look something like this. Notice I have used the link only as a guide and added a few entries.

  access-list 101 permit ip
  access-list 102 permit ip
  /- yes, I know all acls are identical. Each will be applied to a separate process

  ip local pool VPNPOOL
  nat (inside) 0 access-list 101
  sysopt connection permit-ipsec
  crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
  crypto dynamic-map dynmap 10 set transform-set MYSET
  crypto map mymap 10 ipsec-isakmp dynamic dynmap

  crypto map mymap interface outside
  isakmp enable outside
  isakmp identity address
  isakmp nat-traversal 30
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash md5
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  /- the pool name here must match the "ip local pool" name defined above
  vpngroup VPNUSERS address-pool VPNPOOL
  vpngroup VPNUSERS dns-server 192.168.1.x
  vpngroup VPNUSERS wins-server 192.168.1.z
  vpngroup VPNUSERS default-domain x.corp
  vpngroup VPNUSERS idle-time 1800
  vpngroup VPNUSERS password ********
  vpngroup VPNUSERS split-tunnel 102
  vpngroup VPNUSERS split-dns x.corp

Some GOTCHAs...
1) Using 192.168.1.x as the inside LAN will give you some headaches. Go get yourself a big bottle of pain meds now. Why? Because if your intent is to support remote users, and these users have broadband at home with a router, chances are very high that their home local LAN will also be 192.168.1.x. They will be able to establish a VPN connection, but will not be able to send any traffic over the tunnel.
2) NetBIOS broadcasts don't cross the VPN tunnel. Using WINS is highly suggested, or use an LMHOSTS and/or HOSTS file on each client.
LVL 12

Expert Comment

ID: 12620190
lrmoore, I would like to discuss something personal with you if you don't mind. Please email mmaiato@kumatech.ca and I will let you know what I'm talking about...

Author Comment

ID: 12621526
I am not actually using 192.168.1.x for the private addresses, just used it for example.  I realize that WOULD be a nightmare.

If I use WINS will I need to allow anything else through the PIX?

Would you be able to explain the purpose of some (or all) of the config?  I'm especially curious about the access-list lines and the 192.168.2.x part of the command in particular.

LVL 79

Expert Comment

ID: 12621679
I'll try. The document in the link provides more details...

/-- setup pool of IP's for the VPN clients, not the same as your local LAN:
  ip local pool VPNPOOL

/-- first access-list is applied to nat 0 - to bypass NAT between your local LAN and the VPN POOL addresses
  access-list 101 permit ip
  nat (inside) 0 access-list 101

/-- second acl is applied to the VPN client for split-tunneling. Without this, your requirement for the client to continue normal internet browsing would not be possible..
  access-list 102 permit ip
  vpngroup VPNUSERS split-tunnel 102

>If I use WINS will I need to allow anything else through the PIX?
No, but I did forget one line in my first post. You'll need to add this:
  sysopt connection permit-ipsec
That command basically permits all traffic between local LAN and VPN clients.
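The two posts above (the accepted configuration and this explanation of the nat 0 / split-tunnel ACLs) describe several ways a PIX 6.x remote-access config silently breaks: a VPN pool or inside LAN that collides with a home-router subnet, a vpngroup that references a pool or access-list by a name that was never defined, and a missing nat 0 or sysopt line. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses just the handful of commands used here and reports those conditions. The sample config is constructed, with made-up addresses filling in the blanks the posts left, and deliberately contains two of the mistakes (inside LAN on 192.168.1.0/24, and `address-pool ippool` while the pool is named `VPNPOOL`).

```python
"""Lint a PIX 6.x remote-access VPN config for the gotchas raised in this thread.

Added example, not from the original post. Parses only the commands the thread
uses (ip address inside, access-list, ip local pool, nat 0, sysopt, vpngroup).
"""
import ipaddress

# Constructed sample: the thread's skeleton with made-up addresses filled in.
# It intentionally has an inside LAN on 192.168.1.0/24 and a vpngroup that
# references 'ippool' although the pool is defined as 'VPNPOOL'.
SAMPLE_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool VPNPOOL 192.168.2.1-192.168.2.50
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
vpngroup VPNUSERS address-pool ippool
vpngroup VPNUSERS split-tunnel 102
vpngroup VPNUSERS dns-server 192.168.1.10
"""

# Subnets consumer routers commonly hand out (assumption for this example); an
# inside LAN or VPN pool on one of these collides with a remote user's home LAN.
HOME_LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def _net(tokens, i):
    """Consume one ACL address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return a dict of the inside LAN, ACL entries, pools, nat 0 ACL, sysopt and vpngroups."""
    cfg = {"inside": None, "acls": {}, "pools": {}, "nat0_acl": None,
           "vpngroups": {}, "permit_ipsec": False}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif t[0] == "access-list" and len(t) > 4 and t[2] == "permit":
            src, i = _net(t, 4)          # t[3] is the protocol ('ip')
            dst, _ = _net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
        elif t[0] == "vpngroup":
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3:]
    return cfg


def _overlaps(pool, net):
    """True if the address range (lo, hi) shares any address with net."""
    lo, hi = pool
    return not (hi < net.network_address or lo > net.broadcast_address)


def lint(cfg):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    inside = cfg["inside"]
    if inside is not None and any(inside.overlaps(n) for n in HOME_LAN_NETS):
        findings.append(f"inside LAN {inside} is a common home-router subnet; "
                        "remote users on the same subnet cannot route over the tunnel")
    for name, pool in cfg["pools"].items():
        if inside is not None and _overlaps(pool, inside):
            findings.append(f"pool {name} overlaps the inside LAN {inside}")
        for n in HOME_LAN_NETS:
            if _overlaps(pool, n):
                findings.append(f"pool {name} overlaps common home subnet {n}")
    nat0 = cfg["nat0_acl"]
    if nat0 is None:
        findings.append("no 'nat (inside) 0 access-list' line: LAN-to-VPN traffic will be NATed")
    elif nat0 not in cfg["acls"]:
        findings.append(f"nat 0 references undefined access-list {nat0}")
    elif inside is not None and not any(src.overlaps(inside) for src, _ in cfg["acls"][nat0]):
        findings.append(f"nat 0 access-list {nat0} does not cover the inside LAN {inside}")
    if not cfg["permit_ipsec"]:
        findings.append("missing 'sysopt connection permit-ipsec'")
    for group, attrs in cfg["vpngroups"].items():
        pool_ref = attrs.get("address-pool", [None])[0]
        if pool_ref not in cfg["pools"]:
            findings.append(f"vpngroup {group} address-pool '{pool_ref}' is not a defined pool")
        acl_ref = attrs.get("split-tunnel", [None])[0]
        if acl_ref is None:
            findings.append(f"vpngroup {group} has no split-tunnel ACL: all client traffic goes through the tunnel")
        elif acl_ref not in cfg["acls"]:
            findings.append(f"vpngroup {group} split-tunnel references undefined access-list {acl_ref}")
        elif any(src.prefixlen == 0 for src, _ in cfg["acls"][acl_ref]):
            findings.append(f"access-list {acl_ref} uses 'any' as source, which defeats split tunneling")
    return findings


if __name__ == "__main__":
    for f in lint(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", f)
```

Run against the constructed sample it reports exactly the two planted problems; changing the inside LAN to a less common subnet and correcting the pool name to `VPNPOOL` produces no findings. The pool-name check matters in practice because the PIX accepts a `vpngroup ... address-pool` line whose name matches nothing, and the symptom (clients authenticate but get no address) looks like a client problem rather than a config typo.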

Author Comment

ID: 12621788
One more question . . .

Can I set the VPNPOOL to assign a DNS server?  If so, couldn't I specify one on the private network and thus have name resolution on Active Directory?  The forwarders on that DNS server would then take care of internet requests, right?  I'm asking because I'm not sure about this.
LVL 79

Expert Comment

ID: 12621972
Yes, that's what this line is for:
>vpngroup VPNUSERS dns-server 192.168.1.x

LVL 79

Expert Comment

ID: 13703186
How's it going? Have you found a solution? Do you need more information?
Can you close this question?


Thanks for attending to this long-forgotten question.

