Solved

Is there a basic setup using the VPN wizard for the Cisco pix 506e

Posted on 2005-04-07
Last Modified: 2013-11-16
This works but then read what I put at the end. Thanks



Stepping through the Wizard:
  Select type: Remote Access VPN
   Select interface: outside
Next
 * Cisco VPN client
Next
  Group Name:  MYVPNGROUP
  * Pre shared key
      mygrouppassword
      mygrouppassword
Next
  Enable Extended Client Authentication  <== uncheck this box
  nothing is checked on this page
Next
 Pool name:  MYVPNPOOL
  Range start:  192.168.22.1
           end:     192.168.22.22
Next
  Fill in your local primary DNS server, WINS server and default domain name
Next
 Select:  3DES |  MD5  | Group2(1024bit)
Next
 3DES  | MD5
Next
  Host/Network
  *ip address
    Interface inside
    ip address 192.168.1.0  <== whatever is your local LAN
    mask: 255.255.255.0
 Add >>
  X Enable split tunneling
Finish

When you set up the client:
New Entry
  Connection:  <whatever>
  Descript:  <whatever>
  Host:  OUTSIDE IP of PIX
Authentication
  * Group auth
       Name: MYVPNGROUP
       Pass:  mygrouppassword
       Confirm: mygrouppassword
Transport Tab
  X Enable Transparent Tunneling
     * IpSec over UDP (NAT/PAT)
Save
Connect

You should not see another username/password prompt again. It should just connect straight away.
You may have to enable NAT Traversal.
From the Main GUI window, VPN tab
  IKE
     Policies
        Right about the center of the window there is a checkbox
                                     [X] Enable NAT traversal
       Apply
        Save

Done


Thank you, you definitely have me on the right track. However, setting it up with your config it worked fine until I change something and then nothing will work. I have to completely reset the 506/E and then run the VPN wizard again using your config and it will connect. I tried changing the IP address pool to mine with your config and then it won't work. If I try to go back to your pool it still won't work. I again have to completely reset the 506/E and then run the wizard again. It seems like if I change anything I then have to go back and reset the Pix and start over.
Question by:itspecearthlink
LVL 79

Expert Comment

by:lrmoore
ID: 13731580
So, if you run the wizard, but change the pool to something else, like 192.168.1.18 192.168.1.99, then it won't work?
I just pulled arbitrary numbers out of a hat for the example.
It does not like it if you try to use the pool from the same subnet as your local lan.
If you want to change it after you run the wizard, it is best to do it from the command line. This way you can remove the crypto map from the interface, make your changes, then reapply the map to the interface.

If you start fresh from the top with your own ip pool, group name and password, then it won't work?
If you change it on the PIX, then you have to change it on the client, too.

If it works just this way, why change it?
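
A pre-change check for the pool/LAN overlap described in the comment above, as an added example that is not part of the original thread: it parses `ip address` and `ip local pool` lines from a saved configuration and reports any pool that overlaps an interface subnet. It assumes PIX 6.x-style line formats; the sample config, the `BADPOOL` name and the outside address are constructed for illustration.

```python
import ipaddress
import re

# Constructed PIX 6.x-style excerpt (not from a real device). BADPOOL reproduces
# the failing case from the thread: a VPN pool taken from the inside LAN subnet.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool MYVPNPOOL 192.168.22.1-192.168.22.22
ip local pool BADPOOL 192.168.1.18-192.168.1.99
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """Return ({interface: network}, {pool: (first, last)}) from config text."""
    networks, pools = {}, {}
    for line in map(str.strip, text.splitlines()):
        m = IFACE_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            networks[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return networks, pools


def overlapping_pools(text):
    """List (pool, interface) pairs where the pool range touches the interface subnet."""
    networks, pools = parse_config(text)
    hits = []
    for pool, (first, last) in pools.items():
        if first > last:
            raise ValueError(f"pool {pool}: start address is above end address")
        for iface, net in networks.items():
            # Two ranges overlap when each one starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, iface))
    return hits


if __name__ == "__main__":
    for pool, iface in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps the subnet on interface {iface}")
```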


Author Comment

by:itspecearthlink
ID: 13731853
Thanks, makes sense. And yes, I was using a pool from the same subnet as the local LAN.
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 14354280
Are you still working on this?
Have you found a solution?
Do you need more information?

This question will be classified as abandoned soon if we don't get some feedback from you.

Can you close out this question? See here for details:
http://www.experts-exchange.com/help.jsp#hs5

Thanks for your attention!

Expert Comment

by:jburbach
ID: 15049506
I am doing the same thing above with a 501 Pix. I am trying to create a VPN connection with the wizard. I have followed the steps above and I still get a 412 error VPN, the local peer is no longer responding. Can I not connect from inside my network? Do I have to be remote?

Thanks
Jon
LVL 79

Expert Comment

by:lrmoore
ID: 15051515
Jon,
You should post your own question, but the answer is simple. Yes, you must actually be physically remote. You cannot connect to the outside interface from inside your network to test.

Author Comment

by:itspecearthlink
ID: 15051599
Sorry... Yes, the above solved my problem and I am able to connect with no problem.