Cisco Pix 506 VPN configuration

I have a Pix 506 and do not know how to configure it for VPN. I want to set it up to accept a VPN connection from a Windows XP machine. I also cannot get it to accept a new telnet password. I am a beginner with this so I will need it spelled out for me. If someone could type out exactly what I need to put in so I can just cut and paste, that would be great. Here is a copy of my config. If you need any other info just let me know.


pix# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd wNw/yxvDZ.Np6tCu encrypted
hostname pix
domain-name unknown.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.0.2-192.168.0.252 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.0.2 192.168.1.50 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.3 192.168.1.51 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.10 192.168.1.2 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.2 eq 3389 any
conduit permit tcp host 192.168.0.3 eq 3389 any
conduit permit tcp host 192.168.0.10 eq 5900 any
conduit permit tcp host 192.168.0.10 eq 5800 any
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3ee43e3ac3ead508c1af41d971a7d738
: end
pix#
riverraidAsked:

periferralCommented:
I highly recommend you download and install PIX Device Manager on your PIX. Once installed you need to enable the HTTP server and a host that can access the PIX using PDM. PDM is a UI to manage the PIX. It has a VPN wizard that can guide you step by step to configure your device.
It is a free download from the Cisco website.
harbor235Commented:
You will also need to download the Cisco easyvpn client software for your XP machine. Here are some good docs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

harbor235 ;}
OMongeCommented:
Hello there,
In order to allow the inbound traffic from a Windows VPN client, you'd need to open a few ports:

access-list inbound permit gre any any
access-list inbound permit tcp any <public ip add> eq pptp

access-group inbound in interface outside

I hope this helps,

Greets,
OMonge.

riverraidAuthor Commented:
I have the PDM software installed on the Pix but cannot seem to access it once I put it in line. I also was never able to access it from any machine on this network. I was only able to access it from my personal laptop. I also had the same password problems when I was going through the PDM. Any ideas why the PDM will not work from these machines?
chchuaCommented:
Hi Riverraid,
The PIX has a security control that only allows some IPs (or all IPs if you specify 0.0.0.0 0.0.0.0) to access PDM.
I don't see a command called "http <IP address> <Subnet> <Interface>" in your config.
For the moment, if you need to allow any of the PCs in the 192.168.1.0 segment to access PDM, please key in the command "http 192.168.1.0 255.255.255.0 inside" in your config via console or telnet. Then try again with PDM.

Cheers.
chchua
riverraidAuthor Commented:
I added that line but it is still no go. I type in https://192.168.1.1 and it should start loading the PDM, right?
chchuaCommented:
Yes, if you are in the LAN. Oops, I didn't see the command "http server enable" in your config. Please check if it is in. If I am not mistaken, you mentioned you managed to use the PDM with your laptop?
chchuaCommented:
Yup, you didn't mention that. Anyway, make sure you have "http server enable" and "http <lan IP> <subnet> inside". Then it will work.
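As an added example (not chchua's own text), the management-access lines the posted config is missing, written in PIX 6.3 CLI and assuming the administrator's workstation is 192.168.1.100. The thread's `http 192.168.1.0 255.255.255.0 inside` works too; narrowing it to one host is the safer form, and the same applies to CLI access.

```cisco
! Embedded HTTPS server used by PDM; without it https://192.168.1.1 never answers
http server enable
! Permit PDM only from the admin workstation (assumed 192.168.1.100), not all of 192.168.1.0/24
http 192.168.1.100 255.255.255.255 inside
! Login password for telnet/SSH sessions (PDM takes the enable password with a blank username)
passwd <new-login-password>
! Prefer SSH over telnet for CLI access; SSH needs an RSA key, which needs hostname and
! domain-name to be set (both are already present in the posted config)
ca generate rsa key 1024
ca save all
ssh 192.168.1.100 255.255.255.255 inside
! Save to flash so the settings survive a reload
write memory
```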
riverraidAuthor Commented:
That worked, but I did not have the username and password. What are the default username and password?
chchuaCommented:
Have you got an enable password yet? Then just key in the enable password (no username needed).
chchuaCommented:
If you don't use any password when consoling in, just leave the username and password empty.
riverraidAuthor Commented:
I got in, but now it loads the initial "Loading PIX Device Manager, Please Wait" and then never goes anywhere. Any ideas why this happens?
chchuaCommented:
Either your Microsoft virtual machine is not working or the Java runtime is not compatible. Try downloading Java from this link.

http://www.java.com/en/download/index.jsp

chchua
Cheers
riverraidAuthor Commented:
The Java download almost worked. Now I get an error at the bottom of the PDM window that says "exception: java.security.AccessControlException: access denied (java.util.PropertyPermission java.version read." What is the next step?
chchuaCommented:
May I know what your PDM version is? (Not the PIX OS version.)
FYI, PDM version 3.02 is not compatible with Java 1.5.

Two ways to solve this error:
1) Upgrade your PDM to the latest version, like PDM version 3.04
2) Downgrade the Java runtime to 1.4.1_04 or any 1.4 version from http://java.sun.com/products/archive/j2se/1.4.1_07/

You are almost there friend.
Cheers
chchua
periferralCommented:
Yeah, definitely some mismatch with the Java version. All versions of PDM should work fine with the latest Java version of the 1.4 series.

chchuaCommented:
Hi Riverraid,
So far, is everything going fine? Let me know if I can help. If everything is as per your expectation and starts to work, please accept my answer. Appreciated.

cheer
chchua

riverraidAuthor Commented:
I will be trying tonight and I will let you know.
riverraidAuthor Commented:
How do I upgrade the PDM version?
periferralCommented:
Did you already download the latest version from the Cisco website? If not, it's a free download from Cisco.
Once you've downloaded it, put it on your TFTP server, then open the PIX console and type

copy tftp://<tftp_ip_address>/<name_of_pdmimage> flash:pdm

You should see the TFTP transfer begin.
Once done, you don't need to reload. Just fire up the browser and HTTPS to the PIX IP address.
OMongeCommented:
Actually, the easiest way to do a PDM upgrade will be:

- Download a TFTP server application from http://tftpd32.jounin.net 
- Go to Cisco's website and download the image PDM-304.bin (http://www.cisco.com/cgi-bin/tablebuild.pl/pix)
- Put the image under the root directory of the TFTP server
- Check connectivity to the inside interface of the PIX: ping the inside interface; if successful, check the next point.
- On the PIX, issue the command: copy tftp flash:pdm
- When it prompts you for the server IP address, type in the address of the TFTP server
- When it prompts you for the file name, type in <filename>.bin
- Proceed? Type in Ok.

Greets,

OMonge.
riverraidAuthor Commented:
I do not have the proper access to get the newer PDM version, so I downgraded the Java version and it worked. I am going to run the VPN wizard tomorrow, but I will go ahead and give you the points, chchua.
riverraidAuthor Commented:
Any last recommendations on the VPN wizard?
chchuaCommented:
The VPN wizard is quite straightforward; it is designed to make your VPN setup easier. Even my first-time customers can create a VPN via the wizard.

For site to site:
1) Make sure the peer IP of the remote site is correct.
2) Make sure both sites choose identical IKE and IPSec policies (MD5, SHA, ...).
3) Choose or key in the correct internal network you want to protect.
4) Choose or key in the correct remote network subnet you want to protect.

For the Cisco VPN client:
1) Make sure to choose the correct version of the client you intend to use (normally it will be the first one, which is Cisco VPN client version 3.0 and above).
2) For the IKE and IPSec policy, you may decide the combination; the VPN client program will follow the policy you choose.
3) Give an IP pool. (Preferably different from the LAN subnet; sometimes a customer requires me to use part of the internal IP range, and it works too.)
4) OK, here it is a bit tricky: choose the correct internal network which you would like the VPN client to see. At the bottom of this page there is an option about "Split tunnel"; you will choose this option if you need your VPN client to access the internet at the same time as the VPN tunnel.

Last but not least, if your VPN client is NATed or PATed behind a router like a wireless broadband router, DSL router, etc., go to the VPN tab of PDM, select IKE Policy, and make sure "NAT Traversal" is selected.

Well, I think all this is quite close to helping you get it to work (although there is a lot more story to tell, I keep it simple and make sure it works; that's more important).
Anyway, my pleasure to help you. Let me know if you need more info.

Cheers
Chchua.
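As an added example (not from any post in this thread), the PIX 6.3 CLI equivalent of what chchua's Cisco VPN client wizard steps produce: an IKE/IPsec policy, an address pool outside the LAN subnet, the protected internal network, and NAT traversal. The names (vpnpool, remoteusers, dynmap, clientmap, the 192.168.2.0/24 pool, user vpnuser) and the secret placeholders are assumptions, not values from the page.

```cisco
! IKE (phase 1) policy offered to the client: pre-shared group key plus XAUTH user login
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT traversal: clients behind a home router are PATed, so ESP is carried in UDP 4500
isakmp nat-traversal 20
! IPsec (phase 2) proposal the client must match
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
! Hand the client a pool address and require a per-user XAUTH login against the LOCAL database
crypto map clientmap client configuration address respond
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside
! Pool deliberately outside the 192.168.1.0/24 LAN so routing and NAT exemption stay unambiguous
ip local pool vpnpool 192.168.2.1-192.168.2.50
! Do not NAT LAN<->client traffic (the posted config NATs everything through nat (inside) 1)
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic bypass the interface conduits, so no conduit for the pool is needed
sysopt connection permit-ipsec
! Group the client connects to; the group password is the IKE pre-shared key
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <GROUP-PRESHARED-KEY>
! Split tunnel is left off: all client traffic goes through the tunnel while connected.
! Enable it only if remote users must reach the internet directly at the same time:
!   access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!   vpngroup remoteusers split-tunnel split_tunnel
! Per-user XAUTH credentials in the LOCAL database
username vpnuser password <USER-PASSWORD> privilege 2
write memory
```

The posted outside interface is a private address (192.168.0.1 with its default route to 192.168.0.254), so the upstream device must also pass UDP 500 and 4500 to the PIX for clients to reach it.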
riverraidAuthor Commented:
Can anyone tell me where I can get a copy of the Cisco VPN client, since I cannot log into Cisco and download it?