Cisco PIX 515e 7.0(1) VPN Server to Remote Cisco VPN Client 4.8

Hello,

Can anyone tell me how to setup a VPN service from a PIX 515e running 7.0(1) to a cisco vpn client.  I've never used a PIX before.  I've tried many solutions from the internet but most of them have variations of what I don't really need.  I simply want to access the internal lan 10.0.0.0/24 from an external lan 192.168.0.0/24.  I'm doing this for a school project but I'm confused.  I need the complete pix config from scratch.  The client host is running windows xp pro sp2...and the internal host is running windows 2003.  I also have another question...Do I need a router between the pix and the remote client or can I use just the pix for simplicity.

-Rene Enriquez
enriquez_reneAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

td_milesCommented:
I would suggest you follow the sample config at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

It has both a VPN client part and a PIX-to-PIX tunnel as well. If you configure exactly as is, then it will still work with the client anyway. See how you go, ask questions if you need to.
enriquez_reneAuthor Commented:
i'm way ahead of u dude but ive tried this lab and i got an error saying: creating secure channel then it disconnects...so far this is the only lab that i actually got a lil progress from...it at least did try to create the connection...
td_milesCommented:
ok, time to get you to post a copy of your config and we'll have a look at it.
Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

enriquez_reneAuthor Commented:
i'll post it tommarow when i'm in class.  thanks for replying td miles
enriquez_reneAuthor Commented:
I went ahead and dropped the class because my instructor wasnt really instructing...i'll give you the points nevertheless for trying to help me...can you help me setup my personal cisco 871w router to allow vpn access?  i have the config for that...i used the gui to do most of the work except for the static maps of some ports going thru nat.  here's the config:


sh run
Building configuration...

Current configuration : 6242 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname shyfire
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$XOX8$dNIiIxK9E5u4WyMMV7QQo0
!
username shyfire privilege 15 secret 5 $1$P7Vy$ai5FzuNL1de/2/3A5Xwcc.
clock timezone PCTime -8
 --More--         clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 68.87.66.196 68.87.76.178
   default-router 10.10.10.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
 --More--         ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name bounceme.net
ip name-server 68.87.66.196
ip name-server 68.87.76.178
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
 --More--         !
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group shyfire
 key rehndawg
 dns 68.87.66.196 68.87.76.178
 domain reneshome.com
 pool SDM_POOL_1
 acl 102
 include-local-lan
!
 --More--         !
crypto ipsec transform-set transform esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set transform
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
 --More--         interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
 --More--         !
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 --More--          ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 30.30.30.1 30.30.30.20
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.10.10.2 443 interface FastEthernet4 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
 --More--         access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip host 10.10.10.0 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.1
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.2
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.3
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.4
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.5
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.6
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.7
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.8
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.9
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.10
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.11
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.12
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.13
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.14
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.15
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.16
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.17
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.18
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.19
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.20
 --More--         access-list 103 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 transport preferred all
 transport input telnet ssh
 transport output all
!
 --More--         scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

shyfire#sh run  
Building configuration...

Current configuration : 6410 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname shyfire
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$XOX8$dNIiIxK9E5u4WyMMV7QQo0
!
username shyfire privilege 15 secret 5 $1$P7Vy$ai5FzuNL1de/2/3A5Xwcc.
clock timezone PCTime -8
 --More--         clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
 --More--         aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 68.87.66.196 68.87.76.178
   default-router 10.10.10.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
 --More--         ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name bounceme.net
ip name-server 68.87.66.196
ip name-server 68.87.76.178
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
 --More--         !
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group shyfire
 key rehndawg
 dns 68.87.66.196 68.87.76.178
 domain reneshome.com
 pool SDM_POOL_1
 acl 102
 include-local-lan
!
!
 --More--         crypto ipsec transform-set transform esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set transform
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 --More--          no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
 --More--         interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 --More--         !
ip local pool SDM_POOL_1 30.30.30.1 30.30.30.20
ip classless
!
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.2 80 interface FastEthernet4 80
ip nat inside source static tcp 10.10.10.2 8090 interface FastEthernet4 8090
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.10.10.2 443 interface FastEthernet4 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
 --More--         access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip host 10.10.10.0 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.1
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.2
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.3
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.4
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.5
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.6
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.7
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.8
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.9
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.10
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.11
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.12
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.13
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.14
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.15
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.16
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.17
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.18
 --More--         access-list 103 deny   ip host 10.10.10.0 host 30.30.30.19
access-list 103 deny   ip host 10.10.10.0 host 30.30.30.20
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 transport preferred all
 transport input telnet ssh
 --More--          transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

shyfire#
td_milesCommented:
the config looks fairly good from the crypto side of things. A couple of points:

1. You probably shouldn't use 30.30.30.x for your VPN IP addresses. It's not going to stop it from working, but you should use the RFC private IP address ranges for this.
2. Your FastEthernet4 interface is shutdown, use the following commands to enable it:

conf t
int fa4
no shutdown

3. You access-group 101 inbound on your fa4 interface, but no acl 101 ?
4. You should disable route cacheing on your fa4 interface:

 no ip route-cache
 no ip mroute-cache

Make these changes, and see how you go. Try to connect with VPN client and see what happens.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware

From novice to tech pro — start learning today.