PIX to PIX v 5.1.5 and VPN Client

I currently have a L2L VPN going using two PIX 520s.  I need to know how to add VPN Clients to the picture.  I am also using PIX OS version 5.1(5).  I have been doing considerable reading on Cisco's website and EE but this is all too confusing.  What are my options and how would I go about configuring what I need?  Thank you for your assistance in advance.
dnguyen81 asked:

nodisco commented:
Hi there

5.1(5) is quite an old software image - have you got CCO to download a later version?

Here is a doc re setting up an IPSec tunnel with a vpn client also attached.  Note that PIX firewalls do not redirect traffic, so if you have a VPN client setup to PIX520 A it will not be able to see the network behind PIX520 B.  You would need to set up a separate vpn client to the PIX520 B.  The doc shows the relevant access-lists and vpngroup settings you will need for the vpn client.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

If you have any specific Qs that you are unclear on - pls post
hope this helps
dnguyen81 (Author) commented:
Thanks for your quick reply... I looked at that article from Cisco too.  It requires PIX OS 6.3.  I'm running PIX OS 5.1(5).  In my version of the PIX OS, they do not have the vpngroup command available.  That's what I am running into trouble on.  Below is my config.....

interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password ************* encrypted
passwd ************** encrypted
hostname PiX
domain-name pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.8.10 Excalibur-DC
name 192.168.8.12 Exchange-Server
name 192.168.8.15 SERVER-EX01
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any interface outside eq ftp
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq 5901
access-list inbound permit tcp any interface outside eq 5900
access-list inbound permit icmp any any
access-list inbound permit tcp any interface outside eq 5500
access-list outbound_NO_NAT permit tcp 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound_VPN_Clients permit tcp 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside dhcp setroute
ip address inside 192.168.8.254 255.255.255.0
no ip address intf2
no ip address intf3
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_users 192.168.200.200-192.168.200.210
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outbound_NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_VPN_MAP 1 set transform-set DES-MD5
crypto map NGUYENS_VPN_MAP 10 ipsec-isakmp dynamic DYN_VPN_MAP
crypto map NGUYENS_VPN_MAP client configuration address initiate
crypto map NGUYENS_VPN_MAP client configuration address respond
crypto map NGUYENS_VPN_MAP interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPN_users outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
dnguyen81 (Author) commented:
Sorry, IGNORE the previous config..... it was a test PIX..  Here is the correct one.  NOTICE that I do not have any statements in there for the VPN Clients yet.... just the L2L config

Building configuration...
: Saved
:
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60
enable password ********** encrypted
passwd ********** encrypted
hostname PIX
domain-name SEC
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sqlnet 1433
no fixup protocol smtp 25
names
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inside_out permit ip any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging history warnings
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside xxx.xxx.xxx.114 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 10.1.2.1 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.118
global (dmz1) 1 10.1.1.250
global (dmz2) 1 10.1.2.250
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 10000
nat (dmz1) 0 access-list NO_NAT
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 10000
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 10000
static (dmz1,outside) xxx.xxx.xxx.116 10.1.1.100 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.117 10.1.1.110 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.115 192.168.0.13 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.120 10.1.1.101 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.1.1.200 192.168.0.13 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.119 10.1.1.102 netmask 255.255.255.255 0 0
access-group acl_inside_out in interface inside
conduit permit icmp any any
conduit permit gre any any
conduit permit tcp host xxx.xxx.xxx.117 eq www any
conduit permit tcp host xxx.xxx.xxx.117 eq 443 any
conduit permit tcp host xxx.xxx.xxx.115 eq smtp any
conduit permit tcp host xxx.xxx.xxx.115 eq pop3 any
conduit permit tcp host xxx.xxx.xxx.115 eq 1723 any
conduit permit tcp host xxx.xxx.xxx.115 eq www any
conduit permit tcp host xxx.xxx.xxx.116 eq 443 any
conduit permit tcp host xxx.xxx.xxx.116 eq www any
conduit permit udp host xxx.xxx.xxx.116 eq domain any
conduit permit udp host xxx.xxx.xxx.117 eq domain any
conduit permit tcp host xxx.xxx.xxx.115 eq 143 any
conduit permit tcp host xxx.xxx.xxx.116 eq ftp any
conduit permit tcp host xxx.xxx.xxx.120 eq www any
conduit permit tcp host xxx.xxx.xxx.120 eq 443 any
conduit permit tcp host xxx.xxx.xxx.116 eq 1723 any
conduit permit tcp host 10.1.1.200 eq smtp any
conduit permit tcp host 10.1.1.200 eq 1433 any
conduit permit tcp host xxx.xxx.xxx.119 eq www any
conduit permit tcp host xxx.xxx.xxx.119 eq 443 any
conduit permit tcp host xxx.xxx.xxx.115 eq 443 any
conduit permit tcp host xxx.xxx.xxx.117 eq ftp any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
snmp-server host inside 192.168.0.70
snmp-server host inside 192.168.0.74
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto map my_map 20 ipsec-isakmp
crypto map my_map 20 match address outside_cryptomap_20
crypto map my_map 20 set peer xxx.xxx.253.98
crypto map my_map 20 set transform-set des
crypto map my_map 30 ipsec-isakmp
crypto map my_map 30 match address outside_cryptomap_30
crypto map my_map 30 set peer xxx.xxx.106.217
crypto map my_map 30 set transform-set des
crypto map my_map interface outside
isakmp enable outside
isakmp key ********* address xxx.xxx.253.98 netmask 255.255.255.255
isakmp key ********* address xxx.xxx.106.217 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 dmz1
telnet 192.168.125.0 255.255.255.0 inside
telnet 192.168.125.1 255.255.255.255 inside
telnet timeout 60
terminal width 80
Cryptochecksum:e2c6bbce10fbd36cb7e7c3b36aea676b

nodisco commented:
Bad news my friend - Cisco VPN client is only supported on PIX version 6 and above:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html

dnguyen81 (Author) commented:
that sucks!!!  I do have Cisco Secure VPN Client v 1.0 and v1.1  ....  But it won't install on Windows XP.  I guess my only other option is to upgrade my flash card to a 16mb card so it can support PIX OS 5.2+ .....  

What are the commands for PIX to PIX (L2L) and VPN client if I do get a newer version of PIX OS?
nodisco commented:
Latest version of PIX OS is 7.11 but it's a different beast altogether to the 5.0 and 6.0 releases.  I would advise going to 6.3(5) for the minute - download the 7.0 version also - you don't have to install it just yet!

The URL I originally posted shows how to setup the VPN client with explanations under each line - is there anything specific you need help on?
dnguyen81 (Author) commented:
Yes.......  How come the Crypto map for the VPN Client does not have a match address statement?  
Also, is it highly recommended that you use a different subnet for your VPN Client address pool from your inside network?  
Would I also need a route statement from the VPN Client address pool to the inside network?
Thanks!!!
dnguyen81 (Author) commented:
Also, explain to me what no-Xauth and no-config-mode means?
nodisco commented:
<<Yes.......  How come the Crypto map for the VPN Client does not have a match address statement?  
It is using a dynamic crypto policy - notice that there is an access-list permitting traffic from inside to the pool address - this allows "interesting traffic" to traverse the link
access-list 100 permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0

<<Also, is it highly recommended that you use a different subnet for your VPN Client address pool from your inside network?  
Highly!  If you keep them separate the PIX knows where to send the traffic - it's not on the inside network - it can cause problems if you put them on the same range

<<Would I also need a route statement from the VPN Client address pool to the inside network?
No - once the vpn client is connected - it's on the PIX and the inside is a connected interface - no need for a route.

<<Also, explain to me what no-Xauth and no-config-mode means?
I have never used either - here is Cisco's explanation for you
no-config-mode
This is only to be used if you enabled the IKE Mode Configuration feature, and you have an IPSec peer that is a gateway. This option associates a given pre-shared key with a gateway and allows an exception to the IKE Mode Configuration feature enabled by the crypto map client configuration address command.

no-xauth
This is only to be used if you enabled the Xauth feature, and you have an IPSec peer that is a gateway. This option associates a given pre-shared key with a gateway and allows an exception to the Xauth feature enabled by the crypto map client authentication command.

hth
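As an added illustration of the answer above (editor's example, not part of nodisco's or dnguyen81's posts and not taken from the Cisco doc), here is what the remote-access pieces would look like when appended to the second config's existing my_map, once the PIX is running the 6.3 release nodisco recommends. The pool subnet 192.168.200.0/24, the group name REMOTE, the 3DES/SHA transform, the DNS server address, the username and every password are assumptions; the existing L2L entries 20 and 30 of my_map and isakmp policy 9 are left as they are, and lines starting with ":" are comments in the saved-config style the page already shows.

```cisco
: Pool on its own subnet, not 192.168.0.0/24, so the PIX knows the
: client addresses are not on the inside interface (assumed range).
ip local pool VPN_POOL 192.168.200.1-192.168.200.50

: Exempt inside/dmz1 -> pool traffic from NAT; this is also the
: "interesting traffic" that crosses the client tunnel.
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
nat (dmz1) 0 access-list NO_NAT

: Split-tunnel ACL: only these destinations go through the tunnel.
access-list SPLIT_TUNNEL permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list SPLIT_TUNNEL permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0

: Dynamic map: no "match address" and no "set peer", because the
: client's public address is unknown in advance. Highest sequence
: number so the static L2L entries 20 and 30 are evaluated first.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-3DES-SHA
crypto map my_map 65535 ipsec-isakmp dynamic DYN_MAP

: Hand out pool addresses (mode config) and require per-user
: authentication (Xauth) against the local user database.
aaa-server LOCAL protocol local
username vpnuser1 password ********
crypto map my_map client configuration address respond
crypto map my_map client authentication LOCAL
: "crypto map my_map interface outside" is already present.

: The Cisco VPN client negotiates DH group 2; the existing policy 9
: only offers group 1, so add a second policy for the clients.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20

: Group settings pushed to the client; the group password is the
: client's pre-shared key.
vpngroup REMOTE address-pool VPN_POOL
vpngroup REMOTE dns-server 192.168.0.13
vpngroup REMOTE default-domain SEC
vpngroup REMOTE split-tunnel SPLIT_TUNNEL
vpngroup REMOTE idle-time 1800
vpngroup REMOTE password ********
```

No route statement is needed for the pool, as nodisco notes; the L2L peers keep their own "isakmp key ... address x.x.x.x" entries and are unaffected by the client group.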
