dnguyen81
asked on
PIX to PIX v 5.1.5 and VPN Client
I currently have a L2L VPN going using two PIX 520s. I need to know how to add VPN Clients to the picture. I am also using PIX OS version 5.1(5). I have been doing considerable reading on Cisco's website and EE but this is all too confusing. What are my options and how would I go about configuring what I need. Thank you for your assistance in advance.
ASKER
Thanks for your quick reply... I looked at that article from Cisco too. It requires PIX OS 6.3. I'm running PIX OS 5.1(5). In my version of the PIX OS, they do not have the vpngroup command available. That's what I am running into trouble on. Below is my config.....
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password ************* encrypted
passwd ************** encrypted
hostname PiX
domain-name pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.8.10 Excalibur-DC
name 192.168.8.12 Exchange-Server
name 192.168.8.15 SERVER-EX01
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any interface outside eq ftp
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq 5901
access-list inbound permit tcp any interface outside eq 5900
access-list inbound permit icmp any any
access-list inbound permit tcp any interface outside eq 5500
access-list outbound_NO_NAT permit tcp 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound_VPN_Clients permit tcp 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside dhcp setroute
ip address inside 192.168.8.254 255.255.255.0
no ip address intf2
no ip address intf3
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_users 192.168.200.200-192.168.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outbound_NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_VPN_MAP 1 set transform-set DES-MD5
crypto map NGUYENS_VPN_MAP 10 ipsec-isakmp dynamic DYN_VPN_MAP
crypto map NGUYENS_VPN_MAP client configuration address initiate
crypto map NGUYENS_VPN_MAP client configuration address respond
crypto map NGUYENS_VPN_MAP interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPN_users outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password ************* encrypted
passwd ************** encrypted
hostname PiX
domain-name pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.8.10 Excalibur-DC
name 192.168.8.12 Exchange-Server
name 192.168.8.15 SERVER-EX01
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pop3
access-list inbound permit tcp any interface outside eq ftp
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq 5901
access-list inbound permit tcp any interface outside eq 5900
access-list inbound permit icmp any any
access-list inbound permit tcp any interface outside eq 5500
access-list outbound_NO_NAT permit tcp 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound_VPN_Clients permit tcp 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside dhcp setroute
ip address inside 192.168.8.254 255.255.255.0
no ip address intf2
no ip address intf3
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_users 192.168.200.200-192.168.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outbound_NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_VPN_MAP 1 set transform-set DES-MD5
crypto map NGUYENS_VPN_MAP 10 ipsec-isakmp dynamic DYN_VPN_MAP
crypto map NGUYENS_VPN_MAP client configuration address initiate
crypto map NGUYENS_VPN_MAP client configuration address respond
crypto map NGUYENS_VPN_MAP interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local VPN_users outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.8.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
ASKER
SOrry, IGNORE the previous config..... it was a test pix.. Here is the correct one. NOTICE that I do not have any statements in there for the VPN Clients yet.... just the L2L config
Building configuration...
: Saved
:
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60
enable password ********** encrypted
passwd ********** encrypted
hostname PIX
domain-name SEC
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sqlnet 1433
no fixup protocol smtp 25
names
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inside_out permit ip any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging history warnings
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside xxx.xxx.xxx.114 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 10.1.2.1 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.118
global (dmz1) 1 10.1.1.250
global (dmz2) 1 10.1.2.250
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 10000
nat (dmz1) 0 access-list NO_NAT
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 10000
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 10000
static (dmz1,outside) xxx.xxx.xxx.116 10.1.1.100 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.117 10.1.1.110 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.115 192.168.0.13 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.120 10.1.1.101 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.1.1.200 192.168.0.13 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.119 10.1.1.102 netmask 255.255.255.255 0 0
access-group acl_inside_out in interface inside
conduit permit icmp any any
conduit permit gre any any
conduit permit tcp host xxx.xxx.xxx.117 eq www any
conduit permit tcp host xxx.xxx.xxx.117 eq 443 any
conduit permit tcp host xxx.xxx.xxx.115 eq smtp any
conduit permit tcp host xxx.xxx.xxx.115 eq pop3 any
conduit permit tcp host xxx.xxx.xxx.115 eq 1723 any
conduit permit tcp host xxx.xxx.xxx.115 eq www any
conduit permit tcp host xxx.xxx.xxx.116 eq 443 any
conduit permit tcp host xxx.xxx.xxx.116 eq www any
conduit permit udp host xxx.xxx.xxx.116 eq domain any
conduit permit udp host xxx.xxx.xxx.117 eq domain any
conduit permit tcp host xxx.xxx.xxx.115 eq 143 any
conduit permit tcp host xxx.xxx.xxx.116 eq ftp any
conduit permit tcp host xxx.xxx.xxx.120 eq www any
conduit permit tcp host xxx.xxx.xxx.120 eq 443 any
conduit permit tcp host xxx.xxx.xxx.116 eq 1723 any
conduit permit tcp host 10.1.1.200 eq smtp any
conduit permit tcp host 10.1.1.200 eq 1433 any
conduit permit tcp host xxx.xxx.xxx.119 eq www any
conduit permit tcp host xxx.xxx.xxx.119 eq 443 any
conduit permit tcp host xxx.xxx.xxx.115 eq 443 any
conduit permit tcp host xxx.xxx.xxx.117 eq ftp any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
snmp-server host inside 192.168.0.70
snmp-server host inside 192.168.0.74
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto map my_map 20 ipsec-isakmp
crypto map my_map 20 match address outside_cryptomap_20
crypto map my_map 20 set peer xxx.xxx.253.98
crypto map my_map 20 set transform-set des
crypto map my_map 30 ipsec-isakmp
crypto map my_map 30 match address outside_cryptomap_30
crypto map my_map 30 set peer xxx.xxx.106.217
crypto map my_map 30 set transform-set des
crypto map my_map interface outside
isakmp enable outside
isakmp key ********* address xxx.xxx.253.98 netmask 255.255.255.255
isakmp key ********* address xxx.xxx.106.217 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 dmz1
telnet 192.168.125.0 255.255.255.0 inside
telnet 192.168.125.1 255.255.255.255 inside
telnet timeout 60
terminal width 80
Cryptochecksum:e2c6bbce10f
Building configuration...
: Saved
:
PIX Version 5.1(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60
enable password ********** encrypted
passwd ********** encrypted
hostname PIX
domain-name SEC
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sqlnet 1433
no fixup protocol smtp 25
names
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list NO_NAT permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.1.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inside_out permit ip any any
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging history warnings
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside xxx.xxx.xxx.114 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip address dmz1 10.1.1.1 255.255.255.0
ip address dmz2 10.1.2.1 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.118
global (dmz1) 1 10.1.1.250
global (dmz2) 1 10.1.2.250
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 10000
nat (dmz1) 0 access-list NO_NAT
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 10000
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 10000
static (dmz1,outside) xxx.xxx.xxx.116 10.1.1.100 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.117 10.1.1.110 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.115 192.168.0.13 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.120 10.1.1.101 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.1.1.200 192.168.0.13 netmask 255.255.255.255 0 0
static (dmz1,outside) xxx.xxx.xxx.119 10.1.1.102 netmask 255.255.255.255 0 0
access-group acl_inside_out in interface inside
conduit permit icmp any any
conduit permit gre any any
conduit permit tcp host xxx.xxx.xxx.117 eq www any
conduit permit tcp host xxx.xxx.xxx.117 eq 443 any
conduit permit tcp host xxx.xxx.xxx.115 eq smtp any
conduit permit tcp host xxx.xxx.xxx.115 eq pop3 any
conduit permit tcp host xxx.xxx.xxx.115 eq 1723 any
conduit permit tcp host xxx.xxx.xxx.115 eq www any
conduit permit tcp host xxx.xxx.xxx.116 eq 443 any
conduit permit tcp host xxx.xxx.xxx.116 eq www any
conduit permit udp host xxx.xxx.xxx.116 eq domain any
conduit permit udp host xxx.xxx.xxx.117 eq domain any
conduit permit tcp host xxx.xxx.xxx.115 eq 143 any
conduit permit tcp host xxx.xxx.xxx.116 eq ftp any
conduit permit tcp host xxx.xxx.xxx.120 eq www any
conduit permit tcp host xxx.xxx.xxx.120 eq 443 any
conduit permit tcp host xxx.xxx.xxx.116 eq 1723 any
conduit permit tcp host 10.1.1.200 eq smtp any
conduit permit tcp host 10.1.1.200 eq 1433 any
conduit permit tcp host xxx.xxx.xxx.119 eq www any
conduit permit tcp host xxx.xxx.xxx.119 eq 443 any
conduit permit tcp host xxx.xxx.xxx.115 eq 443 any
conduit permit tcp host xxx.xxx.xxx.117 eq ftp any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
snmp-server host inside 192.168.0.70
snmp-server host inside 192.168.0.74
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto map my_map 20 ipsec-isakmp
crypto map my_map 20 match address outside_cryptomap_20
crypto map my_map 20 set peer xxx.xxx.253.98
crypto map my_map 20 set transform-set des
crypto map my_map 30 ipsec-isakmp
crypto map my_map 30 match address outside_cryptomap_30
crypto map my_map 30 set peer xxx.xxx.106.217
crypto map my_map 30 set transform-set des
crypto map my_map interface outside
isakmp enable outside
isakmp key ********* address xxx.xxx.253.98 netmask 255.255.255.255
isakmp key ********* address xxx.xxx.106.217 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 dmz1
telnet 192.168.125.0 255.255.255.0 inside
telnet 192.168.125.1 255.255.255.255 inside
telnet timeout 60
terminal width 80
Cryptochecksum:e2c6bbce10f
Bad news my friend - Cisco VPN client is only supported on PIX version 6 and above:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html
ASKER
that sucks!!! I do have Cisco Secure VPN Client v 1.0 and v1.1 .... But it won't install on Windows XP. I guess my only other option is to upgrade my flash card to a 16mb card so it can support PIX OS 5.2+ .....
What are the commands for PIX to PIX (L2L) and VPN client if I do get a newer version of PIX OS?
What are the commands for PIX to PIX (L2L) and VPN client if I do get a newer version of PIX OS?
Latest version of PIX OS is 7.11 but its a different beast altogether to the 5.0 and 6.0 releases. I would advise going to 6.3(5) for the minute - download the 7.0 version also - you don't have to install it just yet!
The URL I originally posted shows how to setup the VPN client with explanations under each line - is there anything specific you need help on?
The URL I originally posted shows how to setup the VPN client with explanations under each line - is there anything specific you need help on?
ASKER
Yes....... How come the Crypto map for the VPN Client does not have a match address statement?
ALso, is it highly recommended that you a different subnet for your VPN Client address pool from your inside network?
Would I also need a route statement from the VPN Client address pool to the inside network?
Thanks!!!
ALso, is it highly recommended that you a different subnet for your VPN Client address pool from your inside network?
Would I also need a route statement from the VPN Client address pool to the inside network?
Thanks!!!
ASKER
Also, explain to me what no-Xauth and no-config-mode means?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
5.1(5) is quite an old software image - have you got CCO to download a later version?
Here is a doc re setting up an IPSec tunnel with a vpn client also attached. Note that PIX firewall do not redirect traffic so if you have a VPN client setup to PIX520 A - it will not be able to see the network behind PIX520 B. You would need to setup a seperate vpn client to the PIX520 B. The doc shows the relevant access-lists and vpngroup settings you will need for the vpn client.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml
If you have any specific Qs that you are unclear on - pls post
hope this helps