  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1421

Commands needed to open a secure VPN connection on a PIX 501

Hi,

 I need to configure the VPN for a PIX501 but, well, I have no idea what I should do... AND I was really looking for a cake recipe for it. Since this could be very useful for other people, since I guess other people also could be looking for this cake recipe solution, I think it doesn't hurt to ask... HELP!!! This PIX is connected to a router that is not doing much... so I don't think any configuration should be needed for the router...

Here is what I already have... I've used *** for security purposes.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd ************** encrypted
hostname *********
domain-name *********.***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_ext permit tcp any host ***.***.***.*** eq www
access-list acl_ext permit tcp any host ***.***.***.*** eq ftp
access-list acl_ext permit tcp any host ***.***.***.*** eq pcanywhere-data
access-list acl_ext permit udp any host ***.***.***.*** eq pcanywhere-status
access-list acl_ext permit tcp any host ***.***.***.*** eq 3389
access-list acl_ext permit tcp any host ***.***.***.*** eq 5900
access-list acl_ext permit tcp any host ***.***.***.*** eq ssh
access-list acl_ext permit tcp any host ***.***.***.*** eq 8787
access-list acl_ext permit tcp any host ***.***.***.*** eq 9000
access-list acl_ext permit udp any host ***.***.***.*** eq 22
access-list acl_ext permit udp any host ***.***.***.*** eq 9000
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.111 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.25 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.220 255.255.255.255 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location ***.***.105.*** 255.255.255.255 outside
pdm location ***.***.***.112 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 ***.***.***.***
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.200 ***.***.***.*** 255.255.255.255
static (inside,outside) tcp ***.***.***.*** 9000 192.168.1.200 9000 netmask 255.255.255.255 0 0
static (inside,outside) udp ***.***.***.*** 9000 192.168.1.200 9000 netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** www 192.168.1.200 www netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** ftp 192.168.1.200 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** ssh 192.168.1.200 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp ***.***.***.*** 22 192.168.1.200 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** pcanywhere-data 192.168.1.25 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp ***.***.***.*** pcanywhere-status 192.168.1.25 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** 3389 192.168.1.201 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** 5600 192.168.1.201 5600 netmask 255.255.255.255 0 0
static (inside,outside) tcp ***.***.***.*** 8787 192.168.1.15 3389 netmask 255.255.255.255 0 0
access-group acl_ext in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.103 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.50-192.168.1.199 inside
dhcpd dns **.**.**.** 192.168.1.10
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain *********.***
dhcpd auto_config outside
dhcpd enable inside
terminal width 80


Thanks!!!
Asked: markps_1
5 Solutions

stressedout2004 commented:
What kind of VPN? IPSEC or PPTP? If IPSEC, is it remote access(using cisco VPN client) or site to site?
0
 
markps_1 (Author) commented:
It is remote access using cisco vpn client....
0
markps_1 (Author) commented:
Hi Keith... it won't be pix to pix.. it will be only pix to cisco vpn client.. I'm sorry I forgot to mention that.
0
 
stressedout2004 commented:
This is as simple as it can get:

Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Clients Using IPSec
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

The PIX version used in that sample is 6.2, but never mind that since it's the same. The pix commands in boldface
are what you need. The only thing I would add to that configuration is the command:

isakmp nat-t

This command will allow your VPN users behind PAT devices to negotiate transparent tunneling and be able to pass traffic.

If you have any questions regarding the configuration sample, don't hesitate to ask.



0
 
Keith Alabaster commented:
Yep, good link.
0
 
markps_1 (Author) commented:
It sounds easy... I've seen many pix with VPN already configured but I couldn't separate what was doing that task from those big configuration lists. It seems that this is my cake recipe, right?

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list 101
sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-t

vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.1.10
vpngroup vpn3000 default-domain ******.***
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpn3000 split-tunnel 101

do you see anything on my posted config list that would conflict with it? Like (I know this is basic) will "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" be overwritten by the "nat (inside) 0 access-list 101" command or something similar?
0
 
Keith Alabaster commented:
No, the NAT 0 means don't translate (nonat) and NAT 1 will be associated with your Global 1 statement.
Also you will not be assigning an access-group command to the access-list 101 statements either.
0
 
markps_1 (Author) commented:
keith, as I understand it access-group is not needed for the vpn, right?

shouldn't there be anything in the vpn settings to indicate which outside address and port should be the vpn address?
0
 
nodisco commented:
Am sure Keith won't mind me jumping in ;-)

<<access-group is not needed for the vpn right?
Correct.  The access-list 101 is specifying interesting traffic and is applied as a nonat rule in the line
nat (inside) 0 access-list 101

It's called policy nat


<<shouldn't there be anything in the vpn settings to indicate which outside address and port should be the vpn address?
No - the pix will only terminate crypto sessions on the outside interface.  You have already enabled phase 1 and phase 2 to run on this interface:
isakmp enable outside
crypto map mymap interface outside

the VPN client needs to be configured with the PIX outside ip address.

hth


0
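The recipe above, Keith's point that the `nat 0` and `nat 1` statements coexist rather than overwrite each other, and nodisco's point that `isakmp enable` and the crypto map must both sit on the outside interface can all be checked mechanically. The following Python script is an added example, not code from the thread, from Cisco or from any of the posters: it parses the PIX 6.x statements quoted in the thread into a small table and reports configuration errors (isakmp not enabled on the crypto map's interface, a pool that no `nat 0` access-list exempts, a dangling split-tunnel ACL) separately from hygiene warnings drawn from the originally posted config (DES/MD5 in the transform set and isakmp policy, SSH and HTTP management open to any source on the outside interface, the `public` SNMP community). The sample configuration embedded in it is constructed from the thread's lines, and the parser only understands the statement shapes that appear there.

```python
"""Static checker for a PIX 6.x remote-access IPsec VPN config (added example,
not from the thread or Cisco): cross-checks the recipe and flags weak settings."""
import ipaddress

# Constructed sample: the recipe plus relevant lines of the posted config.
SAMPLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool ippool 192.168.2.1-192.168.2.254
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel 101
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

def parse(config):
    """Collect the statements the checks need, keyed by object name."""
    c = {"acl": {}, "pool": {}, "nat0": [], "map_if": {}, "map_dyn": {}, "dyn_ts": {},
         "ts": {}, "isakmp_if": set(), "policy": {}, "vpngroup": {}, "mgmt": [], "snmp": []}
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "access-list" and len(t) > 2:
            c["acl"].setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["ip", "local", "pool"]:
            c["pool"][t[3]] = tuple(t[4].split("-"))           # (first, last)
        elif t[0] == "nat" and len(t) > 4 and t[2:4] == ["0", "access-list"]:
            c["nat0"].append(t[4])                              # nonat ACL name
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            c["map_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            c["map_dyn"][t[2]] = t[t.index("dynamic") + 1]
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            c["dyn_ts"][t[2]] = t[t.index("transform-set") + 1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][t[3]] = t[4:]
        elif t[:2] == ["isakmp", "enable"]:
            c["isakmp_if"].add(t[2])
        elif t[:2] == ["isakmp", "policy"] and len(t) > 4:
            c["policy"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[0] == "vpngroup" and len(t) > 3:
            c["vpngroup"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[0] in ("ssh", "http", "telnet") and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            c["mgmt"].append((t[0], t[3]))
        elif t[:2] == ["snmp-server", "community"]:
            c["snmp"].append(t[2])
    return c

def covers(entries, pool):
    first, last = (ipaddress.IPv4Address(a) for a in pool)   # both ends of the pool
    for e in entries:  # only 'permit ip SRC SMASK DST DMASK' entries are examined
        if e[:2] == ["permit", "ip"] and len(e) > 5 and e[4][:1].isdigit():
            net = ipaddress.IPv4Network((e[4], e[5]), strict=False)
            if first in net and last in net:
                return True
    return False

def check(config):
    """Return (errors, warnings): errors break the tunnel, warnings are hygiene."""
    c, errors, warnings = parse(config), [], []
    if not c["map_if"]:
        errors.append("no crypto map is bound to an interface")
    for name, iface in c["map_if"].items():
        if iface not in c["isakmp_if"]:   # phase 1 and phase 2 on the same interface
            errors.append(f"crypto map {name} is on {iface} but isakmp is not enabled there")
        ts = c["dyn_ts"].get(c["map_dyn"].get(name))
        if ts not in c["ts"]:
            errors.append(f"crypto map {name} has no dynamic map with a defined transform-set")
        elif {"esp-des", "esp-md5-hmac"} & set(c["ts"][ts]):
            warnings.append(f"transform-set {ts} uses DES or MD5")
    for num, p in c["policy"].items():
        if p.get("encryption") == "des" or p.get("hash") == "md5":
            warnings.append(f"isakmp policy {num} uses DES or MD5")
    for g, a in c["vpngroup"].items():
        pool, st = a.get("address-pool"), a.get("split-tunnel")
        if pool not in c["pool"]:
            errors.append(f"vpngroup {g}: address-pool {pool} is not defined")
        elif not any(covers(c["acl"].get(n, []), c["pool"][pool]) for n in c["nat0"]):
            errors.append(f"vpngroup {g}: no nat 0 (nonat) access-list covers pool {pool}")
        if st and st not in c["acl"]:
            errors.append(f"vpngroup {g}: split-tunnel ACL {st} is not defined")
    for proto, iface in c["mgmt"]:
        warnings.append(f"{proto} management is open to any source on {iface}")
    for comm in c["snmp"]:
        if comm in ("public", "private"):
            warnings.append(f"snmp community '{comm}' is a well-known default")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check(SAMPLE_CONFIG)
    print("\n".join([f"ERROR: {e}" for e in errs] + [f"WARN:  {w}" for w in warns]))
```

On the sample the recipe itself passes with no errors, which matches the thread's outcome; the five warnings all come from lines of the originally posted config rather than from the recipe. Deleting `isakmp enable outside` or moving the pool outside the network that access-list 101 names makes the checker report exactly the two failure modes the later replies discuss. The `nat 1` line is deliberately present in the sample to show that the nonat check keys only on `nat 0` entries.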
 
markps_1 (Author) commented:
hi, I've added exactly as described and I'm getting

"Secure VPN Connection terminated locally by the Client"
"Reason 412 The remote peer is no long responding"

 I'm connecting to the pix address set on  the ip address outside command...

 I can connect via SSH to that address so it shows that this is the correct address for the pix.

any clue?
0
 
nodisco commented:
To find where you are going wrong - can you do the following:

On the pix:
conf t
logging on
debug crypto isakmp

If you are connected to the pix via console cable - also type
logging console 7

When you try to vpn in to the pix, you should see the isakmp phase 1 negotiations taking place on the pix - capture this text and post it here.

Also - please post your full config in case there is anything that's causing an issue.


0
 
markps_1 (Author) commented:
hi nodisco,

  Nothing shows up on the debug...

the configuration of my firewall is on the top of this page....

and here is the config of the router... I'm not sure if the problem is here...


Using 1167 out of 29688 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname crlrtr1
!
boot-start-marker
boot-end-marker
!
enable secret ********************.
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip name-server **.**.**.**
ip name-server **.**.**.**
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address ***.***.***.*** 255.255.255.248
 speed 100
 full-duplex
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip unnumbered FastEthernet0
 frame-relay interface-dlci 44
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip http server
!
snmp-server community recall RO
snmp-server community perform1x RW
snmp-server location **********************
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
 password ********
 login
line aux 0
line vty 0 1
 password *********
 login
line vty 2 4
 login
!
!
end
0
 
nodisco commented:
Router config is fine - if you are not getting anything from the debug, then the vpn client is not even reaching the pix in the first place.

Couple of checks
- are you testing this from outside your own network?  it will not work from inside
- to make sure your debugging is definitely on - try typing
debug icmp trace
logging on
sh debug

Then ping an outside ip address and you should see the debug picking up the icmp traffic.  Turn it off when complete:
undebug icmp trace



0
 
markps_1 (Author) commented:
I was testing from inside and it wouldn't connect.. but now... WOW, it works like a charm... A+ for you guys!
0
 
Keith Alabaster commented:
Thanks :)
0
 
nodisco commented:
ditto - glad you got it working.
0
