Commands needed to open a secure VPN connection on a PIX 501


I need to configure the VPN for a PIX501 but, well, I have no idea what I should do... AND I was really looking for a cake recipe for it. Since this could be very useful for other people, since I guess other people could also be looking for this cake recipe solution, I think it doesn't hurt to ask... HELP!!! This PIX is connected to a router that is not doing much, so I don't think any configuration should be needed for the router...

Here is what I already have... I've used *** for security purposes.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd ************** encrypted
hostname *********
domain-name *********.***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_ext permit tcp any host ***.***.***.*** eq www
access-list acl_ext permit tcp any host ***.***.***.*** eq ftp
access-list acl_ext permit tcp any host ***.***.***.*** eq pcanywhere-data
access-list acl_ext permit udp any host ***.***.***.*** eq pcanywhere-status
access-list acl_ext permit tcp any host ***.***.***.*** eq 3389
access-list acl_ext permit tcp any host ***.***.***.*** eq 5900
access-list acl_ext permit tcp any host ***.***.***.*** eq ssh
access-list acl_ext permit tcp any host ***.***.***.*** eq 8787
access-list acl_ext permit tcp any host ***.***.***.*** eq 9000
access-list acl_ext permit udp any host ***.***.***.*** eq 22
access-list acl_ext permit udp any host ***.***.***.*** eq 9000
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside ***.***.***.111
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location ***.***.105.*** outside
pdm location ***.***.***.112 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 ***.***.***.***
nat (inside) 1 0 0
alias (inside) ***.***.***.***
static (inside,outside) tcp ***.***.***.*** 9000 9000 netmask 0 0
static (inside,outside) udp ***.***.***.*** 9000 9000 netmask 0 0
static (inside,outside) tcp ***.***.***.*** www www netmask 0 0
static (inside,outside) tcp ***.***.***.*** ftp ftp netmask 0 0
static (inside,outside) tcp ***.***.***.*** ssh ssh netmask 0 0
static (inside,outside) udp ***.***.***.*** 22 22 netmask 0 0
static (inside,outside) tcp ***.***.***.*** pcanywhere-data pcanywhere-data netmask 0 0
static (inside,outside) udp ***.***.***.*** pcanywhere-status pcanywhere-status netmask 0 0
static (inside,outside) tcp ***.***.***.*** 3389 3389 netmask 0 0
static (inside,outside) tcp ***.***.***.*** 5600 5600 netmask 0 0
static (inside,outside) tcp ***.***.***.*** 8787 3389 netmask 0 0
access-group acl_ext in interface outside
route outside ***.***.***.103 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns **.**.**.**
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain *********.***
dhcpd auto_config outside
dhcpd enable inside
terminal width 80


What kind of VPN? IPSEC or PPTP? If IPSEC, is it remote access (using Cisco VPN client) or site to site?
markps_1Author Commented:
It is remote access using Cisco VPN client....
markps_1Author Commented:
Hi Keith... it won't be PIX to PIX, it will be only PIX to Cisco VPN client. I'm sorry I forgot to mention that.
This is as simple as it can get:

Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Clients Using IPSec

The PIX version used on that sample is 6.2 but never mind that since it's the same. The PIX commands in boldface
are what you need. The only thing I would add to that configuration is the command:

isakmp nat-t

This command will allow your VPN users behind PAT devices to negotiate transparent tunneling and be able to pass traffic.

If you have any questions regarding the configuration sample, don't hesitate to ask.

Keith AlabasterEnterprise ArchitectCommented:
Yep, good link.
markps_1Author Commented:
It sounds easy... I've seen many PIXes with VPN already configured but I couldn't separate what was doing that task from those big configuration lists. It seems that this is my cake recipe, right?

access-list 101 permit ip
ip local pool ippool
nat (inside) 0 access-list 101
sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-t

vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server
vpngroup vpn3000 default-domain ******.***
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpn3000 split-tunnel 101

Do you see anything on my posted config list that would conflict with it? Like (I know this is basic) "nat (inside) 1 0 0": will it be overwritten by the "nat (inside) 0 access-list 101" command or something similar?
Keith AlabasterEnterprise ArchitectCommented:
No, the NAT 0 means don't translate (nonat) and NAT 1 will be associated with your Global 1 statement.
Also you will not be assigning an access-group command to the access-list 101 statements either.
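The recipe above, checked mechanically. This is an added Python example, not code from the thread or from Cisco: it indexes the PIX 6.x statements the remote-access recipe relies on and reports dangling references (a nat 0 ACL, address pool, dynamic-map or transform-set that is referenced but never defined, a crypto map not bound to an interface, isakmp not enabled on that interface, a missing permit-ipsec or nat-t), and separately flags the legacy DES/MD5 algorithms the recipe uses. The sample configuration is constructed from the posted recipe with placeholder addresses, domain and password where the post masked them; `nat_ids` shows the point Keith made, that NAT id 0 and NAT id 1 are separate entries and coexist.

```python
from collections import defaultdict

# Constructed sample: the recipe from the thread, with placeholder values
# (192.168.x.x, PLACEHOLDER) where the post masked them with ***.
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool ippool 192.168.100.1-192.168.100.50
nat (inside) 1 0 0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp nat-t
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 password PLACEHOLDER
vpngroup vpn3000 split-tunnel 101
"""

WEAK = {"des", "md5", "esp-des", "esp-md5-hmac"}  # legacy algorithms to flag


def parse_pix(text):
    """Index only the statement types the remote-access recipe uses."""
    cfg = {"acls": set(), "pools": set(), "nat": [], "tsets": {}, "dynmaps": {},
           "maps": {}, "map_if": {}, "isakmp_if": set(), "flags": set(),
           "policies": defaultdict(dict), "groups": defaultdict(dict)}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"].add(t[3])
        elif t[0] == "nat":                        # nat (iface) id args...
            cfg["nat"].append((t[1].strip("()"), t[2], t[3:]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            cfg["dynmaps"][t[2]] = t[t.index("transform-set") + 1]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            cfg["map_if"][t[2]] = t[4]             # map bound to an interface
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            cfg["maps"][t[2]] = t[t.index("dynamic") + 1]
        elif t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_if"].add(t[2])
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policies"][t[2]][t[3]] = t[4]
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"] or t[:2] == ["isakmp", "nat-t"]:
            cfg["flags"].add(t[-1])                # "permit-ipsec" / "nat-t"
        elif t[0] == "vpngroup":
            cfg["groups"][t[1]][t[2]] = t[3] if len(t) > 3 else None
    return cfg


def nat_ids(text):
    """(interface, nat-id) pairs: id 0 is exemption, other ids pair with a global."""
    return sorted({(iface, nid) for iface, nid, _ in parse_pix(text)["nat"]})


def check_remote_access_vpn(text):
    """Return (problems, warnings): dangling references vs. legacy algorithms."""
    cfg = parse_pix(text)
    problems, warnings = [], []
    nat0 = [n for n in cfg["nat"] if n[1] == "0"]
    if not nat0:
        problems.append("no 'nat (inside) 0 access-list ...' exemption for VPN traffic")
    for _, _, args in nat0:
        if args[:1] == ["access-list"] and args[1] not in cfg["acls"]:
            problems.append(f"nat 0 references undefined access-list {args[1]}")
    if not cfg["maps"]:
        problems.append("no crypto map with a dynamic entry (needed for VPN clients)")
    for name, dyn in cfg["maps"].items():
        if dyn not in cfg["dynmaps"]:
            problems.append(f"crypto map {name} references undefined dynamic-map {dyn}")
        elif cfg["dynmaps"][dyn] not in cfg["tsets"]:
            problems.append(f"dynamic-map {dyn} references undefined transform-set {cfg['dynmaps'][dyn]}")
        iface = cfg["map_if"].get(name)
        if iface is None:
            problems.append(f"crypto map {name} is not bound to an interface")
        elif iface not in cfg["isakmp_if"]:
            problems.append(f"isakmp is not enabled on {iface}, where crypto map {name} is bound")
    for group, attrs in cfg["groups"].items():
        if attrs.get("address-pool") not in cfg["pools"]:
            problems.append(f"vpngroup {group} address-pool {attrs.get('address-pool')} is undefined")
        if attrs.get("split-tunnel") and attrs["split-tunnel"] not in cfg["acls"]:
            problems.append(f"vpngroup {group} split-tunnel ACL {attrs['split-tunnel']} is undefined")
        if not attrs.get("password"):
            problems.append(f"vpngroup {group} has no pre-shared password")
    for flag in ("permit-ipsec", "nat-t"):
        if flag not in cfg["flags"]:
            problems.append(f"missing statement enabling {flag}")
    for name, algs in cfg["tsets"].items():
        if set(algs) & WEAK:
            warnings.append(f"transform-set {name} uses legacy {' '.join(algs)}")
    for pid, attrs in cfg["policies"].items():
        weak = {attrs.get("encryption"), attrs.get("hash")} & WEAK
        if weak:
            warnings.append(f"isakmp policy {pid} uses legacy {' '.join(sorted(weak))}")
    return problems, warnings


if __name__ == "__main__":
    for kind, items in zip(("PROBLEM", "WARNING"), check_remote_access_vpn(SAMPLE_CONFIG)):
        for item in items:
            print(kind, item)
```

Run against the constructed sample it reports no dangling references and two legacy-algorithm warnings (the esp-des/esp-md5-hmac transform set and the des/md5 isakmp policy); paste in a real `show run` and the same checks apply, since the parser ignores every statement it does not recognise.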
markps_1Author Commented:
Keith, as I understand, access-group is not needed for the VPN, right?

Shouldn't there be anything in the VPN settings to indicate which outside address and port should be the VPN address?
I'm sure Keith won't mind me jumping in ;-)

<<access-group is not needed for the vpn right?
Correct. The access-list 101 is specifying interesting traffic and is applied as a nonat rule in the line
nat (inside) 0 access-list 101

It's called policy NAT.

<<shouldn't there be anything in the VPN settings to indicate which outside address and port should be the VPN address?
No - the PIX will only terminate crypto sessions on the outside interface. You have already enabled phase 1 and phase 2 to run on this interface:
isakmp enable outside
crypto map mymap interface outside

The VPN client needs to be configured with the PIX outside IP address.


markps_1Author Commented:
Hi, I've added exactly as described and I'm getting

"Secure VPN Connection terminated locally by the Client"
"Reason 412 The remote peer is no longer responding"

I'm connecting to the PIX address set in the ip address outside command...

I can connect via SSH to that address, so it shows that this is the correct address for the PIX.

Any clue?
To find where you are going wrong, can you do the following:

On the pix:
conf t
logging on
debug crypto isakmp

If you are connected to the PIX via console cable, also type
logging console 7

When you try to VPN in to the PIX, you should see the isakmp phase 1 negotiations taking place on the PIX - capture this text and post it here.

Also - please post your full config in case there is anything that's causing an issue.

markps_1Author Commented:
Hi nodisco,

Nothing shows up on the debug...

The configuration of my firewall is at the top of this page....

And here is the config of the router... I'm not sure if the problem is here...

Using 1167 out of 29688 bytes
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname crlrtr1
enable secret ********************.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
ip name-server **.**.**.**
ip name-server **.**.**.**
no ftp-server write-enable
interface FastEthernet0
 description connected to EthernetLAN
 ip address ***.***.***.***
 speed 100
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
interface Serial0.1 point-to-point
 description connected to Internet
 ip unnumbered FastEthernet0
 frame-relay interface-dlci 44
ip classless
ip route Serial0.1
ip http server
snmp-server community recall RO
snmp-server community perform1x RW
snmp-server location **********************
snmp-server enable traps tty
line con 0
 exec-timeout 0 0
 password ********
line aux 0
line vty 0 1
 password *********
line vty 2 4
Router config is fine - if you are not getting anything from the debug, then the VPN client is not even reaching the PIX in the first place.

Couple of checks:
- are you testing this from outside your own network? It will not work from inside
- to make sure your debugging is definitely on, try typing
debug icmp trace
logging on
sh debug

Then ping an outside IP address and you should see the debug picking up the ICMP traffic. Turn it off when complete:
undebug icmp trace

markps_1Author Commented:
I was testing from inside and it wouldn't connect... but now... WOW, it works like a charm... A+ for you guys!
Keith AlabasterEnterprise ArchitectCommented:
Thanks :)
Ditto - glad you got it working.