ctwalla
asked on
SetUp VPN On PIX 506e
Hello All;
I need help setting up VPN on my PIX 506e. I am not good with firewalls. I need to set up VPN for employees working from home and a branch office to connect to the main office. I will set up both remote access and site-to-site; for now I need to set up remote access. I was able to log in to my PIX 506e at https://192.168.X.X
Thank you,
ASKER
I am sorry, I was out of the office. I have PIX version 6.3(1) and PDM 3.0(1); when I get to the remote access client step ("please select the type of VPN client/device to be used") I don't know what to use. I would like to use the Microsoft Windows client using L2TP, because I am thinking (if I can do it) of having the clients/employees use the user login information they already have in AD for logging on to the network, so that in the Active Directory user properties, under Dial-in, I can allow remote access permission (VPN). Since I have limited knowledge of firewalls, I need to know if I can have it set up this way.
ASKER CERTIFIED SOLUTION
ASKER
I have not read the links, but I have set up the IAS server. I did not get the key that is asked for when setting up the AAA server in the PIX VPN wizard. Where do I get the key? Also, under AAA server group name in the same area (Add AAA Server), is this any name I type, or the same name I typed during the setup of IAS?
ASKER
Help me with this setting; this is what I have set up so far:
Remote Access client
Cisco VPN Client 3.x
VPN client group
Group Name: vpngroup1
Authentication (group password)
Extended Client Authentication
enable Extended Client Authentication
AAA server group: VPNGroup
NEW -- AAA Server Group: VPNgroup
server IP address (IAS server)
interface inside
interface inside
Key (no key)
Address Pool
pool name vpnpool
range start 192.168.1.XXX
end 192.168.1.XXX (question: is this the outside IP address from the ISP, or inside IPs?)
Attributes pushed to client
Primary DNS 192.168.1.XX
Secondary DNS 192.168.1.XX
Primary WINS
Secondary WINS
Default Domain Name XXXX.org
IKE Policy
Encryption: 3DES
Authentication: MD5
DH Group: Group 2 (1024-bit)
Transform set
Encryption: 3DES
Authentication: MD5
Address Translation Exemption
Host/network
IP address
I don't know what to enter, but I can browse and I can see inside .0/24 and outside. Should I add those IP addresses to the list?
Please check to see if I have set it up well.
Thank you.
ASKER
I have an error: "AAA server -- no encryption key found, using unencrypted mode". What do I do?
> Key (no key)
The key is a shared key between the PIX and the IAS server. When you set up the PIX as a client in IAS, you designate the key. It's just a password that they both know.
> NEW -- AAA Srver Group VNPgroup
make sure you selected RADIUS and not TACACS+
>Address Pool
pool name vpnpool
range state 192.168.1.XXX
Never, ever, ever use 192.168.1.x as your VPN pool.
Never, ever use 192.168.1.x as your inside LAN if supporting VPN clients
Always create the VPN pool in a different subnet than your local LAN
Pool name vpnpool
start 192.168.227.1
end 192.168.227.22 <== depends on how many vpn clients you think you'll be supporting at any one time
>Address Translation Exemption
Host/Network - Inside, Browse and select your internal LAN / mask
click >> to add to selected column, Finish
Why not use 192.168.1.x, you ask? Because 90% of the clients that you will be supporting in home/hotspot/hotels will *also* have 192.168.1.x as their local LAN. This is by far the most used subnet in the world and the default for the vast majority of home/SOHO routers, and yes, even the PIX. Bite the bullet now and change your internal LAN to something a bit more obscure like 192.168.229.x
>I have not read the links, but I have set up the IAS Server,
Please read this link. It tells you exactly how to set up the IAS server, step by step.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
ASKER
I have set up the IAS server using the link info above. How do I enter the key, which I did not enter when I was setting up the PIX? Also, do I need to enable Easy VPN Remote under the VPN tab -> Configuration?
I have changed the IP address pool -- thank you for that info.
Please look at my configuration and tell me if it is OK.
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname FreeFire
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq smtp
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 192.168.x.xxx 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.xxx 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.x 255.255.255.192
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.210.1-192.168.210.25
pdm location 192.168.x.x 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.xxx netmask 255.255.255.255 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.xxx netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.xx.xx.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.xxx timeout 10
http server enable
http 192.168.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ****** address 192.168.1.xxx netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.xxx 192.168.1.xxx
vpngroup VPNGroup wins-server 192.168.1.xxx 192.168.1.xxx
vpngroup VPNGroup default-domain xxxxxxxxxxx.com
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password *******
telnet 192.168.x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a069d8422b84a0f6841eae07a7c3
: end
[OK]
>how do I enter the key which I did not enter when I was setting up the PIX.
aaa-server VPNgroup key mySecretKey
No, you do not need to enable EasyVPN
>vpngroup VPNGroup dns-server 192.168.1.xxx 192.168.1.xxx
>vpngroup VPNGroup wins-server 192.168.1.xxx 192.168.1.xxx
Are these 192.168.1.x IPs still valid?
You don't have to 'hide' your 192.168.x.x addresses. It just makes it more difficult for us to see the uniqueness of the subnets/masks and help you. Nobody cares what your private IPs are, because there are only so many of them and none of them are accessible from anywhere except your local LAN.
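The reply above calls the AAA key "just a password that they both know". To make concrete what that shared key actually does on the wire, here is an added example (not code from the thread or from Cisco) that builds a RADIUS Access-Request the way a NAS such as the PIX would, handles it the way the IAS server would, and verifies the reply. It follows RFC 2865: the User-Password attribute is hidden with MD5(secret + Request Authenticator) chains, and the server signs its reply with a Response Authenticator that the client can only check with the same secret. The user name, password, NAS address and the secret `mySecretKey` are constructed values; everything runs in memory with no network.

```python
"""Constructed RADIUS exchange (RFC 2865) showing what the PIX/IAS shared key does.

Added example, not from the thread. The PIX plays the NAS (client), the IAS
server the RADIUS server; packets are built in memory, no network is used.
User name, password, NAS address and the secret 'mySecretKey' are assumptions.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length incl. header (1 byte), value
    return struct.pack("BB", attr_type, len(value) + 2) + value


def _parse_attrs(blob):
    attrs = {}
    while blob:
        attr_type, length = blob[0], blob[1]
        attrs[attr_type] = blob[2:length]
        blob = blob[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): each 16-byte chunk is XORed with
    MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only yields the password with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip):
    """PIX side: Code 1, random 16-byte Request Authenticator, then attributes."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(request, secret, users):
    """IAS side: recover the password with its copy of the secret, decide, and sign
    the reply: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify(reply, request, secret):
    """PIX side: a reply is trusted only if its Response Authenticator verifies
    under the shared secret; otherwise it is dropped, whatever its code says."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if expected != response_auth:
        return "dropped: bad Response Authenticator (secret mismatch or forgery)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "unknown")


def run_exchange(pix_secret, ias_secret, username=b"jdoe", password=b"Passw0rd!"):
    """Drive one request/response, with possibly different secrets on each side."""
    users = {b"jdoe": b"Passw0rd!"}  # constructed IAS user store
    request = build_access_request(7, username, password, pix_secret, "192.168.1.1")
    reply = server_handle(request, ias_secret, users)
    return client_verify(reply, request, pix_secret)


if __name__ == "__main__":
    print(run_exchange(b"mySecretKey", b"mySecretKey"))                  # accept
    print(run_exchange(b"mySecretKey", b"mySecretKey", password=b"nope"))  # reject
    print(run_exchange(b"mySecretKey", b"otherKey"))                     # dropped
```

The third case is the one that matters for the error in this thread: with no key on the PIX side (or a key that does not match the one typed into the IAS client entry), the server cannot recover the password, and the PIX cannot validate the reply, so authentication never succeeds even though both hosts are reachable.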
ASKER
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UNWymiBzcnlfzwoh encrypted
passwd S1AeuoJ.a/5esGG8 encrypted
hostname FreeFire
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq smtp
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.x 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.227.1-192.168.227.25
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d8422b84a0f6841eae07a7c3
: end
[OK]
These two have to change to match your VPN pool:
>access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
>access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.0
-- these are in the config now, but must be re-entered since we deleted the ACLs above
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside
>PIX Version 6.3(1)
FYI, this is a very buggy version. Suggest you update to 6.3(5) ASAP.
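Two pieces of advice in this thread hang together: put the VPN pool on a subnet that is neither the inside LAN nor one that remote users are likely to have at home, and then make the NAT-0 exemption ACL and the crypto ACL name exactly that pool network. The following is an added example (not code from the thread or from Cisco) that checks a proposed pool against the inside LAN and a list of common home subnets, derives the single network/mask covering the pool, and emits the matching PIX 6.3 lines. The list in `COMMON_HOME_SUBNETS` is an assumption about typical SOHO defaults, and the overlap check deliberately uses the covering network rather than the exact range, so it is slightly conservative.

```python
"""Added example: check a VPN address pool against the inside LAN and the
subnets remote users commonly sit behind, then emit the PIX 6.3 lines
(pool, NAT-0 exemption ACL, crypto ACL) that all have to agree with it.
Not from the thread; the 'common home subnets' list is an assumption."""
import ipaddress

# Assumption: subnets that home/hotel/hotspot routers hand out by default.
COMMON_HOME_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                       "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24"]


def pool_network(pool_start, pool_end):
    """Smallest single network that covers the whole pool; this is the
    network/mask the NAT-0 and crypto ACLs should name."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    net = ipaddress.ip_network(f"{start}/32")
    while not (net.network_address <= start and end <= net.broadcast_address):
        net = net.supernet()
    return net


def conflicts(inside_lan, pool_start, pool_end, home_subnets=COMMON_HOME_SUBNETS):
    """Networks the pool collides with. A hit on the LAN means the pool is
    carved out of the office subnet; a hit on a home subnet means a client
    sitting behind that subnet will have a routing clash. Empty list is good."""
    lan = ipaddress.ip_network(inside_lan, strict=False)
    pool = pool_network(pool_start, pool_end)
    candidates = [lan] + [ipaddress.ip_network(s) for s in home_subnets]
    return sorted({str(n) for n in candidates if pool.overlaps(n)})


def lan_conflicts(inside_lan, home_subnets=COMMON_HOME_SUBNETS):
    """The same check for the inside LAN itself: if the office is 192.168.1.0/24
    a client whose home router also uses it cannot route to the office."""
    lan = ipaddress.ip_network(inside_lan, strict=False)
    return sorted({s for s in home_subnets if lan.overlaps(ipaddress.ip_network(s))})


def pix_lines(inside_lan, pool_name, pool_start, pool_end):
    """PIX 6.3 fragment; pool, NAT-0 ACL and crypto ACL all reference the same
    pool network, which is the mismatch the corrected config above fixes."""
    lan = ipaddress.ip_network(inside_lan, strict=False)
    net = pool_network(pool_start, pool_end)
    lan_s = f"{lan.network_address} {lan.netmask}"
    net_s = f"{net.network_address} {net.netmask}"
    return [
        f"ip local pool {pool_name} {pool_start}-{pool_end}",
        f"access-list inside_outbound_nat0_acl permit ip {lan_s} {net_s}",
        f"access-list outside_cryptomap_dyn_20 permit ip {lan_s} {net_s}",
        "nat (inside) 0 access-list inside_outbound_nat0_acl",
        "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20",
    ]


if __name__ == "__main__":
    # The thread's first attempt: pool carved out of the inside LAN.
    print(conflicts("192.168.1.0/24", "192.168.1.112", "192.168.1.127"))
    # The corrected pool on its own subnet.
    print(conflicts("192.168.1.0/24", "192.168.227.1", "192.168.227.25"))
    # The inside LAN itself, before and after the suggested renumbering.
    print(lan_conflicts("192.168.1.0/24"), lan_conflicts("192.168.229.0/24"))
    print("\n".join(pix_lines("192.168.1.0/24", "vpnpool",
                              "192.168.227.1", "192.168.227.25")))
```

For the pool 192.168.227.1-192.168.227.25 the covering network is 192.168.227.0/27 (mask 255.255.255.224), which is what the NAT-0 and crypto ACLs should carry; the `%d` errors the PIX printed when the mask was pasted are not something this script can explain, but the ACL names it emits do at least agree with the `crypto dynamic-map ... match address` line that follows.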
ASKER
Where do I change this?
categories- ipsec
ike
remote Access
From the command line.
Copy all of the following. Go to Tools | Command line tool | Multi line command, paste all of it in the window and hit Submit.
no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside
ASKER
This is the response:
Result of firewall command: "no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240 "
ERROR: extra command argument(s)
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240 "
ERROR: extra command argument(s)
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
ERROR: invalid IP address 255.255.255.224%d
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "access-list outside_crypto_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
ERROR: invalid IP address 255.255.255.224%d
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_acl"
ERROR: access-list <inside_outbound_nat0_acl% d> does not exist
Command failed
Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
ERROR: unable to locate access-list outside_cryptomap_dyn_20%d
Result of firewall command: "crypto map outside_map interface outside"
Result of firewall command: ""
The command has been sent to the firewall
ASKER
And this is the new configuration after pasting the above:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UNWymiBzcnlfzwoh encrypted
passwd S1AeuoJ.a/5esGG8 encrypted
hostname FreeFire
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq smtp
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.63.20.3 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.227.1-192.168.227.25
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.63.20.2 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.63.20.4 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d8422b84a0f6841eae07a7c3
: end
[OK]
>Result of firewall command: ""
Where did the "" quotes come from?
This is the output from my PIX
Result of firewall command: "no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240 "
Result of firewall command: "no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240 "
Result of firewall command: "access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
Result of firewall command: "access-list outside_crypto_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_acl"
Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
ERROR: unable to locate access-list outside_cryptomap_dyn_20
Result of firewall command: "crypto map outside_map interface outside"
I fixed the error (typo on my part). Cut/paste the following script:
no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside
ASKER
Copied and pasted the above; result:
Result of firewall command: "no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240 "
ERROR: extra command argument(s)
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240 "
ERROR: extra command argument(s)
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
ERROR: invalid IP address 255.255.255.224%d
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
ERROR: invalid IP address 255.255.255.224%d
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed
Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_acl"
ERROR: access-list <inside_outbound_nat0_acl% d> does not exist
Command failed
Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
ERROR: unable to locate access-list outside_cryptomap_dyn_20%d
Result of firewall command: "crypto map outside_map interface outside"
ASKER
>>>>Where did the "" quotes come from?
From the Command Line interface, under Response. After pasting the commands into the Multiple Line command box I get these results.
Darn. I can't explain why you are getting different results than I am.
Alright. Let's try it another way:
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn_map 20 match address 102
crypto map outside_map interface outside
ASKER
Pasted the commands one by one and these are the results. What do you think?
>>>access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
Result of firewall command: "access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
The command has been sent to the firewall
>>>>access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
Result of firewall command: "access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
The command has been sent to the firewall
>>>>nat (inside) 0 access-list 101
Result of firewall command: "nat (inside) 0 access-list 101"
The command has been sent to the firewall
>>>crypto dynamic-map outside_dyn_map 20 match address 102
Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address 102"
The command has been sent to the firewall
>>>crypto map outside_map interface outside
Result of firewall command: "crypto map outside_map interface outside"
The command has been sent to the firewall
Below is the new configuration:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UNWymiBzcnlfzwoh encrypted
passwd S1AeuoJ.a/5esGG8 encrypted
hostname FreeFire
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq smtp
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.63.20.3 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.227.1-192.168.227.25
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.63.20.2 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.63.20.4 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address 102
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d8422b84a0f6841eae07a7c3
: end
[OK]
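The whole back-and-forth above comes down to three statements that have to agree with each other: the `ip local pool` handed to the `vpngroup`, the NAT-exemption ACL named by `nat (inside) 0`, and the crypto ACL named by the `crypto dynamic-map ... match address` line. The wizard left the two ACLs pointing at 192.168.1.112/28 (a slice of the inside LAN) while the pool lived in 192.168.227.x, and the later paste attempts failed because the referenced ACLs did not exist at the moment the `nat` and `crypto` lines were sent. As an added example, not code from the thread or from Cisco, here is a small Python checker that parses a PIX 6.3 style config and reports exactly those mismatches. The two sample configs are constructed from the configurations posted in this thread (addresses as posted; the pool's upper bound of .25 is read from the posted `ip local pool` line), and the finding strings are my own wording, not PIX error text.

```python
"""Consistency checks for a PIX 6.3 remote-access VPN configuration.

Added example: parses a 'write terminal' style config and reports
  1. a nat (inside) 0 or crypto dynamic-map line that names an ACL
     which is not defined (the 'does not exist' / 'unable to locate'
     errors seen in the thread),
  2. an address pool used by a vpngroup that is not covered by the
     destination of the nat 0 ACL and the crypto ACL,
  3. a pool that overlaps the inside LAN.
"""
import ipaddress

# Constructed sample: the wizard-generated state posted earlier in the thread.
WIZARD_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
ip local pool vpnpool 192.168.227.1-192.168.227.25
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup VPNGroup address-pool vpnpool
"""

# Constructed sample: the state after the fix with ACLs 101 and 102.
FIXED_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
ip local pool vpnpool 192.168.227.1-192.168.227.25
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn_map 20 match address 102
vpngroup VPNGroup address-pool vpnpool
"""


def _net(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out only the statements the VPN checks depend on."""
    cfg = {"acls": {}, "pools": {}, "nat0": [], "crypto": [], "inside": None, "vpn_pools": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            src, i = _net(t, 4)          # t[3] is the protocol keyword
            dst, _ = _net(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].append(t[4])
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            cfg["crypto"].append(t[t.index("address") + 1])
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            cfg["vpn_pools"].append(t[3])
    return cfg


def _covered(acl_entries, lo, hi):
    """True if both ends of the pool fall inside the destination of a permit entry."""
    return any(a == "permit" and lo in dst and hi in dst for a, _, dst in acl_entries)


def check_config(text):
    """Return a list of findings; an empty list means the VPN pieces line up."""
    cfg = parse_config(text)
    findings = []
    refs = [("nat0", n) for n in cfg["nat0"]] + [("crypto", c) for c in cfg["crypto"]]
    for kind, acl in refs:                      # check 1: referenced ACL must exist
        if acl not in cfg["acls"]:
            findings.append(f"{kind}: references undefined access-list {acl}")
    for name in cfg["vpn_pools"]:
        if name not in cfg["pools"]:
            findings.append(f"vpngroup: references undefined pool {name}")
            continue
        lo, hi = cfg["pools"][name]
        for kind, acl in refs:                  # check 2: pool covered by both ACLs
            if acl in cfg["acls"] and not _covered(cfg["acls"][acl], lo, hi):
                findings.append(f"{kind}: pool {name} ({lo}-{hi}) not covered by access-list {acl}")
        if cfg["inside"] and (lo in cfg["inside"] or hi in cfg["inside"]):
            findings.append(f"pool {name} overlaps inside network {cfg['inside']}")  # check 3
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("wizard", WIZARD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_config(cfg_text) or "OK")
```

Run against the wizard state it reports that neither ACL covers the 192.168.227.x pool, which is why clients would get an address but no NAT exemption and no matching crypto entry; against the fixed state it reports nothing. Deleting the `access-list 101` line and re-running reproduces the "undefined access-list" condition the PDM pastes hit when the `no access-list` lines succeeded but the re-add lines did not.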
ip local pool vpnpool 192.168.227.1-192.168.227.
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.63.20.2 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.63.20.4 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address 102
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d84
: end
[OK]
OK. Looks good. Time to give it a whirl with the client and see what happens.
ASKER
Thank you irmoore,
I just tested inside the network, I used the IP address for the ISA server, but I don't get the network drives. How can I have the network drive mapped, and also how can I monitor who is logged in to the network using the VPN connection?
What were the commands that you had me paste in the PIX?
ASKER
Ok, it can work inside my network but not outside my network; maybe I am missing something here. Can I set an outside IP address (from the ISP) to the VPN Server so that I can give it to the clients?
>can I set a outside IP address (from the ISP) to the VPN Server so that I can give it to the clients.
Now we're talking apples and oranges.
I thought we were working to set up the PIX so that you can use the Cisco VPN client to connect directly to the PIX. This is the first time you've mentioned that you want to pass through the PIX and connect to an internal Windows VPN server...
>can I set a outside IP address (from the ISP) to the VPN Server so that I can give it to the clients.
Clients use the outside IP of the PIX
ASKER
Ok, if I am going to use the Cisco VPN Client to connect, what IP address do I use?
ASKER
I am sorry I did not read this
>>>Clients use the outside IP of the PIX
let me test with the PIX outside IP and see if it will work
It will only work from outside the network. You cannot test it from inside..
ASKER
I am getting an error
unable to estabish the VPN connection. the VPN server may be unreachable
Can you ping this IP
>ip address outside 66.63.20.3
From your client?
ASKER
I can ping it and even get a reply back
ASKER
This is what I have config for clients
--->>Network connections
--->>Create a new connection
---->>connect to network @ wkplace
---->>VPN, company Name --->workVPN
--->>IP ---listed ^above etc
login and password used -user login info in AD
Am I missing something here?
You're missing the Cisco VPN client installed on the PC.
If you want to use the Windows client, then you need to make changes to your PIX configuration to accept the PPTP client:
Use the VPN Wizard
Remote Access VPN
Outside
Microsoft Windows Client using PPTP
[x] MSCHAP
* Authenticate using RADIUS/VPNgroup
Pool name [vpnpool]
Primary DNS [192.168.1.156 ]
Secondary DNS [192.168.1.158 ]
Primary WINS [192.168.1.156 ]
Secondary WINS [192.168.1.158 ]
Host/Network exempt from NAT
Browse, select inside LAN 192.168.1.0 / 255.255.255.0
>> add to selected column
MPPE Encryption
* MPPE is Optional
Finish.
Now try using your Microsoft VPN client
ASKER
I am having a problem with verifying username and password
ASKER
when I setup the PPTP, I get this error
--->ERR]no vpdn group L2TP-VPDN-GROUP
vpdn group L2TP-VPDN-GROUP does not exist
Can you help me please, I have to have this working today
ASKER
Irmoore
I need your help with this command
--->access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
From the above commands you told me to paste, did you mean access-list 101, not 102?
No. 101 and 102 are identical at this point, but are applied to 2 different processes.
101 is applied to nat 0 process
102 is applied to the VPN process
This document will walk you through using the command line
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
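The answer above makes the point that 101 and 102 carry the same entries but feed two different processes (the nat 0 exemption and the crypto dynamic-map), and the earlier PPTP error shows the other way a PDM-driven config goes wrong: a command referring to an object that was never defined. Both are easy to lose track of in a long config dump, so here is a small cross-reference checker written for this thread as an added example; it is not code from the thread, from Cisco, or from PDM. It parses a PIX 6.x style config, records which process consumes each access-list, and reports dangling references, crypto ACL destinations that the nat 0 ACL does not exempt, and a client pool that falls outside the crypto ACL destination. The sample config is constructed from the thread's own lines; the pool end address (.30) and the reference to access-list 103 are assumptions added to exercise the checks (the thread's own pool line is truncated).

```python
"""Cross-reference checker for a PIX 6.x style configuration dump.

Added example, not code from this thread or from Cisco. It records which
process consumes each access-list (nat 0 exemption, crypto dynamic-map
match address, access-group) and reports dangling references, crypto ACL
destinations the nat 0 ACL does not exempt, and a client pool that falls
outside the crypto ACL destination. SAMPLE_CONFIG is constructed from the
thread's lines; the pool end (.30) and access-list 103 are assumptions
added to exercise the checks.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
ip local pool vpnpool 192.168.227.1-192.168.227.30
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn_map 20 match address 102
crypto dynamic-map outside_dyn_map 30 match address 103
vpngroup VPNGroup address-pool vpnpool
"""

ACL_NAME_RE = re.compile(r"^access-list (\S+) ")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
REF_RES = {  # process name -> pattern whose group 1 is the ACL it consumes
    "nat0": re.compile(r"^nat \(\S+\) 0 access-list (\S+)$"),
    "crypto": re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)$"),
    "access-group": re.compile(r"^access-group (\S+) in interface \S+$"),
}


def network(spec):
    """Turn 'any' or 'addr mask' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (acls, refs, pools): ACL -> [(src, dst)], ACL -> [process],
    pool -> (first, last). Only 'permit ip' entries contribute networks;
    other ACEs just mark the ACL as defined."""
    acls, refs, pools = defaultdict(list), defaultdict(list), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_NAME_RE.match(line)
        if m:
            acls.setdefault(m.group(1), [])  # register the ACL even without a parsed ACE
            ace = ACE_RE.match(line)
            if ace:
                acls[ace.group(1)].append((network(ace.group(2)), network(ace.group(3))))
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        for process, rx in REF_RES.items():
            m = rx.match(line)
            if m:
                refs[m.group(1)].append(process)
    return acls, refs, pools


def acls_for(refs, process):
    return [name for name, procs in refs.items() if process in procs]


def audit(config):
    """Return a list of human-readable findings (empty means all checks passed)."""
    acls, refs, pools = parse(config)
    findings = []
    # 1. A referenced ACL must exist; the PIX accepts the reference either way.
    for name, procs in sorted(refs.items()):
        if name not in acls:
            findings.append(f"dangling: access-list {name} used by {'/'.join(procs)} is not defined")
    # 2. Each crypto ACL destination must also be nat 0 exempt, otherwise return
    #    traffic to the VPN clients is translated instead of entering the tunnel.
    exempt = [dst for n in acls_for(refs, "nat0") for _, dst in acls.get(n, [])]
    crypto_dsts = [(n, dst) for n in acls_for(refs, "crypto") for _, dst in acls.get(n, [])]
    for name, dst in crypto_dsts:
        if not any(dst.subnet_of(e) for e in exempt):
            findings.append(f"nat: {dst} in crypto access-list {name} is not exempt from NAT")
    # 3. The client pool must sit inside a crypto ACL destination.
    for pool, (first, last) in sorted(pools.items()):
        if not any(first in d and last in d for _, d in crypto_dsts):
            findings.append(f"pool: {pool} {first}-{last} is outside every crypto access-list destination")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the constructed access-list 103 as dangling, because 101 and 102 really are consistent with each other and with the pool; point it at the two identical lines again after editing one of them and check 2 is what catches the drift. The checker only understands `permit ip` entries with address/mask or `any`, which is all the wizard generates for nat 0 and crypto ACLs; port-level entries such as the EXCHANGE_IN lines are counted as defining their ACL but contribute no networks.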