Solved

SetUp VPN On PIX 506e

Posted on 2006-11-06
Last Modified: 2013-11-16
Hello All;

I need help setting up VPN on my PIX 506e. I am not good with firewalls. I need to set up VPN for employees working from home and a branch office to connect to the main office. I will set up both remote access and site-to-site; for now I need to set up remote access. I was able to log in to my PIX 506e at https://192.168.X.X



Thank you,
Question by:ctwalla

37 Comments
 
Expert Comment

by:lrmoore
Since you can access the pix with a web browser, that means that you have the PDM GUI. Can you tell what version you have when it opens? If you have PDM 3.x then you have a great VPN Wizard to help walk you through it step by step.
This document will walk you through using the command line
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
Author Comment

by:ctwalla
I am sorry, I was out of the office. But I have PIX version 6.3(1) and PDM 3.0(1). When I get to the remote access client step (please select the type of VPN client/device to be used) I don't know what to use. I would like to use the Microsoft Windows client using L2TP because I am thinking (if I can do it) of having the clients/employees use the user login information they have in AD to log on to the network, so that in Active Directory properties under Dial-in I can allow remote access permission (VPN). Since I have limited knowledge of firewalls, I need to know if I can have it set up this way.
Accepted Solution

by: lrmoore (earned 500 total points)
Yes you can, but you have to set up one of your Windows servers as a RADIUS server (just install IAS, which comes with Windows 2000/2003).
I would suggest using the Cisco IPSEC client:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

You can use Microsoft PPTP VPN client if you want:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml
Author Comment

by:ctwalla

I have not read the links, but I have set up the IAS server. I did not get the key which is asked for when setting up the AAA server in the PIX VPN Wizard setup. Where do I get the key, and also, under AAA Server Group Name in the same area (Add AAA Server), is this any name I type or the same name I typed during the setup of IAS?

Author Comment

by:ctwalla
Help me with this setting; this is what I have set up so far:

Remote Access Client
  Cisco VPN Client 3.x

VPN Client Group
  Group Name: vpngroup1
  Authentication: (group password)

Extended Client Authentication
  Enable extended client authentication
    AAA Server Group: VPNGroup
      NEW -- AAA Server Group: VPNgroup
        Server IP address: (IAS server)
        Interface: inside
        Key: (no key)

Address Pool
  Pool name: vpnpool
  Range start: 192.168.1.XXX
  Range end:   192.168.1.XXX  (question -- is this the outside IP address from the ISP or inside IPs?)

Attributes Pushed to Client
  Primary DNS:    192.168.1.XX
  Secondary DNS:  192.168.1.XX
  Primary WINS:
  Secondary WINS:

Default Domain Name: XXXX.org

IKE Policy
  Encryption: 3DES
  Authentication: MD5
  DH Group: Group 2 (1024-bit)

Transform Set
  Encryption: 3DES
  Authentication: MD5

Address Translation Exemption
  Host/Network
  IP address

I don't know what to enter, but I can browse and I can see inside .0/24 and outside. Should I add those IP addresses to the list?

Please check to see if I have set it up well.

Thank you.
Author Comment

by:ctwalla
I have an error: "AAA server -- no encryption key found, using unencrypted mode". What do I do?
Expert Comment

by:lrmoore
>  Key   (no key)
The key is a shared key between the PIX and the IAS server. When you set up the PIX as a client in IAS, you designate the key. It's just a password that they both know.

> NEW   -- AAA Srver Group VNPgroup
make sure you selected RADIUS and not TACACS+


>Address Pool
>            pool name vpnpool
>            range state 192.168.1.XXX
Never, ever, ever use 192.168.1.x as your VPN pool.
Never, ever use 192.168.1.x as your inside LAN if supporting VPN clients
Always create the VPN pool in a different subnet than your local LAN

Pool name vpnpool
 start 192.168.227.1
 end 192.168.227.22 <== depends on how many vpn clients you think you'll be supporting at any one time

>Address Transiation Expemption
Host/Network - Inside, Browse and select your Internal LAN / mask
click >> to add to selected column, Finish

Why not use 192.168.1.x, you ask? Because 90% of the clients that you will be supporting in home/hotspot/hotels will *also* have 192.168.1.x as their local LAN. This is by far the most used subnet in the world and the default for the vast majority of home/SOHO routers, and yes, even the PIX. Bite the bullet now and change your internal LAN to something a bit more obscure like 192.168.229.x
Expert Comment

by:lrmoore
>I have not read the links, but I have set up the IAS Server,
Please read this link. It tells you exactly how to set up the IAS server, step by step.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Author Comment

by:ctwalla
I have set up the IAS server using the link info above. How do I enter the key, which I did not enter when I was setting up the PIX? Also, do I need to enable Easy VPN Remote under the VPN tab -- Configuration?

I have changed the ip address pool--thank you for that info.


Please look at my configuration and tell me if it is OK:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxx   encrypted
passwd xxxxxx encrypted
hostname FreeFire
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq smtp
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.x.x 255.255.255.0 192.168.x.xxx 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.xxx 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.x 255.255.255.192
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.210.1-192.168.210.25
pdm location 192.168.x.x 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.255 inside
pdm location 192.168.1.xxx 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.xxx netmask 255.255.255.255 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.xxx netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.xx.xx.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.xxx timeout 10
http server enable
http 192.168.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ****** address 192.168.1.xxx netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.xxx 192.168.1.xxx
vpngroup VPNGroup wins-server 192.168.1.xxx 192.168.1.xxx
vpngroup VPNGroup default-domain xxxxxxxxxxx.com
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password *******
telnet 192.168.x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a069d8422b84a0f6841eae07a7c3
: end
[OK]
Expert Comment

by:lrmoore
>how do I enter the key which I did not enter when I was setting up the PIX.
aaa-server VPNgroup key mySecretKey

No, you do not need to enable EasyVPN

>vpngroup VPNGroup dns-server 192.168.1.xxx 192.168.1.xxx
>vpngroup VPNGroup wins-server 192.168.1.xxx 192.168.1.xxx
Are these 192.168.1.x IP's still valid?

You don't have to 'hide' your 192.168.x.x addresses. It just makes it more difficult for us to see the uniqueness of the subnets/masks and help you. Nobody cares what your private IPs are, because there are only so many of them and none of them are accessible from anywhere except your local LAN.
Author Comment

by:ctwalla
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UNWymiBzcnlfzwoh encrypted
passwd S1AeuoJ.a/5esGG8 encrypted
hostname FreeFire
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq smtp
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq www
access-list EXCHANGE_IN permit tcp any host 66.xx.xx.x eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.xx.xx.x 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.227.1-192.168.227.25
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.xx.xx.x 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d8422b84a0f6841eae07a7c3
: end
[OK]
Expert Comment

by:lrmoore
These two have to change to match your VPN pool:
>access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
>access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240

no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.0
access-list outside_crypto_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.0

-- these are in the config now, but must be re-entered since we deleted the ACLs above
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside

>PIX Version 6.3(1)
FYI, this is a very buggy version. I suggest you update to 6.3(5) ASAP.

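As an added example (not code from this thread, from Cisco, or from either poster), a small Python lint that reads a PIX 6.x running config and flags the problems raised across the replies above: a VPN pool that overlaps the inside LAN or sits in 192.168.1.0/24, nat 0 and crypto-map match ACLs whose destination does not cover the pool, and a RADIUS aaa-server group that has no shared key. The two sample configs are constructed from the config posted in the thread, trimmed to the lines the checks read; mySecretKey is the placeholder key name from the reply above.

```python
"""Lint a PIX 6.x remote-access VPN config for the pitfalls raised in this
thread. Added example, not code from the thread or from Cisco; the sample
configs are constructed from the posted config and trimmed to relevant lines."""
import ipaddress
import re

# Default LAN of most home/SOHO routers: a VPN pool or inside LAN in it
# collides with the remote user's own network.
HOTSPOT_NET = ipaddress.ip_network("192.168.1.0/24")


def _take_net(tokens):
    """Consume one ACL address term: 'any', 'host A', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_pix(config):
    """Extract only the lines the VPN checks need from a PIX 6.x config."""
    cfg = {"acls": {}, "pools": {}, "radius_groups": set(), "keyed_groups": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", line):
            tokens = m[2].split()
            _take_net(tokens)  # source term is not needed for these checks
            cfg["acls"].setdefault(m[1], []).append(_take_net(tokens))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif m := re.match(r"crypto dynamic-map \S+ \d+ match address (\S+)$", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"crypto map \S+ client authentication (\S+)$", line):
            cfg["client_auth"] = m[1]
        elif m := re.match(r"aaa-server (\S+) protocol radius$", line):
            cfg["radius_groups"].add(m[1])
        elif m := re.match(r"aaa-server (\S+) key \S+$", line):
            cfg["keyed_groups"].add(m[1])
    return cfg


def lint(config):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_pix(config)
    findings = []
    inside = cfg.get("inside")
    for name, (start, end) in cfg["pools"].items():
        pool_nets = list(ipaddress.summarize_address_range(start, end))
        if inside and any(n.overlaps(inside) for n in pool_nets):
            findings.append(f"pool {name} overlaps the inside LAN {inside}")
        if any(n.overlaps(HOTSPOT_NET) for n in pool_nets):
            findings.append(f"pool {name} lies in {HOTSPOT_NET}; use another subnet")
        # nat 0 exemption and crypto-map ACL must both name the pool as destination
        for role in ("nat0_acl", "crypto_acl"):
            acl = cfg.get(role)
            dests = cfg["acls"].get(acl, [])
            if not all(any(n.subnet_of(d) for d in dests) for n in pool_nets):
                findings.append(f"{role} {acl} does not cover pool {name} ({start}-{end})")
    if inside and inside.overlaps(HOTSPOT_NET):
        findings.append(f"inside LAN {inside} collides with the usual home-router LAN")
    group = cfg.get("client_auth")
    if group in cfg["radius_groups"] and group not in cfg["keyed_groups"]:
        findings.append(f"RADIUS group {group} has no shared key (aaa-server {group} key ...)")
    return findings


# Constructed from the config posted mid-thread: the pool has moved to
# 192.168.227.x, but both ACLs still point at the old 192.168.1.112/28 range.
BEFORE_CFG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
ip local pool vpnpool 192.168.227.1-192.168.227.25
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map client authentication VPNgroup
"""

# The same box after the thread's advice: ACLs cover the pool, the inside LAN
# moved off 192.168.1.0/24, and the RADIUS group has its shared key set.
AFTER_CFG = """\
ip address inside 192.168.229.1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.229.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 192.168.229.0 255.255.255.0 192.168.227.0 255.255.255.224
ip local pool vpnpool 192.168.227.1-192.168.227.25
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server VPNgroup protocol radius
aaa-server VPNgroup key mySecretKey
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map client authentication VPNgroup
"""
```

Run `lint(BEFORE_CFG)` to see the four findings for the posted config and `lint(AFTER_CFG)` to confirm the corrected one is clean; the same function can be pointed at a `show running-config` capture from any PIX 6.x box.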
 

Author Comment

by:ctwalla
Where do I change this? The categories are:
  IPsec
  IKE
  Remote Access
Expert Comment

by:lrmoore
From the command line.

Copy all of the following. Go to Tools | Command line tool | Multi line command, paste all of it in the window, and hit Submit.


no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list outside_crypto_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside
Author Comment

by:ctwalla
This is the response:

Result of firewall command: "no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240 "
 
ERROR: extra command argument(s)
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240 "
 
ERROR: extra command argument(s)
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
 
ERROR: invalid IP address 255.255.255.224%d
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "access-list outside_crypto_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
 
ERROR: invalid IP address 255.255.255.224%d
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_acl"
 
ERROR: access-list <inside_outbound_nat0_acl%d> does not exist
Command failed

Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
 
ERROR: unable to locate access-list outside_cryptomap_dyn_20%d

Result of firewall command: "crypto map outside_map interface outside"
 

Result of firewall command: ""
 
The command has been sent to the firewall
Author Comment

by:ctwalla
And this is the new configuration after pasting the above:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UNWymiBzcnlfzwoh encrypted
passwd S1AeuoJ.a/5esGG8 encrypted
hostname FreeFire
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq smtp
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.63.20.3 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.227.1-192.168.227.25
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.63.20.2 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.63.20.4 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d8422b84a0f6841eae07a7c3
: end
[OK]

Expert Comment

by:lrmoore
>Result of firewall command: ""

Where did the "" quotes come from?
 
This is the output from my PIX
Result of firewall command: "no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240 "

Result of firewall command: "no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240 "

Result of firewall command: "access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"

Result of firewall command: "access-list outside_crypto_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"

Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_acl"

Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
 
ERROR: unable to locate access-list outside_cryptomap_dyn_20

Result of firewall command: "crypto map outside_map interface outside"
 
I fixed the error (a typo on my part). Cut/paste the following script:

no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside


Author Comment

by:ctwalla
Copied and pasted the above; this is the result:

Result of firewall command: "no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240 "
 
ERROR: extra command argument(s)
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "no access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240 "
 
ERROR: extra command argument(s)
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
 
ERROR: invalid IP address 255.255.255.224%d
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "access-list outside_cryptomap_dyn_20 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
 
ERROR: invalid IP address 255.255.255.224%d
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "nat (inside) 0 access-list inside_outbound_nat0_acl"
 
ERROR: access-list <inside_outbound_nat0_acl%d> does not exist
Command failed

Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
 
ERROR: unable to locate access-list outside_cryptomap_dyn_20%d

Result of firewall command: "crypto map outside_map interface outside"
 
0

Author Comment

by:ctwalla
>>>>Where did the "" quotes come from?

From the Command Line interface, under response. After pasting the command into the Multiple Line command I get these results.

0
 
LVL 79

Expert Comment

by:lrmoore
Darn. I can't explain why you are getting different results than I am.

All right. Let's try it another way:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
nat (inside) 0 access-list 101
crypto dynamic-map outside_dyn_map 20 match address 102
crypto map outside_map interface outside

0
 

Author Comment

by:ctwalla
I pasted the commands one by one and these are the results. What do you think?

>>>access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224

Result of firewall command: "access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
 
The command has been sent to the firewall

>>>>access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224

Result of firewall command: "access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224"
 
The command has been sent to the firewall

>>>>nat (inside) 0 access-list 101

Result of firewall command: "nat (inside) 0 access-list 101"
 
The command has been sent to the firewall

>>>crypto dynamic-map outside_dyn_map 20 match address 102

Result of firewall command: "crypto dynamic-map outside_dyn_map 20 match address 102"
 
The command has been sent to the firewall

>>>crypto map outside_map interface outside
Result of firewall command: "crypto map outside_map interface outside"
 
The command has been sent to the firewall

Below is the new configuration:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UNWymiBzcnlfzwoh encrypted
passwd S1AeuoJ.a/5esGG8 encrypted
hostname FreeFire
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq smtp
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq www
access-list EXCHANGE_IN permit tcp any host 66.63.20.4 eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.63.20.3 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.227.1-192.168.227.25
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.150 255.255.255.255 inside
pdm location 192.168.1.157 255.255.255.255 inside
pdm location 192.168.1.158 255.255.255.255 inside
pdm location 192.168.1.112 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.63.20.2 192.168.1.157 netmask 255.255.255.255 0 0
static (inside,outside) 66.63.20.4 192.168.1.150 netmask 255.255.255.255 0 0
access-group EXCHANGE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 66.63.20.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNgroup protocol radius
aaa-server VPNgroup (inside) host 192.168.1.158 timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address 102
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication VPNgroup
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.158 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGroup address-pool vpnpool
vpngroup VPNGroup dns-server 192.168.1.156 192.168.1.158
vpngroup VPNGroup wins-server 192.168.1.156 192.168.1.156
vpngroup VPNGroup default-domain HOmefreeusa.org
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8088a069d8422b84a0f6841eae07a7c3
: end
[OK]




0
 
LVL 79

Expert Comment

by:lrmoore
OK. Looks good. Time to give it a whirl with the client and see what happens.
0
 

Author Comment

by:ctwalla
Thank you lrmoore,

I just tested inside the network. I used the IP address of the ISA server, but I don't get the network drives. How can I have the network drives mapped, and also how can I monitor who is logged in to the network using the VPN connection?

What were the commands that you had me paste into the PIX?
0
 

Author Comment

by:ctwalla
OK, it works inside my network but not outside my network; maybe I am missing something here. Can I set an outside IP address (from the ISP) on the VPN server so that I can give it to the clients?
0
 
LVL 79

Expert Comment

by:lrmoore
>can I set a outside IP address (from the ISP) to the VPN Server so that I can give it to the clients.

Now we're talking apples and oranges.
I thought we were working to set up the PIX so that you can use the Cisco VPN client to connect directly to the PIX. This is the first time you've mentioned that you want to pass through the PIX and connect to an internal Windows VPN server...

>can I set a outside IP address (from the ISP) to the VPN Server so that I can give it to the clients.
Clients use the outside IP of the PIX

0
 

Author Comment

by:ctwalla
OK, if I am going to use the Cisco VPN Client to connect, what IP address do I use?
0
 

Author Comment

by:ctwalla
I am sorry, I did not read this:
>>>Clients use the outside IP of the PIX

Let me test with the PIX outside IP and see if it will work.
0
 
LVL 79

Expert Comment

by:lrmoore
It will only work from outside the network. You cannot test it from inside.
0
 

Author Comment

by:ctwalla
I am getting an error:

unable to establish the VPN connection. The VPN server may be unreachable
0
 
LVL 79

Expert Comment

by:lrmoore
Can you ping this IP
>ip address outside 66.63.20.3
from your client?
0
 

Author Comment

by:ctwalla
I can ping it and even get a reply back.
0
 

Author Comment

by:ctwalla
This is what I have configured for clients:
--->>Network connections
    --->>Create a new connection
     ---->>Connect to network @ workplace
        ---->>VPN, company name --->workVPN
            --->>IP  ---listed ^above etc.
Login and password used: user login info in AD

Am I missing something here?
 
0
 
LVL 79

Expert Comment

by:lrmoore
You're missing the Cisco VPN client installed on the PC.

If you want to use the Windows client, then you need to make changes to your PIX configuration to accept the PPTP client:
Use the VPN Wizard

Remote Access VPN
   Outside
Microsoft Windows Client using PPTP
  [x] MSCHAP
 * Authenticate using RADIUS/VPNgroup

Pool name [vpnpool]

Primary DNS [192.168.1.156 ]
Secondary DNS [192.168.1.158 ]
Primary WINS [192.168.1.156 ]
Secondary WINS [192.168.1.158 ]

Hosts/Networks exempt from NAT
Browse, select inside LAN 192.168.1.0 / 255.255.255.0
 >> add to selected column

MPPE Encryption
 * MPPE is Optional

Finish.

Now try using your Microsoft VPN client



0
 

Author Comment

by:ctwalla
I am having a problem with verifying the username and password.
0
 

Author Comment

by:ctwalla
When I set up the PPTP, I get this error:

--->ERR]no vpdn group L2TP-VPDN-GROUP
      vpdn group L2TP-VPDN-GROUP does not exist

Can you help me please? I have to have this working today.
0
 

Author Comment

by:ctwalla
lrmoore,
  I need your help with this command:
  --->access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224

From the above commands you told me to paste, did you mean access-list 101, not 102?
0
 
LVL 79

Expert Comment

by:lrmoore
No. 101 and 102 are identical at this point, but are applied to 2 different processes.
101 is applied to nat 0 process
102 is applied to the VPN process
0
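The split lrmoore describes (one list on the nat 0 process, one on the crypto map) is easy to lose track of once the two lists drift apart, and the earlier PDM errors in this thread ("access-list ... does not exist", "unable to locate access-list ...") are what a dangling reference looks like. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a constructed excerpt of the configuration posted above and checks that the ACL bound to `nat (inside) 0` and the ACL bound to `crypto dynamic-map ... match address` both permit inside LAN to VPN pool, that the pool does not sit inside the LAN, and that no ACL is left defined but unreferenced. The parser only understands the PIX 6.3 address forms that appear in this thread (`any`, `host A`, `A MASK`, an `eq` port); object-group forms are not handled, and all function names are this example's own.

```python
"""Audit the NAT-exemption and crypto ACLs of a PIX 6.3 remote-access VPN.

Added example, not code from this thread. It checks the two ACL bindings
discussed above: 'nat (inside) 0 access-list X' (traffic exempt from NAT)
and 'crypto dynamic-map ... match address Y' (traffic to encrypt). Both
must cover inside LAN -> VPN pool, the pool must not overlap the inside
LAN, and ACLs that nothing references are reported as leftovers.
"""
import ipaddress

# Constructed excerpt of the configuration posted in the thread.
PIX_CONFIG = """\
access-list EXCHANGE_IN permit tcp any host 66.63.20.2 eq www
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.1.112 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.112 255.255.255.240
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.227.0 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.227.1-192.168.227.25
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group EXCHANGE_IN in interface outside
crypto dynamic-map outside_dyn_map 20 match address 102
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
vpngroup VPNGroup address-pool vpnpool
"""


def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull ACL entries, ACL bindings, the inside LAN and the address pool out of a config."""
    cfg = {"acls": {}, "bindings": {}, "pools": {}, "pool_in_use": None, "inside": None}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _addr(t[4:])
            if rest and rest[0] in ("eq", "neq", "gt", "lt"):  # skip a source port
                rest = rest[2:]
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:2] == ["nat", "(inside)"] and t[2:4] == ["0", "access-list"]:
            cfg["bindings"]["nat0"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            cfg["bindings"]["crypto"] = t[t.index("address") + 1]
        elif t[:1] == ["access-group"]:
            cfg["bindings"]["access-group " + t[4]] = t[1]
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["vpngroup"] and t[2:3] == ["address-pool"]:
            cfg["pool_in_use"] = t[3]
    return cfg


def _covers(entries, inside, pool):
    """True if some 'permit ip' entry has source >= inside LAN and destination >= whole pool."""
    lo, hi = pool
    return any(action == "permit" and proto == "ip"
               and inside.subnet_of(src) and lo in dst and hi in dst
               for action, proto, src, dst in entries)


def audit(text):
    """Return a list of findings; an empty list means the VPN ACL plumbing is consistent."""
    cfg = parse_config(text)
    pool = cfg["pools"].get(cfg["pool_in_use"])
    if pool is None:
        return [f"address pool {cfg['pool_in_use']!r} is not defined"]
    findings = []
    if any(end in cfg["inside"] for end in pool):  # either pool endpoint inside the LAN
        findings.append("pool overlaps the inside LAN; clients and LAN hosts would collide")
    for role in ("nat0", "crypto"):
        name = cfg["bindings"].get(role)
        if name is None:
            findings.append(f"{role}: no ACL is bound")
        elif name not in cfg["acls"]:
            findings.append(f"{role}: ACL {name!r} is referenced but never defined")
        elif not _covers(cfg["acls"][name], cfg["inside"], pool):
            findings.append(f"{role}: ACL {name!r} does not cover inside LAN -> pool")
    bound = set(cfg["bindings"].values())
    findings += [f"unused: ACL {name!r} is defined but bound to nothing"
                 for name in cfg["acls"] if name not in bound]
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG) or ["OK: nat 0 and crypto ACLs both cover LAN -> pool"]:
        print(finding)
```

Run against the excerpt it reports nothing about 101 and 102, which is the state lrmoore signed off on, and flags only the two leftovers (`inside_outbound_nat0_acl` and `outside_cryptomap_dyn_20`) that nothing references any more. Those two point at 192.168.1.112/28, a block inside the 192.168.1.0/24 LAN, so they are worth deleting rather than leaving around for someone to rebind later. Narrowing the mask on 102 so the pool no longer fits, or pointing `nat (inside) 0` at a name that is not defined, produces the corresponding finding instead.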
