Creating remote user and remote site VPN tunnels to Cisco Pix 525.

Posted on 2006-11-07
Last Modified: 2013-11-16
Hi all,

I have a Cisco PIX 525 firewall which needs setting up for VPN access from both remote users creating a MS VPN tunnel from an XP machine as well as a static VPN tunnel from remote sites with static IP addresses. Below is a copy of the existing configuration on the firewall. I want the PIX to handle the VPN setup, so it needs a list of users on it. The IP range to be passed out to remote users is 10.0.2.190-10.0.2.199. There are some existing references to VPN stuff in the existing configuration, as this was inherited from a previous consultant. The remote users need to connect to 62.253.220.43. Again, there are references to this in the access list and NAT table, but these can be altered as required.

Many thanks for all your help

Bob (config below...)

PIX Version 7.0(4)
!
hostname LUPIXFW-01
domain-name luton.watford
enable password yyB04azV5FZ8k/yT encrypted
names
!
interface Ethernet0
description External Interface - gateway at 62.253.220.60
nameif External
security-level 0
ip address 62.253.220.1 255.255.255.192
!
interface Ethernet1
description Interface for 10.0.0.0/24 subnet
nameif Intsub1
security-level 100
ip address 10.0.0.5 255.255.255.0
!
interface Ethernet2
description Interface for 10.0.2.0/24 subnet
nameif Intsub2
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0
description Temporarily Disabled
shutdown
no nameif
no security-level
no ip address
!
passwd dwBY9HLvwmE7Vmpf encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup External
dns domain-lookup Intsub1
dns domain-lookup Intsub2
dns name-server 10.0.0.1
dns name-server 10.0.2.11
dns name-server 10.0.0.12
dns name-server 10.0.0.3
same-security-traffic permit inter-interface
object-group service Mail.Watford.Co.Uk_10.0.0.1_TCP tcp
description Mail.Waford.Co.Uk (62.253.220.4) Inbound TCP Ports To 10.0.0.1
port-object eq pptp
port-object eq 47
port-object eq 3389
port-object eq ftp
port-object eq nntp
port-object eq imap4
port-object eq domain
object-group service Mail.Watford.Co.Uk_10.0.0.1_UDP udp
description Mail.Watford.Co.Uk (62.253.220.4) Inbound UDP Ports To 10.0.0.1
port-object eq 1701
port-object eq domain
object-group service Mail.Watford.Co.Uk_10.0.0.10_TCP tcp
description Mail.Watford.Co.Uk (62.253.220.4) Inbound TCP Ports To 10.0.0.10
port-object eq pop3
port-object eq www
object-group service Starbug_10.0.2.102_TCP tcp
description Starbug (62.253.220.3) Inbound TCP Ports To 10.0.2.102
port-object eq 2200
port-object eq ftp
port-object eq 9663
object-group service WatfordVPN_10.0.2.88_TCP tcp
description Watford-VPN (62.253.220.43) Inbound TCP Ports To 10.0.2.88
port-object eq pptp
port-object eq 1701
object-group service WatfordVPN_10.0.2.88_UDP udp
description Watford-VPN (62.253.220.43) Inbound UDP Ports To 10.0.2.88
port-object eq 1701
port-object eq 1723
object-group service Masterpack_10.0.2.10_TCP tcp
description Masterpack (62.253.220.18) Inbound TCP Ports To 10.0.2.10
port-object eq telnet
port-object eq ftp
port-object eq 3468
port-object eq https
object-group service Test.Savastore_10.0.2.202_TCP tcp
description Test.Savastore (62.253.220.26) Inbound TCP Ports To 10.0.2.202
port-object eq 8797
port-object eq www
port-object eq 8799
port-object eq https
object-group service Hoasting_10.0.2.210_TCP tcp
description Hoasting (62.253.220.12) Inbound TCP Ports To 10.0.2.210
port-object eq smtp
port-object eq 3389
port-object eq pop3
port-object eq www
object-group service Gandalf_10.0.0.6_TCP tcp
description Gandalf (62.253.220.22)  Inbound TCP Ports To 10.0.0.6
port-object eq www
port-object eq https
object-group service Xchange01_10.0.2.30_TCP tcp
description Xchange01 (62.253.220.7) Inbound TCP Ports To 10.0.2.30
port-object eq www
object-group service NeilCrowther_10.0.0.99_UDP udp
description Neil Crowther (62.253.220.25) Inbound UDP Ports To 10.0.0.99
port-object eq 4665
port-object eq 39582
port-object eq 4672
port-object eq 1200
port-object eq 27015
object-group service NeilCrowther_10.0.0.99_TCP tcp
description Neil Crowther (62.253.220.25) Inbound TCP Ports To 10.0.0.99
port-object eq 4662
port-object eq 4711
port-object eq 4661
port-object eq 29900
port-object eq 27015
port-object eq 55125
port-object eq 39582
port-object eq 55124
port-object eq 55123
port-object eq 3389
port-object eq 16567
object-group service Ironmail_10.0.0.21_TCP tcp
description Ironmail (62.253.220.45) Inbound TCP Ports To 10.0.0.21
port-object eq 10443
port-object eq 465
port-object eq 995
port-object eq smtp
port-object eq imap4
port-object eq 993
port-object eq www
port-object eq ssh
port-object eq ftp-data
port-object eq pop3
port-object eq 20022
object-group service Web-Servers_10.0.2.15_TCP tcp
description Web-Servers (62.253.220.14) Inbound TCP Ports To 10.0.2.15
port-object eq 2803
port-object eq 8232
port-object eq 2801
port-object eq 7244
port-object eq www
port-object eq https
port-object eq 1234
object-group service Agodfrey_10.0.2.110_TCP tcp
description Agodfrey (62.253.220.44) Inbound TCP Port To 10.0.2.110
port-object eq 3389
object-group service Dalius_10.0.2.87_TCP tcp
description Dalius (62.253.220.9) Inbound TCP Ports To 10.0.2.87
port-object eq 3389
object-group service Luton-TS001_10.0.0.95_TCP tcp
description Luton-TS001 (62.253.220.35) Inbound TCP Ports To 10.0.0.95
port-object eq 3389
port-object eq www
port-object eq https
object-group service Hades_10.0.2.23_TCP tcp
description Hades (62.253.220.20) Inbound TCP Ports To 10.0.2.23
port-object eq 10001
port-object eq pcanywhere-data
port-object eq www
port-object eq https
port-object eq 9734
port-object eq 800
object-group service Hades_10.0.2.23_UDP udp
description Hades (62.253.220.20) Inbound UDP Ports To 10.0.2.23
port-object eq pcanywhere-status
object-group service Intsub1_Network_TCP tcp
description Intsub1 (10.0.0.0/24) Inbound TCP Ports
port-object eq 8080
port-object eq ident
port-object eq 77
object-group service Intsub1_Network_UDP udp
description Intsub1 (10.0.0.0/24) Inbound UDP Ports
port-object range 1024 65535
port-object eq domain
object-group service Intsub2_Network_TCP tcp
description Intsub2 (10.0.2.0/24) Inbound TCP Ports
port-object eq 8080
port-object eq ident
port-object eq 77
object-group service Intsub2_Network_UDP udp
description Intsub2 (10.0.2.0/24) Inbound UDP Ports
port-object range 1024 65535
port-object eq domain
object-group service Starbug_10.0.2.15_TCP tcp
description Starbug (62.253.220.3) Inbound TCP Ports To 10.0.2.15
port-object eq 9090
object-group service Mail.Watford.Co.Uk_10.0.0.21_TCP tcp
description Mail.Waford.Co.Uk (62.253.220.4) Inbound TCP Ports To 10.0.0.21
port-object eq smtp
port-object eq 20022
object-group service Xchange01_10.0.2.46_TCP tcp
description Xchange01 (62.253.220.7) Inbound TCP Ports To 10.0.2.46
port-object eq ftp
object-group service HadesUDP udp
object-group service Andrews_10.0.0.24_TCP tcp
description Watford-VPN (62.253.220.11) Inbound TCP Ports To 10.0.0.24
port-object eq 3389
object-group service Old-Web-TCP tcp
port-object eq www
object-group service Mail_Host_10.0.0.3 tcp
port-object eq smtp
object-group service Redten_web tcp
port-object eq www
port-object eq https
object-group service RedTenInternet_10.0.2.21_TCP tcp
description Red Ten Internet (62.253.209.129) Inbound TCP Ports To 10.0.2.21
port-object eq www
port-object eq https
port-object eq kshell
object-group service RedTen_10.0.2.24_TCP tcp
description Red Ten (62.253.209.130) Inbound TCP Ports To 10.0.2.24
port-object eq www
object-group service MailRedTen_10.0.0.14_TCP tcp
description Red Ten Mail (62.253.209.131) Inbound TCP Ports To 10.0.0.14
port-object eq smtp
access-list acl-out extended permit icmp any any
access-list External_access_in extended permit icmp any any unreachable
access-list External_access_in extended permit icmp any any time-exceeded
access-list External_access_in extended permit icmp any any traceroute
access-list External_access_in extended permit ip any host 62.253.220.43
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit tcp any host 62.253.220.14 object-group Web-Servers_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.10_TCP
access-list External_access_in extended permit tcp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.1_TCP
access-list External_access_in extended permit udp any host 62.253.220.4 object-group Mail.Watford.Co.Uk_10.0.0.1_UDP
access-list External_access_in extended permit tcp any host 62.253.220.20 object-group Hades_10.0.2.23_TCP
access-list External_access_in extended permit udp any host 62.253.220.20 object-group Hades_10.0.2.23_UDP
access-list External_access_in extended permit tcp any host 62.253.220.43 object-group WatfordVPN_10.0.2.88_TCP
access-list External_access_in extended permit tcp any host 62.253.220.22 object-group Gandalf_10.0.0.6_TCP
access-list External_access_in extended permit tcp any host 62.253.220.18 object-group Masterpack_10.0.2.10_TCP
access-list External_access_in extended permit tcp any host 62.253.220.25 object-group NeilCrowther_10.0.0.99_TCP
access-list External_access_in extended permit udp any host 62.253.220.25 object-group NeilCrowther_10.0.0.99_UDP
access-list External_access_in extended permit tcp any host 62.253.220.26 object-group Test.Savastore_10.0.2.202_TCP
access-list External_access_in extended permit tcp any host 62.253.220.7 object-group Xchange01_10.0.2.30_TCP
access-list External_access_in extended permit tcp any host 62.253.220.35 object-group Luton-TS001_10.0.0.95_TCP
access-list External_access_in extended permit tcp any host 62.253.220.44 object-group Agodfrey_10.0.2.110_TCP
access-list External_access_in extended permit tcp any host 62.253.220.4 object-group Ironmail_10.0.0.21_TCP
access-list External_access_in extended permit tcp any host 62.253.220.9 object-group Dalius_10.0.2.87_TCP
access-list External_access_in extended permit tcp any host 62.253.220.12 object-group Hoasting_10.0.2.210_TCP
access-list External_access_in extended permit tcp any host 62.253.220.3 object-group Starbug_10.0.2.102_TCP
access-list External_access_in extended permit tcp any host 62.253.220.3 object-group Starbug_10.0.2.15_TCP
access-list External_access_in extended permit tcp any host 62.253.220.45 object-group Mail.Watford.Co.Uk_10.0.0.21_TCP
access-list External_access_in extended permit tcp any host 62.253.220.7 object-group Xchange01_10.0.2.46_TCP
access-list External_access_in extended permit udp any host 62.253.220.43 object-group WatfordVPN_10.0.2.88_UDP
access-list External_access_in extended permit tcp any host 62.253.220.11 object-group Andrews_10.0.0.24_TCP
access-list External_access_in extended permit tcp any host 62.253.220.5 object-group Old-Web-TCP
access-list External_access_in extended permit tcp any host 62.253.209.129 object-group RedTenInternet_10.0.2.21_TCP
access-list External_access_in extended permit tcp any host 62.253.209.131 object-group MailRedTen_10.0.0.14_TCP
access-list External_access_in extended permit tcp any host 62.253.209.130 object-group RedTen_10.0.2.24_TCP
access-list External_access_in extended permit gre any host 62.253.220.43
access-list outbound extended permit ip interface Intsub1 any
access-list outbound extended permit ip interface Intsub2 any
access-list Intsub1_nat0_outbound extended permit ip any 10.0.2.128 255.255.255.128
access-list External_cryptomap_dyn_20 extended permit ip any 10.0.2.128 255.255.255.128
!
ftp-map inbound_ftp
!
pager lines 24
logging enable
logging buffered notifications
logging from-address PixFw@watford.co.uk
logging recipient-address Neil@watford.co.uk level errors
logging recipient-address Mike@Watford.co.uk level errors
mtu External 1500
mtu Intsub1 1500
mtu Intsub2 1500
ip local pool VPNUsers 10.0.2.190-10.0.2.199 mask 255.255.0.0
failover
failover key *****
icmp permit any External
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (External) 1 interface
nat (Intsub1) 0 access-list Intsub1_nat0_outbound
nat (Intsub1) 1 10.0.0.0 255.255.255.0
nat (Intsub2) 1 10.0.2.0 255.255.255.0
static (Intsub2,External) tcp 62.253.220.14 www 10.0.2.15 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 https 10.0.2.15 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 2801 10.0.2.15 2801 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 7244 10.0.2.15 7244 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 8232 10.0.2.15 8232 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 2803 10.0.2.15 2803 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.14 1234 10.0.2.15 1234 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 www 10.0.0.10 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 www 10.0.2.23 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 https 10.0.2.23 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 800 10.0.2.23 800 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 pcanywhere-data 10.0.2.23 pcanywhere-data netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 9734 10.0.2.23 9734 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.20 10001 10.0.2.23 10001 netmask 255.255.255.255
static (Intsub2,External) udp 62.253.220.20 pcanywhere-status 10.0.2.23 pcanywhere-status netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 ftp 10.0.2.10 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 telnet 10.0.2.10 telnet netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 https 10.0.2.10 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.18 3468 10.0.2.10 3468 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 www 10.0.2.202 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 https 10.0.2.202 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 8797 10.0.2.202 8797 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.26 8799 10.0.2.203 8799 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.22 www 10.0.0.6 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.22 https 10.0.0.6 https netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.7 www 10.0.2.30 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.9 3389 10.0.2.87 3389 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 smtp 10.0.2.210 smtp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 www 10.0.2.210 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 pop3 10.0.2.210 pop3 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.12 3389 10.0.2.210 3389 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 ftp 10.0.2.102 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 2200 10.0.2.102 2200 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 9663 10.0.2.102 9663 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.3 www 10.0.2.15 9090 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.14 www 10.0.2.15 www netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 smtp 10.0.0.21 smtp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.7 ftp 10.0.2.46 ftp netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.220.5 www 10.0.2.19 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.209.129 www 10.0.2.21 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.209.129 https 10.0.2.21 klogin netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.209.131 smtp 10.0.0.14 smtp netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.4 3389 10.0.0.1 3389 netmask 255.255.255.255
static (Intsub1,External) tcp 62.253.220.45 20022 10.0.0.21 20022 netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.209.130 www 10.0.2.29 www netmask 255.255.255.255
static (Intsub2,External) tcp 62.253.209.129 kshell 10.0.2.21 kshell netmask 255.255.255.255
static (Intsub1,External) 62.253.220.25 10.0.0.99 netmask 255.255.255.255
static (Intsub2,External) 62.253.220.44 10.0.2.110 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.35 10.0.0.95 netmask 255.255.255.255
static (Intsub2,External) 62.253.220.40 10.0.2.40 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.24 10.0.0.53 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.2 10.0.0.4 netmask 255.255.255.255
static (Intsub1,External) 62.253.220.11 10.0.0.24 netmask 255.255.255.255
static (Intsub2,External) 62.253.220.43 10.0.2.88 netmask 255.255.255.255
access-group External_access_in in interface External
rip Intsub1 passive version 1
rip Intsub1 default version 1
route External 0.0.0.0 0.0.0.0 62.253.220.60 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Test internal
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
vpn-group-policy Test
username administrator password DIDoj/44tMeFMFGd encrypted privilege 15
username VPVCB password Gn4o76xpvJ.LhSd. encrypted
username vpnsheffield password rwIeSYYGLMx./p9L encrypted
username andrews password VWz7WydquTjZz/aD encrypted privilege 15
http server enable
http 0.0.0.0 0.0.0.0 External
http 10.0.0.0 255.255.255.0 Intsub1
http 10.0.2.0 255.255.255.0 Intsub2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 External
fragment chain 1 Intsub1
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map External_dyn_map 20 match address External_cryptomap_dyn_20
crypto dynamic-map External_dyn_map 20 set transform-set ESP-DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Test type ipsec-ra
tunnel-group Test general-attributes
address-pool VPNUsers
default-group-policy Test
tunnel-group Test ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.0.0.0 255.255.255.0 Intsub1
telnet 10.0.2.0 255.255.255.0 Intsub2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 External
ssh timeout 30
console timeout 0
!
class-map ftp_port
match port tcp eq ftp
!
!
policy-map ftp_policy
class ftp_port
  inspect ftp
!
service-policy ftp_policy interface External
smtp-server 10.0.0.1 10.0.0.10
Cryptochecksum:9f1b9f6722d1405c47f3a339364fbad9
: end
Question by:Bob Sampson
5 Comments

Accepted Solution

by:
lrmoore earned 280 total points
ID: 17894327
>which needs setting up for VPN access from both remote users creating a MS VPN tunnel from an XP machine
Sorry. Not going to happen with PIX 7.x
With previous 6.x versions this was simple to set up. Cisco has removed all support for Microsoft PPTP VPN from 7.x. It may re-appear in later versions, but right now it is gone.

Author Comment

by:Bob Sampson
ID: 17899509
OK, that answers that bit  ;-). Thanks LRMOORE.

So, if I want to do it with the Cisco VPN client for the remote users and a VPN tunnel from a Cisco ADSL router, how would I go about it?

Thanks for the help

Bob

Expert Comment

by:lrmoore
ID: 17899835
Use the wizard. The ASDM VPN wizards make it a piece of cake!
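
Since the ASDM wizard only writes CLI, here is the CLI for the site-to-site leg, built on the existing External_map (whose dynamic entry at sequence 65535, tunnel-group Test and the VPNUsers pool already serve Cisco VPN client users); this is an added example, not lrmoore's answer or Cisco's own text. The remote peer 203.0.113.10, its LAN 192.168.50.0/24, the admin address 198.51.100.5 and the pre-shared key are placeholders.

```cisco
! Added example: LAN-to-LAN tunnel on PIX 7.0(4) CLI, on top of the posted config.
! Placeholders: remote peer 203.0.113.10, remote LAN 192.168.50.0/24, admin host
! 198.51.100.5, pre-shared key.
!
! --- Phase 1: add an ISAKMP policy stronger than the existing single-DES policy 10.
! Lower sequence numbers are tried first; policy 10 stays until the remote-access
! clients have been moved off DES as well.
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
!
! --- Phase 2: transform set for the tunnel (the existing ESP-DES-SHA set is single DES).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! --- Interesting traffic: Intsub2 hosts to the remote site LAN.
access-list External_cryptomap_10 extended permit ip 10.0.2.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! --- NAT exemption for Intsub2. The posted config only has a nat 0 on Intsub1
! (Intsub1_nat0_outbound); without one here, Intsub2 replies to tunnel traffic would be
! PATed to the External interface address by "nat (Intsub2) 1" and never match the
! crypto ACL. The VPNUsers pool (10.0.2.190-199, inside 10.0.2.128/25) is exempted too,
! mirroring the existing Intsub1 entry.
access-list Intsub2_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Intsub2_nat0_outbound extended permit ip any 10.0.2.128 255.255.255.128
nat (Intsub2) 0 access-list Intsub2_nat0_outbound
!
! --- Static crypto map entry on the existing External_map. Its sequence number must be
! lower than 65535 so the static peer is matched before the dynamic (remote-access) entry.
crypto map External_map 10 match address External_cryptomap_10
crypto map External_map 10 set peer 203.0.113.10
crypto map External_map 10 set transform-set ESP-3DES-SHA
! External_map is already applied ("crypto map External_map interface External") and
! ISAKMP is already enabled on External, so nothing else needs binding.
!
! --- A LAN-to-LAN tunnel group is named after the peer's static public IP.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <long-random-psk-placeholder>
!
! --- Hardening that belongs with exposing the box for VPN: the posted config allows
! ssh and http (ASDM) management from 0.0.0.0/0 on External. Restrict both to known
! admin sources before the tunnels go live.
no ssh 0.0.0.0 0.0.0.0 External
ssh 198.51.100.5 255.255.255.255 External
no http 0.0.0.0 0.0.0.0 External
http 198.51.100.5 255.255.255.255 External
!
! --- Verification once a host on 10.0.2.0/24 sends traffic to 192.168.50.0/24:
! show isakmp sa      (State MM_ACTIVE for peer 203.0.113.10 means phase 1 is up)
! show ipsec sa       (#pkts encaps / #pkts decaps counters should increase)
```

The remote Cisco ADSL router needs the mirror image: the same pre-shared key, the same phase 1 and phase 2 proposals, and a crypto ACL with the two LANs swapped.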