Openallnight asked:
PIX-501 PPPoe/VPN configuration?

Hi, I would like to reuse a PIX-501 in a small office with a static IP PPPoE DSL connection. (my config below)...

I can connect to the ISP via PPPoE and function normally however cannot allow incoming VPN for road warriors.

Am I incorrect in assuming this device will not work for both a PPPoe connection and VPN, and would a PIX-506 or Sonicwall be a functional alternative?

TIA

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname username@bslv1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username username@bslv1.nts.com password williethejackass


see I am unable to configure a PIX-501 to allow VPN connection
ASKER CERTIFIED SOLUTION by Les Moore
(solution text available only to Experts Exchange members; not shown here)
Openallnight (ASKER):
I am unable to test my config presently, and my experience with this device was some time ago at another site.
I am not sure if GRE/VPN is allowed; it is a business connection, so I will check.
I have found other posts and will try your older dial-in group examples.
I have attempted to enter a vpn_in group, and when enabling it on the outside I get this feedback:

(config)# vpdn enable outside
Can not enable vpdn on the same interface as PPPoE.




sysopt connection permit-pptp

vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn group vpn_in accept dialin pptp
vpdn group vpn_in ppp authentication chap
vpdn group vpn_in ppp authentication mschap
vpdn group vpn_in ppp encryption mppe 40
vpdn group vpn_in client configuration address local vpdn-pool
vpdn group vpn_in client configuration dns 192.168.1.3
vpdn group vpn_in pptp echo 60
vpdn group vpn_in client authentication local
vpdn username user@res1.nts.com password *********
vpdn username test password *********

OK... well that sucks..
I'm 100% positive that you can support pppoe vpdn and IPSEC client at the same time..

I cut/pasted your config into my PIX, and it did not complain when I entered "vpdn enable outside"
PIX 6.3(5)
What version PIX OS are you using?

Thanks for your interest, I have pasted the sh ver and sh run

casa(config)# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

jackfish up 5 hours 10 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 000a.b7bc.4b94, irq 9
1: ethernet1: address is 000a.b7bc.4b95, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                50
Throughput:                  Unlimited
IKE peers:                   10

This PIX has a Restricted (R) license

: Saved
: Written by enable_15 at 12:25:11.574 CST Sat Nov 25 2006
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Nae57tgnghHUuaGNNFrtW1aM encrypted
passwd VUu7dfh7fgh60UvPYLh6sh3 encrypted
hostname jackfish
domain-name somename.net
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq www
access-list inbound deny ip any any
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 40
logging on
logging timestamp
logging buffered critical
logging trap warnings
logging history warnings
logging queue 0
logging host inside 192.168.1.11
icmp permit any echo-reply outside
icmp permit any information-reply outside
icmp permit any mask-reply outside
icmp permit any parameter-problem outside
icmp permit any source-quench outside
icmp permit any time-exceeded outside
icmp permit any timestamp-reply outside
icmp permit any unreachable outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action drop
ip local pool pptp-pool 192.168.100.240-192.168.100.245
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 55555 192.168.1.8 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.7 pop3 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route inside 192.168.88.0 255.255.255.0 192.168.88.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt noproxyarp inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 60
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname <somename>@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username sdfgsg@res1.nts.com password ****************
terminal width 80
banner deleted
banner motd Attention:
Cryptochecksum:ba879743fabf90ff1b68344148c28351
: end
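A check over the configuration excerpts posted in this thread, as an added example that is not part of the original posts or of Cisco's tooling: a small Python linter that reproduces the 6.3(3) conflict shown earlier ("vpdn enable" on the same interface as the PPPoE client), notices that the PPTP dialin groups in the "sh run" above are inert because no "vpdn enable <if>" line exists, and flags the weak VPDN and management settings present in the same dump (PAP offered to dialin clients, 40-bit or optional MPPE, the default SNMP community, and a vpdn password pasted in the clear). The sample config is a constructed excerpt of the posted one with the password masked as on the page; the finding codes are the example's own, and the MPPE check assumes the PIX 6.3 syntax "ppp encryption mppe {40|128|auto} [required]".

```python
"""Lint a PIX 6.x 'show run' excerpt for the PPPoE/PPTP interaction this thread
hit and for weak VPDN and management settings.  Added example, not from the
thread; the sample below is a constructed excerpt of the posted config."""
import re

# Constructed excerpt of the config posted in the thread (password masked as on the page).
SAMPLE_CONFIG = """\
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
snmp-server community public
sysopt connection permit-pptp
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname user@res1.nts.com
vpdn group pppoe_group ppp authentication pap
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn group vpn_in accept dialin pptp
vpdn group vpn_in ppp authentication mschap
vpdn group vpn_in ppp encryption mppe 40
vpdn username user@res1.nts.com password ********
"""

VPDN_GROUP_RE = re.compile(r"^vpdn group (\S+) (.+)$")


def parse_vpdn_groups(config):
    """Map each vpdn group name to the list of attribute strings set on it."""
    groups = {}
    for raw in config.splitlines():
        m = VPDN_GROUP_RE.match(raw.strip())
        if m:
            groups.setdefault(m.group(1), []).append(m.group(2).strip())
    return groups


def pppoe_interfaces(config):
    """Interfaces addressed by the PPPoE client ('ip address <if> pppoe')."""
    return set(re.findall(r"^ip address (\S+) pppoe", config, re.M))


def vpdn_enabled_interfaces(config):
    """Interfaces with 'vpdn enable <if>', the line that turns the PPTP server on."""
    return set(re.findall(r"^vpdn enable (\S+)", config, re.M))


def lint(config):
    """Return (code, severity, message) findings for the config text."""
    findings = []
    groups = parse_vpdn_groups(config)
    pppoe_ifs = pppoe_interfaces(config)
    enabled_ifs = vpdn_enabled_interfaces(config)
    dialin = sorted(g for g, a in groups.items() if "accept dialin pptp" in a)

    # The clash the thread hit on 6.3(3): 'vpdn enable' on the PPPoE client interface.
    for ifname in sorted(pppoe_ifs & enabled_ifs):
        findings.append(("VPDN_ON_PPPOE_IF", "error",
                         f"vpdn enable {ifname}: same interface as PPPoE; 6.3(3) refuses this"))
    # With no 'vpdn enable' at all, dialin groups exist but no PPTP server listens
    # (the state of the posted 'sh run').
    if dialin and not enabled_ifs:
        findings.append(("DIALIN_NOT_ENABLED", "error",
                         f"PPTP groups {dialin} defined but no 'vpdn enable <if>' line"))
    for g in dialin:
        attrs = groups[g]
        if "ppp authentication pap" in attrs:
            findings.append(("PAP_DIALIN", "warn",
                             f"group {g}: PAP offered to remote clients (cleartext password, no MPPE keys)"))
        if any(a.startswith("ppp encryption mppe 40") for a in attrs):
            findings.append(("MPPE_40", "warn", f"group {g}: 40-bit MPPE"))
        if any(a.startswith("ppp encryption mppe") and not a.endswith("required") for a in attrs):
            findings.append(("MPPE_OPTIONAL", "warn",
                             f"group {g}: MPPE not 'required', a client may negotiate no encryption"))
    if re.search(r"^snmp-server community (public|private)$", config, re.M):
        findings.append(("SNMP_DEFAULT_COMMUNITY", "warn", "default SNMP community string"))
    # 'show run' masks vpdn passwords; a visible one means it was pasted from the CLI.
    for user, pw in re.findall(r"^vpdn username (\S+) password (\S+)", config, re.M):
        if set(pw) != {"*"}:
            findings.append(("CLEARTEXT_VPDN_PASSWORD", "warn",
                             f"vpdn username {user}: password visible in pasted config"))
    return findings


if __name__ == "__main__":
    for code, sev, msg in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {code}: {msg}")
```

Run against the excerpt it reports the missing "vpdn enable" line, PAP on group 1, 40-bit MPPE on vpn_in, optional MPPE on both dialin groups and the "public" community; append "vpdn enable outside" and the DIALIN finding is replaced by the VPDN_ON_PPPOE_IF conflict, which is exactly the message the 6.3(3) box returned.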
Thanks Larry, I wimped out and installed an old netscape and went the PDM route and was able to configure the VPN.
Cheers,
MM
>Cisco PIX Firewall Version 6.3(3)
This is a very buggy version.. suggest update to 6.3(5)

LOL! The VPN wizard does a nice job.