Configuring Cisco Pix 501 VPN

FlyingFortress
Medium Priority
681 Views
Last Modified: 2012-05-06
I am new to Cisco PIX firewalls and have a couple of questions regarding use on a home network.
Using the interface I want to set up a VPN tunnel to my office network, where we have an esoft instagate 604. I know the esoft inside out; however, the Cisco is causing issues.

I have set my wireless router as the DHCP server and given the PIX a static IP.
Then on the external interface of the PIX I have put my public IP?? Is this right?

I then set up a VPN to the office with a shared key but am not getting ping responses.

Questions
1. Can I use a Cisco PIX 501 on home DSL connections?
2. I have a Cisco wireless router; do I have to configure it in a pass-through mode of some type so that it does not block the VPN?

Any help would be much appreciated.
Thanks

Commented:
Yes, it would work on the DSL connection; we are using it everywhere around the world in our company.

Yes, you will need to pass-through or port forward some ports to allow VPN tunnels.

Here are some ports that you need to port forward:
500, 4500, 1701, 50, 51 (mainly only use 500, 50, 51)

Alternatively you can use DSL DMZ mode if your ADSL router supports it, but it will affect your home connection.

Here's a useful website on how to do port forwarding for different routers: www.portforward.com

Author

Commented:
Thanks for the advice. I enabled single port forwarding on the Cisco router:
Port: 500 > 192.168.1.1 (PIX)

On the esoft firewall I have set the IKE and IPsec encryption as 3DES / MD5 (Group 2 *do not know what this means).
I went through the wizard on the PIX and set the security encryption the same.

Also set a simple pre-shared key on both the esoft and the PIX to use as authentication.

However, still no joy on a ping, so I am doing something wrong for sure.

Carl


Commented:
I haven't personally used the esoft instagate 604 and have only done a few ASA/PIX/Shiva/ADSL router VPN tunnels, but all have the same standard config.

If the security profile matches, then you should also check the IPsec rule (what traffic is allowed; this needs to be an exact mirror). E.g.:
A: source 10.2.0.0/16 dest 10.1.0.0/16
B: source 10.1.0.0/16 dest 10.2.0.0/16

- check if the Diffie-Hellman group is the same at both ends (you are using group 2)
- check keepalive
- check the ACL to allow VPN traffic through (inside/outside interface)

Finally, after everything is confirmed, you can start running debug at the PIX site.
Commands:
debug crypto ipsec 255
debug crypto isakmp 255

Look at the logs and see what happened to the packets.
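A small pre-flight check for the mismatch list above (phase 1/phase 2 proposals, DH group, mirrored crypto ACLs), written in Python as an added example and not something from the thread; the peer settings and the office address ranges are constructed sample data.

```python
from ipaddress import ip_network

# Constructed sample data modelling the thread's two tunnel endpoints.
# The office network (10.1.0.0/16) is an assumption for illustration.
PIX_HOME = {
    "name": "PIX (home)",
    "ike":   {"encryption": "3des", "hash": "md5", "dh_group": 2},
    "ipsec": {"encryption": "3des", "hash": "md5"},
    # Crypto ACL entries as (local network, remote network).
    "acl":   [("192.168.1.0/24", "10.1.0.0/16")],
}
ESOFT_OFFICE = {
    "name": "esoft (office)",
    "ike":   {"encryption": "3des", "hash": "md5", "dh_group": 2},
    "ipsec": {"encryption": "3des", "hash": "md5"},
    "acl":   [("10.1.0.0/16", "192.168.1.0/24")],
}
# A deliberately broken office config: wrong DH group, and the remote network
# pointed at the PIX's outside/router subnet instead of its inside network.
ESOFT_BROKEN = {
    "name": "esoft (office, misconfigured)",
    "ike":   {"encryption": "3des", "hash": "md5", "dh_group": 5},
    "ipsec": {"encryption": "3des", "hash": "md5"},
    "acl":   [("10.1.0.0/16", "192.168.10.0/24")],
}

def check_tunnel(a, b):
    """Return a list of human-readable mismatches between two peers' settings."""
    problems = []
    # Phase 1 (IKE) and phase 2 (IPsec) proposals must agree parameter by parameter.
    for phase in ("ike", "ipsec"):
        for param, val in a[phase].items():
            other = b[phase].get(param)
            if other != val:
                problems.append(f"{phase} {param}: {a['name']}={val}, {b['name']}={other}")
    # Phase 2 selectors must be exact mirrors: A's (local, remote) == B's (remote, local).
    a_sel = {(ip_network(l), ip_network(r)) for l, r in a["acl"]}
    b_sel = {(ip_network(r), ip_network(l)) for l, r in b["acl"]}  # flipped into A's view
    for local, remote in sorted(a_sel - b_sel, key=str):
        problems.append(f"ACL {local} -> {remote} on {a['name']} has no mirror on {b['name']}")
    for local, remote in sorted(b_sel - a_sel, key=str):
        problems.append(f"ACL {remote} -> {local} on {b['name']} has no mirror on {a['name']}")
    return problems

if __name__ == "__main__":
    for peer in (ESOFT_OFFICE, ESOFT_BROKEN):
        print(peer["name"], check_tunnel(PIX_HOME, peer) or "OK")
```

Running it reports a clean match for the first pair and three findings for the broken one, the same items the checklist above has you verify by hand before turning on the crypto debugs.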

Author

Commented:
OK thanks, just a couple more questions regarding the port forwarding.

I had to assign the outside interface a static 192 IP from the router to work.
So my internal network is 192.168.1.0 and my external IP is set as 192.168.10.0 to negotiate with my router. I can get out to the net now and everything seems correct as far as the physical setup is concerned.

With this in mind, should I set up the tunnel's remote network from work to negotiate with the 192.168.1.0 (internal) or the 192.168.10.0 (router)?

This comes back to the port forwarding, I suppose.... I set this up on the router to single port forward 4500 to the PIX 192.168.1.1.
Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?

I have also connected through the console and HyperTerminal if you have any commands related to this.

Thanks for your help.

Press2Esc, Systems Integrator

Commented:
To avoid having to unnecessarily deal with ports and DSL routers/gateways, I always recommend either (1) bridging the DSL router or (2) placing the attached firewall/router (in your case the 501) in the DSL router's DMZ...
In the first case, the PIX would need to provide the required PPP authentication (login/pwd), while in the latter, the attached Cisco would be provided a public IP via the DSL router.
P2E
Commented:
Depends whether you would still use the ADSL for regular browsing (other PCs connected behind the ADSL still able to browse); IPsec port forwarding is recommended, as this will not be possible in ADSL DMZ mode.

Q. With this in mind, should I set up the tunnel's remote network from work to negotiate with the 192.168.1.0 (internal) or the 192.168.10.0 (router)?
A. You will need 192.168.1.0 /16 on your IPsec tunnel (inside network behind ASA).

Q. This comes back to the port forwarding, I suppose.... I set this up on the router to single port forward 4500 to the PIX 192.168.1.1.
Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?
A. You will need to port forward to the outside PIX interface for the following ports: UDP: 4500, 500, 1701; TCP/UDP: 50, 51. (mainly only 500)
Q. Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?
A. It's done automatically when you configure an IPsec LAN-to-LAN tunnel on the PIX.

Your connection will be something like:

(your PC)--->192.168.1.1(ASA)192.168.10.100---> 192.168.10.1(ADSL)--->Internet

Your ASA will have 192.168.10.1 as its default gateway:
#route outside 0.0.0.0 0.0.0.0 192.168.10.1

Your PC will have 192.168.1.1 as its gateway.

Author

Commented:
Thank you all for your help.