FlyingFortress
Configuring Cisco Pix 501 VPN

I am new to Cisco PIX firewalls and have a couple of questions regarding use on a home network.
Using the interface I want to set up a VPN tunnel to my office network where we have an eSoft InstaGate 604. I know the eSoft inside out; however, the Cisco is causing issues.

I have set my wireless router as the DHCP server and given the PIX a static IP.
Then on the external interface of the PIX I have put my public IP. Is this right?

I then set up a VPN to the office with a shared key but am not getting ping responses.

Questions
1. Can I use a Cisco PIX 501 on home DSL connections?
2. I have a Cisco wireless router; do I have to configure it in a pass-through mode of some type so that it does not block the VPN?

Any help would be much appreciated.
Thanks

ricks_v

Yes, it would work on the DSL connection; we are using it everywhere around the world in our company.

Yes, you will need to pass-through or port forward some ports to allow VPN tunnels.

Here are some ports that you need to port forward:
500, 4500, 1701, 50, 51 (mainly only use 500, 50, 51)

Alternatively you can use the DSL DMZ mode if your ADSL router supports it, but it will affect your home connection.

Here's a useful website on how to do port forwarding for different routers: www.portforward.com

FlyingFortress (asker)
Thanks for the advice, I enabled single port forwarding on the Cisco router:
Port: 500 > 192.168.1.1 (PIX)

On the eSoft firewall I have set the IKE and IPsec encryption as 3DES / MD5 (Group 2 *do not know what this means).
I went through the wizard on the PIX and set the security encryption the same.

Also set a simple pre-shared key on both, and the PIX to use it as authentication.

However, still no joy on a ping, so I'm doing something wrong for sure.

Carl


I haven't personally used the eSoft InstaGate 604 and have only done a few ASA/PIX/Shiva/ADSL router VPN tunnels, but all have the same standard config.

If the security profile matches, then you should also check the IPsec rule (what traffic is allowed; this needs to be an exact mirror), e.g.:
A: source 10.2.0.0/16 dest 10.1.0.0/16
B: source 10.1.0.0/16 dest 10.2.0.0/16

- check if the Diffie-Hellman group is the same at both ends (you are using group 2)
- check keepalive
- check ACL to allow VPN traffic through (inside/outside interface)

Finally, after everything is confirmed, you can start running debug at the PIX site.
Commands:
debug crypto ipsec 255
debug crypto isakmp 255

Look at the logs and see what happened to the packets.
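For readers following the checklist above, here is an added example of what the PIX side of such a tunnel looks like when typed at the console, in PIX 6.3-style syntax. It is not from the thread or from either vendor's documentation; the addresses are placeholders (home LAN 192.168.1.0/24 behind the PIX inside interface, office LAN 10.1.0.0/16 behind the eSoft, office public IP 203.0.113.5), the PIX outside interface is assumed to sit on the home router's private LAN as in the question, and the key string is a placeholder to be replaced.

```cisco
! Added example (not from the thread): PIX 6.3-style site-to-site IPsec config
! using the parameters discussed above: pre-shared key, 3DES/MD5, DH group 2.
! Assumed addressing (placeholders):
!   home LAN behind the PIX inside interface : 192.168.1.0/24
!   office LAN behind the eSoft              : 10.1.0.0/16
!   office public IP (IKE peer)              : 203.0.113.5
!   PIX outside interface: private address on the home router's LAN (NATed)

! Interesting traffic. The office side must hold the exact mirror:
!   source 10.1.0.0/16 -> dest 192.168.1.0/24
access-list VPN-TRAFFIC permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0

! Exempt tunnel traffic from NAT, otherwise the crypto ACL never matches
! the (already translated) packets.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Let decrypted IPsec traffic bypass the outside interface access list.
sysopt connection permit-ipsec

! Phase 1 (IKE): pre-shared key, 3DES, MD5, Diffie-Hellman group 2.
isakmp enable outside
isakmp identity address
isakmp key CHANGE-ME-PSK address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! NAT traversal: the PIX is behind the home router, so once NAT is detected
! IKE and ESP are carried in UDP/4500 (keepalive every 20 seconds).
isakmp nat-traversal 20

! Phase 2 (IPsec): same 3DES/MD5 choice as configured on the eSoft side.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OFFICE-MAP 10 ipsec-isakmp
crypto map OFFICE-MAP 10 match address VPN-TRAFFIC
crypto map OFFICE-MAP 10 set peer 203.0.113.5
crypto map OFFICE-MAP 10 set transform-set ESP-3DES-MD5
crypto map OFFICE-MAP interface outside
```

After applying it, send a ping from an inside host to an office address (the tunnel is only brought up by matching traffic), then check `show crypto isakmp sa` (a phase 1 SA in state QM_IDLE) and `show crypto ipsec sa` (the pkts encaps/decaps counters should both increase). Two caveats for the NATed setup in the question: the office side must be configured with the home router's public address as its peer and must accept NAT-T, and because `isakmp identity address` makes the PIX send its private outside address as its IKE identity while the packets arrive from the public address, some peers reject the mismatch; if the debugs show phase 1 failing on identity or key lookup, that is the first thing to look at. 3DES/MD5 are kept here only because they are what the thread configures on both ends; where both devices support it, AES and SHA are the stronger choice.
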
FlyingFortress (asker)

OK thanks, just a couple more questions regarding the port forwarding.

I had to assign the outside interface a static 192 IP from the router to work.
So my internal network was 192.168.1.0 and my external IP is set as 192.168.10.0 to negotiate with my router. I can get out to the net now and everything seems correct as far as the physical set-up is concerned.

With this in mind, should I set up the tunnel's remote network from work to negotiate with 192.168.1.0 (internal) or 192.168.10.0 (router)?

This comes back to the port forwarding, I suppose. I set this up on the router to single-port-forward 4500 to the PIX 192.168.1.1.
Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?

I have also connected through the console and HyperTerminal if you have any commands related to this.

Thanks for your help.

To avoid having to unnecessarily deal with ports and DSL routers/gateways, I always recommend either (1) bridging the DSL router or (2) placing the attached firewall/router (in your case the 501) in the DSL router's DMZ.
In the first case, the PIX would need to provide the required PPP authentication (login/pwd), while in the latter, the attached Cisco would be given a public IP via the DSL router.
P2E
ASKER CERTIFIED SOLUTION
ricks_v

This solution is only available to members of Experts Exchange.

Thank you all for your help.