Configuring Cisco Pix 501 VPN

Posted on 2009-02-12
Last Modified: 2012-05-06
I am new to Cisco PIX firewalls and have a couple of questions regarding use on a home network.
Using the interface I want to set up a VPN tunnel to my office network, where we have an eSoft InstaGate 604. I know the eSoft inside out; however, the Cisco is causing issues.

I have set my wireless router as the DHCP server and given the PIX a static IP.
Then on the external interface of the PIX I have put my public IP. Is this right?

I then set up a VPN to the office with a shared key but am not getting ping responses.

Questions
1. Can I use a Cisco PIX 501 on a home DSL connection?
2. I have a Cisco wireless router; do I have to configure it in a pass-through mode of some type so that it does not block the VPN?

Any help would be much appreciated.
Thanks

Question by:FlyingFortress
7 Comments

Expert Comment by: ricks_v (ID: 23628063)
Yes, it would work on the DSL connection; we are using it everywhere around the world in our company.

Yes, you will need to pass through or port forward some ports to allow VPN tunnels.

Here are some ports that you need to port forward:
500, 4500, 1701, 50, 51 (mainly only use 500, 50, 51)

Alternatively you can use DSL DMZ mode if your ADSL router supports it, but it will affect your home connection.

Here's a useful website on how to do port forwarding for different routers: www.portforward.com

Author Comment by: FlyingFortress (ID: 23631304)
Thanks for the advice. I enabled single port forwarding on the Cisco router:
Port: 500 > 192.168.1.1 (PIX)

On the eSoft firewall I have set the IKE and IPsec encryption as 3DES / MD5 (Group 2; I do not know what this means).
I went through the wizard on the PIX and set the security encryption the same.

Also set a simple pre-shared key on both the eSoft and the PIX to use as authentication.

However, still no joy on a ping, so I am doing something wrong for sure.

Carl

Expert Comment by: ricks_v (ID: 23642477)
I haven't personally used the eSoft InstaGate 604 and have only done a few ASA/PIX, Shiva and ADSL router VPN tunnels, but all have the same standard config.

If the security profile matches, then you should also check the IPsec rule (what traffic is allowed; this needs to be an exact mirror), e.g.:
A: source 10.2.0.0/16 dest 10.1.0.0/16
B: source 10.1.0.0/16 dest 10.2.0.0/16

- check if the Diffie-Hellman group is the same at both ends (you are using group 2)
- check keepalive
- check ACLs to allow VPN traffic through (inside/outside interface)

Finally, after everything is confirmed, you can start running debug on the PIX side.
Commands:
debug crypto ipsec 255
debug crypto isakmp 255

Look at the logs and see what happened to the packets.
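The "exact mirror" rule check that ricks_v describes above, written as an added Python example (not from the thread and not from any Cisco or eSoft tool): it compares the phase-1 parameters of two peers and verifies that every interesting-traffic rule on one side appears reversed on the other. The Peer model, the check_tunnel function and the sample peers are my own assumptions, built from the networks mentioned in this thread (10.1.0.0/16 for the office, 192.168.1.0/24 behind the PIX, 192.168.10.0/24 on the router side).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    """One end of a LAN-to-LAN IPsec tunnel (a constructed model, not PIX or eSoft syntax)."""
    name: str
    ike_encryption: str
    ike_hash: str
    dh_group: int
    # interesting-traffic rules as (source, destination) network strings
    acl: list = field(default_factory=list)


def _rules(peer):
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in peer.acl}


def check_tunnel(a, b):
    """Return a list of mismatches between two peers; an empty list means the
    phase-1 parameters agree and every rule has its exact mirror on the far side."""
    problems = []
    for attr in ("ike_encryption", "ike_hash", "dh_group"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr}: {a.name}={getattr(a, attr)} vs {b.name}={getattr(b, attr)}")
    a_rules, b_rules = _rules(a), _rules(b)
    # A rule src->dst on one side must appear as dst->src on the other, and vice versa.
    for src, dst in a_rules:
        if (dst, src) not in b_rules:
            problems.append(f"{a.name} rule {src}->{dst} has no mirror on {b.name}")
    for src, dst in b_rules:
        if (dst, src) not in a_rules:
            problems.append(f"{b.name} rule {src}->{dst} has no mirror on {a.name}")
    return problems


# Constructed peers using the networks mentioned in the thread.
OFFICE = Peer("office", "3des", "md5", 2, [("10.1.0.0/16", "192.168.1.0/24")])
# Home side pointing the tunnel at the router-facing subnet instead of the inside LAN.
HOME_WRONG = Peer("home", "3des", "md5", 2, [("192.168.10.0/24", "10.1.0.0/16")])
# Home side using the inside LAN behind the PIX, which mirrors the office rule.
HOME_OK = Peer("home", "3des", "md5", 2, [("192.168.1.0/24", "10.1.0.0/16")])

if __name__ == "__main__":
    for home in (HOME_WRONG, HOME_OK):
        print(home.acl, check_tunnel(OFFICE, home) or "consistent")
```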
Author Comment by: FlyingFortress (ID: 23668519)
OK thanks, just a couple more questions regarding the port forwarding.

I had to assign the outside interface a static 192 IP from the router to work.
So my internal network is 192.168.1.0 and my external IP is set as 192.168.10.0 to negotiate with my router. I can get out to the net now and everything seems correct as far as the physical set-up is concerned.

With this in mind, should I set up the tunnel's remote network from work to negotiate with the 192.168.1.0 (internal) or the 192.168.10.0 (router)?

This comes back to the port forwarding I suppose... I set this up on the router to single port forward 4500 to the PIX 192.168.1.1.
Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?

I have also connected through the console and HyperTerminal if you have any commands related to this.

Thanks for your help.

Expert Comment by: Press2Esc (ID: 23669160)
To avoid having to unnecessarily deal with ports and DSL routers/gateways, I always recommend either (1) bridging the DSL router or (2) placing the attached firewall/router (in your case the 501) in the DSL router's DMZ.
In the first case, the PIX would need to provide the required PPP authentication (login/pwd), while in the latter, the attached Cisco would be provided a public IP via the DSL router.
P2E

Accepted Solution by: ricks_v (earned 2000 total points, ID: 23675454)
It depends whether you would still use the ADSL for regular browsing (other PCs connected behind the ADSL still able to browse). IPsec port forwarding is recommended, as this will not be possible in ADSL DMZ mode.

Q. With this in mind, should I set up the tunnel's remote network from work to negotiate with the 192.168.1.0 (internal) or the 192.168.10.0 (router)?
A. You will need 192.168.1.0 /16 on your IPsec tunnel (inside network behind the ASA).

Q. This comes back to the port forwarding I suppose... I set this up on the router to single port forward 4500 to the PIX 192.168.1.1.
Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?
A. You will need port forwarding to the outside PIX interface for the following ports: UDP: 4500, 500, 1701; tcp/udp: 50, 51. (mainly only 500)
Q. Do I have to get the PIX to listen on a particular port (using 4500)? If so, how do I do this on the PIX?
A. It's done automatically when you configure an IPsec LAN-to-LAN tunnel on the PIX.

Your connection will be something like:

(your PC)--->192.168.1.1(ASA)192.168.10.100---> 192.168.10.1(ADSL)--->Internet

Your ASA will have 192.168.10.1 as its default gateway:
#route outside 0.0.0.0 0.0.0.0 192.168.10.1

Your PC will have 192.168.1.1 as its gateway.

Author Closing Comment by: FlyingFortress (ID: 31546317)
Thank you all for your help.