Solved

PIX 501 Setting up VPN  on the PDM

Posted on 2009-02-17
733 Views
Last Modified: 2012-05-06
Internet -->2600 -->PIX501-->switch--> LAN

When setting up Remote Access VPN from the PDM, should I be setting the VPN connection on the outside interface or the inside interface where the internal network is, and in doing that will I have to NAT the selected interface with a public IP on the router?
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd  encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_inbound permit icmp any any
access-list allow_inbound permit tcp any host 172.16.1.52 eq 3389
access-list allow_inbound permit tcp any host 172.16.1.61 eq 3389
access-list allow_inbound permit gre any host 172.16.1.61
access-list allow_inbound permit gre any host 172.16.1.52
access-list allow_inbound permit tcp any host 172.16.1.61 eq smtp
access-list allow_inbound permit tcp any host 172.16.1.61 eq www
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
icmp permit any traceroute outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any router-solicitation outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.0.2 255.255.255.252
ip address inside 172.16.1.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.192 0 0
access-group allow_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.1.0 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.1.2-172.16.1.20 inside
dhcpd dns 172.16.1.52 172.16.1.55
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:f12cc417a1b8c72febce1ca0ac92fe15

Question by:Wayne-
2 Comments

Assisted Solution

by:lrmoore
lrmoore earned 1200 total points
ID: 23670029
Always apply the crypto map to the client-facing interface (outside).
The VPN wizard should walk you through everything you need to do. When it asks you for an address pool, create a new one using a different IP subnet from the internal network.
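For reference, here is what lrmoore's advice looks like as PIX 6.3 CLI for the topology in the question (PIX outside 172.16.0.2, private, behind the 2600 doing NAT; LAN 172.16.1.0/26). This is an added example, not the poster's configuration or the PDM wizard's literal output; the pool 192.168.100.0/26, the group name remoteusers, the user vpnuser and the object names are assumptions, and passwords are shown as placeholders.

```text
! Client pool on a subnet that does not overlap the LAN (lrmoore's point)
ip local pool vpnpool 192.168.100.1-192.168.100.62

! Exempt LAN<->pool traffic from translation so clients reach 172.16.1.0/26
access-list inside_outbound_nat0_acl permit ip 172.16.1.0 255.255.255.192 192.168.100.0 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl

! Let decrypted IPsec traffic bypass the allow_inbound ACL on outside
sysopt connection permit-ipsec

! Phase 2: transform set used by the dynamic map for roaming clients
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
! Bind the map to the client-facing interface, never to inside
crypto map outside_map interface outside

! Phase 1 (ISAKMP) on the outside interface
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
! The PIX sits behind the router's NAT, so clients must use NAT-T (UDP 4500)
isakmp nat-traversal 20

! Cisco VPN Client group: pool, DNS, domain, idle timeout, group key
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 172.16.1.52
vpngroup remoteusers default-domain ciscopix.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <GROUP-KEY-PLACEHOLDER>

! Local user for extended authentication (matches "client authentication LOCAL")
username vpnuser password <USER-PASSWORD-PLACEHOLDER> privilege 2
```

Because the PIX outside address is private, the router's static translation for 172.16.0.2 must pass UDP 500, UDP 4500 and ESP through to it; a one-to-one static like the one in the follow-up does that, while a port-level translation would not.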
 

Accepted Solution

by:Wayne-
Wayne- earned 0 total points
ID: 23674050
Internet -->2600 -->PIX501-->switch--> LAN

Have gone through the VPN Wizard, set up NAT on the outside interface on the PIX firewall on the router.
Router= ip nat inside source static 172.16.1.0.2  64.xx.xx.xx.75
can ping the public IP
Reply from 64.xx.xx.75: bytes=32 time=31ms TTL=242
Reply from 64.xx.xx.75: bytes=32 time=30ms TTL=242
Reply from 64.xx.xx.75: bytes=32 time=33ms TTL=242
Reply from 64.xx.xx.75: bytes=32 time=30ms TTL=242


Set up my PPTP connection, get error message Error 718:
The connection was terminated because the remote computer did not respond in a timely manner.
VPNSETUP.doc