setting up remote access on pix 506e

Posted on 2009-04-16
Last Modified: 2012-05-06
How can I go about setting up remote access IPSEC vpn into my pix? I have the cisco client on my other computers off site
Question by:dissolved
    LVL 43

    Accepted Solution

    Here is an example: is the inside network. is the VPN subnet.

    access-list nonat permit ip

    ip local pool vpn-pool mask

    nat (inside) 0 access-list nonat

    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map vpn 65535 set transform-set ESP-3DES-MD5
    crypto dynamic-map vpn 65535 set security-association lifetime seconds 86400 kilobytes 4608000
    crypto map vpn 65535 ipsec-isakmp dynamic vpn
    crypto map vpn client configuration address initiate
    crypto map vpn client authentication LOCAL
    crypto map vpn interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    vpngroup <groupname> address-pool vpn-pool
    vpngroup <groupname> idle-time 14400
    vpngroup <groupname> password <grouppassword>

    username vpnuser1 password <password>
    username vpnuser2 password <password>
    username vpnuser3 password <password>

    Author Comment

    Thanks J. A few questions just so I can fully understand.

    1. Can I use my existing isakmp policy, which I have defined for site-to-site, for my Remote Access VPN? Or is it best practice to have a separate one?

    2. If you have a lot of users, there is a way to do this dynamically right? (just curious, I don't need instructions.........yet)

    3. What significance does the vpn group name have?

    4. Should my clients use IPSEC/UDP or IPSEC/TCP? Do they have the option of choosing?

    LVL 43

    Expert Comment

    1.  Yes, you can use your existing ISAKMP policy.  You also need to use your existing crypto map as you can only bind one map to the outside interface.  Simply use the 65535 sequence number for the dynamic (remote access) VPN.

    2.  If you have a lot of users, it might be better to use RADIUS to talk to Microsoft IAS for example so you can use your domain accounts instead of local authentication.

    3.  The vpn group name is what you type in the group authentication field in the VPN client.  It can be whatever you want it to be.

    4.  You only have the option to use IPSEC/UDP (NAT-T) with 6.3 code.

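    Answer 1 in practice, as an added example that is not part of the original thread: the existing site-to-site tunnel and the new remote-access clients share the single crypto map "vpn" bound to the outside interface, with the static peer entry at a low sequence number and the dynamic entry at 65535. The peer address 203.0.113.2, the 10.1.0.0/24 (inside) and 10.2.0.0/24 (remote office) networks, the ACL name s2s-traffic and sequence number 10 are assumptions; the map name vpn, the dynamic map vpn, the transform set ESP-3DES-MD5, the nonat ACL and vpn-pool are taken from the accepted solution. Lines beginning with ":" are PIX configuration comments.

```text
: Added example, not from the original post. Site-to-site peer, networks and
: ACL names are assumptions; map, dynamic map, transform set and pool names
: are the ones used in the accepted solution above.
:
: Site-to-site traffic: inside 10.1.0.0/24 <-> remote office 10.2.0.0/24.
: Both the tunnel traffic and the VPN client pool must be exempted from NAT.
access-list s2s-traffic permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat

: Decrypted IPsec traffic bypasses the outside interface access-list, and
: ISAKMP (UDP 500, UDP 4500 with NAT-T) addressed to the PIX itself is
: accepted once isakmp is enabled on outside, so no inbound ACL entries
: are needed for either tunnel type.
sysopt connection permit-ipsec

: Static entry for the site-to-site peer. Low sequence number so it is
: matched before the catch-all dynamic entry.
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address s2s-traffic
crypto map vpn 10 set peer 203.0.113.2
crypto map vpn 10 set transform-set ESP-3DES-MD5

: Dynamic entry for the remote-access clients, last in the map.
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside

: One ISAKMP policy serves both peers.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

: The site-to-site pre-shared key is bound to the peer address. Because
: "client authentication" and "client configuration address initiate" are
: set on the shared map, the PIX would otherwise demand an XAUTH username
: and password from the remote firewall and try to push it a client
: address; no-xauth and no-config-mode switch that off for this peer only.
isakmp key <s2s-presharedkey> address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode

: Remote-access clients authenticate the group with the vpngroup password
: and the user with the local username database (XAUTH).
vpngroup <groupname> address-pool vpn-pool
vpngroup <groupname> idle-time 14400
vpngroup <groupname> password <grouppassword>
username vpnuser1 password <password>
```

    The two things that most often break a combined map are the ordering and the peer key options. If the dynamic entry carried a lower sequence number than the static one, the site-to-site peer could be matched by the dynamic entry and fail to negotiate the correct proxy identities, so the dynamic entry always goes last. And without no-xauth no-config-mode on the isakmp key for the static peer, the remote firewall will be prompted for an XAUTH login it cannot answer and phase 1 will stall. Verify with show crypto isakmp sa and show crypto ipsec sa after bringing up each tunnel type.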
    Author Comment

    J, do I have to open up some ports on my firewall to let the traffic in?
    LVL 43

    Expert Comment

    Nope, you don't need to open ports for the VPN.
