• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 169
  • Last Modified:

setting up remote access on pix 506e

How can I go about setting up remote access IPSEC vpn into my pix? I have the cisco client on my other computers off site
0
dissolved
Asked:
dissolved
  • 3
  • 3
1 Solution
 
JFrederick29Commented:
Here is an example:

192.168.100.0/24 is the inside network.
192.168.255.0/24 is the VPN subnet.

access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.255.0 255.255.255.0

ip local pool vpn-pool 192.168.255.10-192.168.255.100 mask 255.255.255.0

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set ESP-3DES-MD5
crypto dynamic-map vpn 65535 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup <groupname> address-pool vpn-pool
vpngroup <groupname> idle-time 14400
vpngroup <groupname> password <grouppassword>

username vpnuser1 password <password>
username vpnuser2 password <password>
username vpnuser3 password <password>
0
 
dissolvedAuthor Commented:
Thanks J.  A few questions just so I can fully understand.

1. Can I use my existing isakmp policy, which I have defined for site-to-site, for my Remote Access VPN? Or is it best practice to have a separate one?

2. If you have a lot of users, there is a way to do this dynamically right? (just curious, I don't need instructions.........yet)

3. What significance does the vpn group name have?

4.  Should my clients use IPSEC/UDP or IPSEC/TCP. Do they have the option of choosing?

Thanks
0
 
JFrederick29Commented:
1.  Yes, you can use your existing ISAKMP policy.  You also need to use your existing crypto map as you can only bind one map to the outside interface.  Simply use the 65535 sequence number for the dynamic (remote access) VPN.

2.  If you have a lot of users, it might be better to use RADIUS to talk to Microsoft IAS for example so you can use your domain accounts instead of local authentication.

3.  The vpn group name is what you type in the group authentication field in the VPN client.  It can be whatever you want it to be.

4.  You only have the option to use IPSEC/UDP (NAT-T) with 6.3 code.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
dissolvedAuthor Commented:
J, do I have to open up some ports on my firewall to let the traffic in?
0
 
JFrederick29Commented:
Nope, you don't need to open ports for the VPN.
0
 
dissolvedAuthor Commented:
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now