setting up remote access on pix 506e

How can I go about setting up remote access IPSEC vpn into my pix? I have the cisco client on my other computers off site
1 Solution
Here is an example: is the inside network. is the VPN subnet.

access-list nonat permit ip

ip local pool vpn-pool mask

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set ESP-3DES-MD5
crypto dynamic-map vpn 65535 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup <groupname> address-pool vpn-pool
vpngroup <groupname> idle-time 14400
vpngroup <groupname> password <grouppassword>

username vpnuser1 password <password>
username vpnuser2 password <password>
username vpnuser3 password <password>
dissolvedAuthor Commented:
Thanks J.  A few questions just so I can fully understand.

1. Can I use my existing isakmp policy, which I have defined for site-to-site, for my Remote Access VPN? Or is it best practice to have a separate one?

2. If you have a lot of users, there is a way to do this dynamically right? (just curious, I don't need instructions.........yet)

3. What significance does the vpn group name have?

4. Should my clients use IPSEC/UDP or IPSEC/TCP? Do they have the option of choosing?

1.  Yes, you can use your existing ISAKMP policy.  You also need to use your existing crypto map as you can only bind one map to the outside interface.  Simply use the 65535 sequence number for the dynamic (remote access) VPN.

2.  If you have a lot of users, it might be better to use RADIUS to talk to Microsoft IAS for example so you can use your domain accounts instead of local authentication.

3.  The vpn group name is what you type in the group authentication field in the VPN client.  It can be whatever you want it to be.

4.  You only have the option to use IPSEC/UDP (NAT-T) with 6.3 code.
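As an added example (not part of the thread or J's configuration), a small Python lint that checks a PIX 6.3 config for the points made in the answer: exactly one crypto map bound to outside, the dynamic remote-access entry on that map with a sequence number above every static peer (hence 65535), a nat 0 exemption covering the client pool, NAT-T enabled for IPSEC/UDP clients, and the vpngroup pool actually defined. It also flags the 3DES/MD5 algorithms of the era as legacy. The sample config and its addresses are constructed.

```python
import re
# Constructed sample (addresses made up): the thread's remote-access fragment
# merged with a pre-existing site-to-site entry on the same "vpn" crypto map.
SAMPLE_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool vpn-pool 192.168.50.1-192.168.50.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set ESP-3DES-MD5
crypto map vpn 10 ipsec-isakmp
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 1 encryption 3des
vpngroup remoteusers address-pool vpn-pool
"""
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "des", "3des", "md5"}

def audit_remote_access(config: str) -> dict:
    """Check a PIX 6.3 config for the points in the thread; True means OK."""
    def grep(pat):
        return re.findall(pat, config, re.M)
    bound = grep(r"^crypto map (\S+) interface outside$")
    outside_map = bound[0] if len(bound) == 1 else None  # one map per interface
    static = [int(s) for m, s in grep(r"^crypto map (\S+) (\d+) ipsec-isakmp$") if m == outside_map]
    dynamic = [int(s) for m, s, _ in grep(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
               if m == outside_map]
    pools = set(grep(r"^ip local pool (\S+) "))
    acls_with_permit = set(grep(r"^access-list (\S+) permit ip "))
    algs = {a for l in grep(r"^crypto ipsec transform-set \S+ (.+)$") for a in l.split()}
    algs |= set(grep(r"^isakmp policy \d+ (?:encryption|hash) (\S+)$"))
    return {
        "single_map_bound_outside": outside_map is not None,
        # the remote-access entry must sit on the bound map and be evaluated after
        # every static (site-to-site) peer, hence the 65535 sequence number
        "dynamic_entry_evaluated_last": bool(dynamic) and min(dynamic) > max(static, default=0),
        # pool traffic is exempted from NAT through "nat (inside) 0 access-list"
        "nonat_exemption_present": any(a in acls_with_permit
                                       for a in grep(r"^nat \(inside\) 0 access-list (\S+)$")),
        # NAT-T (IPSEC/UDP) is the only encapsulation 6.3 offers clients behind NAT
        "nat_traversal_enabled": bool(grep(r"^isakmp nat-traversal")) and bool(grep(r"^isakmp enable outside$")),
        "vpngroup_pools_exist": all(p in pools for p in grep(r"^vpngroup \S+ address-pool (\S+)$")),
        # 3DES/MD5 as used in the thread are legacy today and worth flagging
        "no_legacy_algorithms": not (algs & LEGACY_ALGS),
    }
if __name__ == "__main__":
    for check, ok in audit_remote_access(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```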
dissolvedAuthor Commented:
J, do I have to open up some ports on my firewall to let the traffic in?
Nope, you don't need to open ports for the VPN.