Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco PIX VPN and Windows VPN

Posted on 2010-01-12
9
Medium Priority
?
318 Views
Last Modified: 2012-05-08
Is it possible for a PIX firewall to be configured using windows-based vpn connections as well as cisco vpn client?  We have a PIX firewall that is set up using VPDN settings to allow Windows VPN to log in for remote access...but I would like to change that to where they would be able to also log in via Cisco VPN client.  Is it possible to have them both run at the same time or would one cancel out the once the configurations are in place?
0
Comment
Question by:Averitteg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 26294457
You should be able to run both, you just need to apply the config for the Cisco Client.

Have a look at this cisco HOW TO for your exact scenario:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml
0
 
LVL 2

Author Comment

by:Averitteg
ID: 26305087
Okay, so I tried to enter in the commands, but I'm sure that I'm missing something because I'm still not able to connect via the cisco vpn client. We can still connect via the windows vpn however.  I've successfully set up the RA with the help of Bignewf on an ASA, but not on a PIX.  Any help would be greatly appreciated.  
Thank you.
~Averitt

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *******
passwd ******* encrypted
hostname PIX
domain-name local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 10.0.0.10 eq 3389
access-list outside_access_in permit tcp any host 10.0.0.213 eq 3393
access-list outside_access_in permit tcp any host 10.0.0.208 eq 3392
access-list outside_access_in permit tcp any host 10.0.0.207 eq 3390
access-list outside_access_in permit tcp any host 10.0.0.12 eq 3391
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq 135
access-list inside_outbound_nat0_acl permit ip any 10.0.0.224 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_cryptomap_dyn1_1 permit ip any 10.0.0.0 255.255.255.0
pager lines 20
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 70.60.1.1 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RA_VPN 172.16.1.1-172.16.1.100 mask 255.255.255.0
ip local pool radhcp 172.16.5.25-172.16.5.30 mask 255.255.255.0
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.10 255.255.255.255 inside
pdm location 10.0.0.12 255.255.255.255 inside
pdm location 10.0.0.207 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 10.0.0.224 255.255.255.224 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 10.0.0.224 255.255.255.240 outside
pdm location 172.16.1.0 255.255.255.0 outside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 10.0.0.207 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3391 10.0.0.12 3391 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3393 10.0.0.213 3393 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.0.0.10 www netmask 255.255.255.2550 0
static (inside,outside) tcp interface https 10.0.0.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 135 10.0.0.10 135 netmask 255.255.255.2550 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.1.1 1
route outside 172.16.5.0 255.255.255.0 70.60.1.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set Firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 match address outside_cryptomap_dyn1_1
crypto dynamic-map dyn1 1 set transform-set Firstset
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
vpngroup RA address-pool radhcp
vpngroup RA idle-time 1800
vpngroup RA password ********
telnet 0.0.0.0 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 255.255.255.255 outside
ssh timeout 15
console timeout 0
vpdn group PPTP-VPDM-GROUP accept dialin pptp
vpdn group PPTP-VPDM-GROUP ppp authentication pap
vpdn group PPTP-VPDM-GROUP ppp authentication chap
vpdn group PPTP-VPDM-GROUP ppp authentication mschap
vpdn group PPTP-VPDM-GROUP client configuration address local RA_VPN
vpdn group PPTP-VPDM-GROUP client configuration dns 10.0.0.10 24.25.5.60
vpdn group PPTP-VPDM-GROUP pptp echo 60
vpdn group PPTP-VPDM-GROUP client authentication local
vpdn username support password *********
vpdn enable outside
dhcpd address 10.0.0.25-10.0.0.75 inside
dhcpd dns 10.0.0.10 24.25.5.60
dhcpd wins 10.0.0.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local
dhcpd enable inside
terminal width 80
Cryptochecksum:ef4fc80959a0e7fbf767c4a6ab677505
: end

Open in new window

0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 2000 total points
ID: 26306083
According to the Cisco doc, You seem to be missing:

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local RA_VPN outside
isakmp client configuration address-pool local radhcp outside




0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 2

Author Comment

by:Averitteg
ID: 26306269
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

What is the address portion of this command for?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 26307009
You could use different keys for different addresses ....    
0
 
LVL 2

Author Comment

by:Averitteg
ID: 26307172
But since it's Remote access, what are the addresses representing?  I know there is the one outside global IP address where all outside users will direct their vpn client to initiate their vpn, but why would there be different addresses?  Sorry, just not fully comprehending the command or how to utilize it.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 26307288
If you only have 1 set of VPN users, then leave the address at "0.0.0.0 netmask 0.0.0.0" which equates to all users.  

0
 
LVL 2

Author Comment

by:Averitteg
ID: 26340935
Okay, I'll give it a try and post my results.
0
 
LVL 2

Author Comment

by:Averitteg
ID: 26341555
"You could use different keys for different addresses .... "
When you say this, do you mean I can use a different key for different locations where they could be connecting from?
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Considering cloud tradeoffs and determining the right mix for your organization.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question