
Disappointed

astaltari
Level 1

I bought 2 PIX 501 firewalls for separate offices to replace a Linux box in one and a Linksys box at the other. What I am looking for is a simple configuration example, which seems to be impossible to find.

Office1 - full access to the internet for all inside users

- only VPN access from the outside from dynamic clients to the terminal server at 10.0.0.5 and no access to the main server at 10.0.0.2

Office 2 - full access to the internet for all inside users

- only VPN access from the outside from dynamic clients to the ftp server at 90.0.0.10 and no access to the main server at 10.0.0.1

I bought these boxes because I was told that I would not need to learn Linux and that there is a GUI interface. It seems that the startup is only good for the default setting of getting out only.

Please help before I put them back in the box and return them

8 Replies

jsani
Level 1

Astaltari: I'm afraid that you have been misled. It’s true that you won't have to learn Linux; but, you will have to learn! I don't believe that you'll find any firewall appliance in the market that won't require you to learn how to operate it.

Now, your description of what you want is really vague. Why don't you post your current configuration, and I am sure someone will point you in the right direction.

Meanwhile, if you want PDM (PIX Device Manager; the GUI) enabled, try this:

Connect to your PIX (via Console or Telnet/SSH), and enter the following (in-sequence):

enable
config term
http server enable
http 0 0 inside
exit
write mem

Open a browser and type in your PIX's inside IP (don't forget to use https://). I'm assuming that you have already completed basic configuration, and have assigned an IP to the inside Ethernet port, and you can ping it.

Also, you'll need to have Java VM installed. Lastly, try going over the manual once more.

Good luck.

Thank you for the response, but what I am looking for is a configuration example similar to my situation.

I want all my inside traffic to go out. (Done, that works right out of the box.)

I want nothing to be able to get in from outside. (Done, that works right out of the box.)

I now want to be able to connect to my internal network through the internet using Cisco Client 4.0.1.

I also want to get to the ftp server and terminal server with addresses of 10.0.0.2 and 10.0.0.5 when I am connected through the vpn client.

This is what I can not find an example of.

Thank you again for help.

Aldo

Aldo: Glad to hear you got some of your requirements up and running. Now, take a look at this example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

It doesn't do everything you want, but take a look at the sample I have below, and try to piece together what you need:

Assume:

Outside: 172.x.x.x.x.255.0

Inside: 10.0.0.0 255.255.255.0

VPN IP Pool: 10.10.0.0 255.255.255.0

!-- Allow IPSec traffic terminating on the outside interface to pass thru to our inside interface.
access-list acl_out permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
!-- Apply acl_out to interface outside; blocks all other traffic, except those permitted by acl_out.
access-group acl_out in interface outside
!-- Allow VPN traffic only to access ports specified by acl_in
access-list acl_in permit tcp host 10.0.0.2 10.10.0.0 255.255.255.0 eq ftp
access-list acl_in permit tcp host 10.0.0.2 10.10.0.0 255.255.255.0 eq ftp-data
access-list acl_in permit tcp host 10.0.0.5 10.10.0.0 255.255.255.0 eq 3389
!-- Again, this will block everything but those permitted by acl_in; so this means that you need to add more statements to acl_in to allow inside->outside for your inside users.
access-group acl_in in interface inside
!-- Allow internal users to access common internet ports:
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 any eq http
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 any eq ftp
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 any eq ftp-data
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 any eq telnet
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 any eq domain
!-- Don't forget to allow UDP domain
access-list acl_in permit udp 10.0.0.0 255.255.255.0 any eq domain
!-- This will be used in conjunction with nat (inside) 0 access-list acl_nat0
access-list acl_nat0 permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
!-- Don't translate VPN traffic
nat (inside) 0 access-list acl_nat0
!-- Pool of addresses that will be used by VPN clients
ip local pool VPN-IP-pool 10.10.0.10-10.10.0.200
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!--- Create a dynamic crypto map and specify which
!--- transform sets are allowed for this dynamic crypto map entry.
crypto dynamic-map DynVPN 10 set transform-set 3DES-SHA
!--- Add the dynamic crypto map set into a static crypto map set.
crypto map VPNClient 10 ipsec-isakmp dynamic DynVPN
!--- Enable the PIX to launch the Xauth application on the VPN Client.
crypto map VPNClient client authentication MyRADIUS
!--- Apply the crypto map to the outside interface.
crypto map VPNClient interface outside
!--- IKE Policy Configuration.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for VPN Client.
!--- The address-pool name must match the "ip local pool" defined above.
vpngroup vpn3000 address-pool VPN-IP-pool
vpngroup vpn3000 dns-server 10.0.0.x
vpngroup vpn3000 wins-server 10.0.0.x
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
!--- Group name and pre-shared key (password) configured on the VPN Client; xxxx are placeholders.
vpngroup xxxx password xxxx

So, the only thing left now is to set up a RADIUS server to authenticate your VPN clients against. Also, you don't want the line that says "sysopt connection permit-ipsec".

And, of course, this isn't a complete config, but a snippet. But I think it has all the elements necessary to help you set up your VPN and limited access to your 10.0.0.2/5 addresses.

Hope this helps.

Johans

Hi Johans,

Just a question on the ACLs in your example. Wouldn't you configure acl_out as follows:

!-- Allow IPSec traffic terminating on the outside interface to pass thru to our inside interface.
access-list acl_out permit tcp 10.10.0.0 255.255.255.0 host 10.0.0.2 eq ftp
access-list acl_out permit tcp 10.10.0.0 255.255.255.0 host 10.0.0.5 eq 3389

And I don't believe you will require the following lines in acl_in:

access-list acl_in permit tcp host 10.0.0.2 10.10.0.0 255.255.255.0 eq ftp
access-list acl_in permit tcp host 10.0.0.2 10.10.0.0 255.255.255.0 eq ftp-data
access-list acl_in permit tcp host 10.0.0.5 10.10.0.0 255.255.255.0 eq 3389

I may be wrong here, this is just my understanding of it.

Also, Aldo, please be aware that the PIX 501 will only support 10 concurrent VPN users with 6.3 (and only 5 with 6.2).

Regards,

Craig.

Craig: You're right - you wouldn't need those acl_in access-lists entries. Thanks for pointing out my error.

Cheers,

Johans

Oops. I really need to stop posting messages when half-asleep. I had "access-group acl_in in interface inside" in the example, so even though acl_out would let the traffic thru, it'll get dropped on the inside interface. So, you might as well just use sysopt conn permit-ipsec, with only the acl_in statements allowing ftp traffic to flow thru.

Johans
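To check what the two acl_out versions in this exchange actually permit for a VPN client, here is a small first-match evaluator for the PIX 6.x access-list syntax used above. It is an added example, not code from the thread or from Cisco; the ACL lines are copied from Johans' and Craig's posts, and the client address 10.10.0.50 is a constructed sample from the pool.

```python
import ipaddress

# Constructed from the thread: Johans' original acl_out and Craig's restricted version.
JOHANS_ACL_OUT = [
    "access-list acl_out permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0",
]
CRAIGS_ACL_OUT = [
    "access-list acl_out permit tcp 10.10.0.0 255.255.255.0 host 10.0.0.2 eq ftp",
    "access-list acl_out permit tcp 10.10.0.0 255.255.255.0 host 10.0.0.5 eq 3389",
]
# Service keywords used in the thread's ACLs, mapped to port numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443, "telnet": 23, "domain": 53}

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (PIX 6.x subset)."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"permit": t[2] == "permit", "proto": t[3], "src": src, "dst": dst, "port": port}

def permitted(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation of an interface ACL with the PIX implicit deny at the end.
    Models only the ACL; 'sysopt connection permit-ipsec' would bypass it for decrypted VPN traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["permit"]
    return False

if __name__ == "__main__":
    for label, acl in (("Johans", JOHANS_ACL_OUT), ("Craig", CRAIGS_ACL_OUT)):
        print(label, "VPN client telnet to 10.0.0.2:", permitted(acl, "tcp", "10.10.0.50", "10.0.0.2", 23))
```

Johans' permit ip entry lets a VPN client reach every port on every inside host, while Craig's version allows only ftp to 10.0.0.2 and 3389 to 10.0.0.5 and drops everything else, which is the policy Aldo asked for.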

configuring a pix with no experience will be difficult.

there is a gui, but you still need to understand routing principals.

the cisco pix gui is called the pix device manager (PDM). you will be able to use it to configure what you want.

as long as http server is enabled in the pix, you should be able to access the PDM at https://192.168.0.1/pdm.html (inside interface ip)

if you are interested in seeing what commands the pdm sends to the pix, you can enable "view commands before they are sent to the pix" in the pdm menu.

and you will need java installed ;)

one other tip that i find useful is, don't set a default gateway on your client pc (leave it blank) and set your client ip in the same subnet as the pix inside interface. i find that if you have the default gateway set the pdm often runs as slow as a dog and frequently times out. don't ask me why.. lol

configuring a pix for the first time is often off putting, but once you get used to it, you will appreciate the versatility of it ;)

good luck

rob

Given your list of requirements, the easiest way to accomplish this is to use the PDM and go into the VPN wizard. Click Wizards from the menu bar at the top and select VPN Wizard. You will want to do a Remote Access VPN on the OUTSIDE interface. It will ask you some questions about using a Pre-shared key or Certificate. Next, if you don't have an authentication server, uncheck that option. Next, you will have the option of putting in other information like your internal DNS server and WINS server and such. Next, you will create a group name and range of IPs to use. The name can be anything, and the IPs should be a range on your internal network that are available for use. These will be assigned to the incoming remote connections. Next, you will need to choose the type of encryption. Make sure this matches up with what you are using on your Cisco client software. Next, you will choose the range of IPs that you want the remote users to have access to, i.e. 10.0.0.2 and 10.0.0.5. After that you are set. It will automatically generate all the crypto maps and such for you. In this simple config, make sure you use a really strong Pre-shared key, cuz this is the only thing protecting you from any other client connecting to you.