02-23-2005 10:35 PM - edited 03-09-2019 10:26 AM
Hi All
How can I enable the VPN client and a site-to-site VPN on the outside interface simultaneously? If anyone has any idea, please let me know.
Thank you.
Pichet.p
02-24-2005 03:45 AM
Here is an example config:
PIX Firewall configuration version 6.3.3
PIX> enable
PIX# configure terminal
If more control is needed, or there is no sysopt connection permit-ipsec, then use access-list acs-outside.
PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp
PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP
PIX(config)# access-list acs-outside permit ah host VPNPeer host MyPublicIP
PIX(config)# access-group acs-outside in interface outside
or use (for dynamic VPN clients) :
PIX(config)# sysopt connection permit-ipsec
Description: This command permits IPSEC traffic through the PIX without an ACL comment statement
PIX(config)# aaa-server LOCAL protocol local
PIX(config)# aaa authentication secure-http-client
STEP 1 - Configure IKE
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# isakmp nat-traversal 20
PIX(config)# isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255
STEP 2 - Configure IPSEC
PIX(config)# access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# global (outside) 1 interface
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
PIX(config)# crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
PIX(config)# crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
PIX(config)# crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
PIX(config)# crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
PIX(config)# crypto map REMOTE client authentication LOCAL
PIX(config)# crypto map REMOTE interface outside
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside
STEP 3 - Configure VPN group
PIX(config)# ip local pool VPNPool x.y.z.1-x.y.z.254
PIX(config)# vpngroup VPNGroup address-pool VPNPool
PIX(config)# vpngroup VPNGroup dns-server dns2 dns1
PIX(config)# vpngroup VPNGroup default-domain localdomain
PIX(config)# vpngroup VPNGroup idle-time 1800
PIX(config)# vpngroup VPNGroup password grouppassword
PIX(config)# username vpnclient password vpnclient-password
Sincerely,
Patrick
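Added example (not from Patrick's post or from Cisco): a small Python checker for the two things that make the dual setup above work, namely that the static site-to-site entry has a lower sequence number than the dynamic entry (the PIX tries crypto map entries in sequence order, so the dynamic catch-all must be last) and that every static entry carries its peer and match ACL; it also flags the trade-offs a reviewer would raise today, i.e. sysopt connection permit-ipsec bypassing the outside ACL and 3DES/MD5/group 2 being weak by current standards. The sample config and the command shapes it recognises are condensed from the post; any other PIX syntax is ignored.

```python
import re

# Constructed sample, condensed from the config in the post above (placeholders kept).
SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer PEER-IP
crypto map REMOTE interface outside
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
SET_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$")
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def audit_crypto_config(text):
    """Return a list of findings (strings) for a PIX-style IKE/crypto map config."""
    entries, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := MAP_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {})["dynamic"] = m.group(3)
        elif m := SET_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {})[m.group(3)] = m.group(4)
        elif m := POLICY_RE.match(line):
            if m.group(3).lower() in WEAK[m.group(2)]:
                findings.append(f"isakmp policy {m.group(1)}: weak {m.group(2)} {m.group(3)}")
        elif line == "sysopt connection permit-ipsec":
            findings.append("sysopt connection permit-ipsec: IPsec traffic bypasses the outside ACL")
    highest = {}
    for name, seq in entries:
        highest[name] = max(highest.get(name, 0), seq)
    for (name, seq), entry in entries.items():
        if entry.get("dynamic"):
            # Entries are tried in sequence order: the dynamic one must be last, or it matches before the static peer.
            if seq != highest[name]:
                findings.append(f"crypto map {name} {seq}: dynamic entry is not the highest sequence")
        else:
            for needed in ("set peer", "match address"):
                if needed not in entry:
                    findings.append(f"crypto map {name} {seq}: missing '{needed}'")
    return findings
```

Running audit_crypto_config(SAMPLE_CONFIG) on the sample reports only the policy and sysopt findings; moving the dynamic entry below sequence 10, or dropping the set peer line, produces the corresponding crypto map finding.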
02-24-2005 06:12 PM
I will try to do this config.
Thank you Patrick
Pichet.p