Enable vpnclient and site-to-site on interface outside simultaneous.

Hi All

How can I enable vpnclient and VPN site-to-site on interface outside simultaneously? If anyone has any idea, please let me know.

Thank you.

Pichet.p

2 Replies

Patrick Iseli
Level 7

Here is an example config:

PIX Firewall configuration version 6.3.3

PIX> enable
PIX# configure terminal

If more control is needed, or there is no sysopt connection permit-ipsec, then use access-list acs-outside.

PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp
PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP
PIX(config)# access-list acs-outside permit ah host VPNPeer host MyPublicIP
PIX(config)# access-group acs-outside in interface outside

or use (for dynamic VPN clients):

PIX(config)# sysopt connection permit-ipsec

Description: This command permits IPSEC traffic through the PIX without an ACL comment statement.

PIX(config)# aaa-server LOCAL protocol local
PIX(config)# aaa authentication secure-http-client

STEP 1 - Configure IKE

PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
PIX(config)# isakmp nat-traversal 20
PIX(config)# isakmp identity address
PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255

STEP 2 - Configure IPSEC

PIX(config)# access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# global (outside) 1 interface
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
PIX(config)# crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
PIX(config)# crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
PIX(config)# crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
PIX(config)# crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
PIX(config)# crypto map REMOTE client authentication LOCAL
PIX(config)# crypto map REMOTE 10 ipsec-isakmp
PIX(config)# crypto map REMOTE 10 match address VPN
PIX(config)# crypto map REMOTE 10 set peer PEER-IP
PIX(config)# crypto map REMOTE 10 set transform-set TRANS
PIX(config)# crypto map REMOTE interface outside

Step 3 - VPN Group config

PIX(config)# ip local pool VPNPool x.y.z.1-x.y.z.254
PIX(config)# vpngroup VPNGroup address-pool VPNPool
PIX(config)# vpngroup VPNGroup dns-server dns2 dns1
PIX(config)# vpngroup VPNGroup default-domain localdomain
PIX(config)# vpngroup VPNGroup idle-time 1800
PIX(config)# vpngroup VPNGroup password grouppassword
PIX(config)# username vpnclient password vpnclient-password

sincerely

Patrick
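The reason the reply's config works with both peers on one interface is the crypto map ordering: the static site-to-site entry (seq 10) carries a lower sequence number than the dynamic vpnclient entry (seq 65535), so a fixed peer is matched first and the dynamic entry acts as the catch-all. The following checker is an added example, not code from the thread or from Cisco; it parses crypto map lines in the style shown above and flags a dynamic entry that is ordered before a static one, or a static entry missing its peer, match ACL or transform set. The sample config is constructed, with a placeholder peer address.

```python
# Added example (not from the thread): audit PIX 6.3-style crypto map entries
# so that a static site-to-site entry and a dynamic vpnclient entry can
# coexist. Rule: every dynamic entry must have a higher sequence number than
# every static entry, and each static entry needs peer, match ACL and
# transform set. Sample config below is constructed for the demo.
import re

SAMPLE_CONFIG = """\
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address VPN
crypto map REMOTE 10 set peer 203.0.113.10
crypto map REMOTE 10 set transform-set TRANS
crypto map REMOTE interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ATTRS = {"set peer": "peer", "match address": "acl", "set transform-set": "ts"}


def parse_crypto_map(text):
    """Return {map_name: {seq: {'dynamic', 'peer', 'acl', 'ts'}}} from config text."""
    maps = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # interface bindings and other non-entry lines are skipped
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(seq, {"dynamic": False})
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["dynamic"] = True
        for prefix, key in ATTRS.items():
            if rest.startswith(prefix):
                entry[key] = True
    return maps


def audit(text):
    """Return findings; an empty list means ordering and static entries are sound."""
    findings = []
    for name, entries in parse_crypto_map(text).items():
        static = [s for s, e in entries.items() if not e["dynamic"]]
        dynamic = [s for s, e in entries.items() if e["dynamic"]]
        if static and dynamic and min(dynamic) < max(static):
            findings.append(f"{name}: dynamic seq {min(dynamic)} precedes static seq {max(static)}")
        for seq in static:
            missing = [k for k in ATTRS.values() if not entries[seq].get(k)]
            if missing:
                findings.append(f"{name} seq {seq}: missing {', '.join(missing)}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` on a saved running-config to get an empty list when the map is ordered as in the reply; any finding names the map and sequence number to fix.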

I will try to do this config.

Thank you Patrick

Pichet.p