PIX 501 & 506 with ADSL Router/Modem

warren.miller
Level 1

Hi, we have an issue in the UK in that PPPoE is not yet available. We have a host of clients who have ADSL lines with a single IP address and wish to implement a PIX as a VPN gateway. Can you give us some pointers as to how to get the VPN tunnel to the PIX if the only public IP address is on the router/modem? The provider's charge to upgrade to two public IP addresses makes the line rental triple, and our SME clients are just not willing to pay this. If you have any documentation on this, could you please post a link?

Thanks

WLM


cfenegan
Level 1

Hello Warren,

I've implemented a tunnel in the scenario you describe.

The VPN tunnel was between a 3005 concentrator and a PIX 501 using IPSec. The PIX was configured to use PPPoE on the external interface. The PIX was connected to a DLink302G (I think!) Ethernet/DSL modem which supports RFC1483 bridging enabling it to connect to PPPoA as used by the DSL connection.

Here is the abbreviated config of the 501:

access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list v3vpn permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
ip address outside xx.xx.xx.xx 255.255.255.255 pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set vpnaps esp-des esp-md5-hmac
crypto map VPNTunnel 10 ipsec-isakmp
crypto map VPNTunnel 10 match address v3vpn
crypto map VPNTunnel 10 set peer yy.yy.yy.yy
crypto map VPNTunnel 10 set transform-set vpnaps
crypto map VPNTunnel interface outside
isakmp enable outside
isakmp key ******** address yy.yy.yy.yy netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpdn group dsllink request dialout pppoe
vpdn group dsllink localname userid@domain
vpdn group dsllink ppp authentication chap
vpdn username userid@domain password user-password
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns ??
dhcpd wins ??
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain-name
dhcpd enable inside

This should work quite happily with a PIX at the other end as well as a 3005. If the DSL IP address is not static you will have to configure the remote end to accept any IP address. The DLink302G is no longer available but other Ethernet/DSL modems with RFC1483 support are available.

With a little modification this config can be used to service remote VPN clients connecting to the PIX.

Hope this helps.

Clive
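The transform set and ISAKMP policy in the config above use DES, MD5 and Diffie-Hellman group 1, which were the PIX defaults of the day but are not acceptable for a site-to-site tunnel now. The following script is an added example, not code from the thread or from Cisco: it audits the crypto-relevant lines of a PIX 6.x-style config, reports each weak setting with a line number, and emits a hardened copy. The replacement keywords (esp-aes-256, esp-sha-hmac, aes-256, group 5) assume PIX OS 6.3 or later, which is the release that added AES and DH group 5 to the 501/506; the sample config embedded in the script is constructed from the lines posted above.

```python
"""Flag weak IPsec/ISAKMP crypto in a PIX 6.x-style configuration.

Added example (not from the thread). The suggested replacements assume
PIX OS 6.3+ keywords for AES transform sets and DH group 5.
"""

# Constructed sample: the crypto-relevant lines of the config posted above.
SAMPLE_CONFIG = """\
access-list v3vpn permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
crypto ipsec transform-set vpnaps esp-des esp-md5-hmac
crypto map VPNTunnel 10 ipsec-isakmp
crypto map VPNTunnel 10 match address v3vpn
crypto map VPNTunnel 10 set peer yy.yy.yy.yy
crypto map VPNTunnel 10 set transform-set vpnaps
crypto map VPNTunnel interface outside
isakmp enable outside
isakmp key ******** address yy.yy.yy.yy netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

# Weak values mapped to the replacement a defender would want
# (assumed PIX 6.3+ keywords; 3DES is included because of Sweet32).
WEAK_ENCRYPTION = {"des": "aes-256", "3des": "aes-256"}
WEAK_HASH = {"md5": "sha"}
WEAK_DH_GROUP = {"1": "5", "2": "5"}
ISAKMP_TABLES = {"encryption": WEAK_ENCRYPTION, "hash": WEAK_HASH, "group": WEAK_DH_GROUP}


def _esp_alg(token):
    """Strip ESP decoration: 'esp-des' -> 'des', 'esp-md5-hmac' -> 'md5'."""
    alg = token[4:] if token.startswith("esp-") else token
    return alg[:-5] if alg.endswith("-hmac") else alg


def audit_pix_crypto(config_text):
    """Return a list of (line_no, setting, weak_value, suggested_value)."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        tokens = line.split()
        if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            # crypto ipsec transform-set NAME <esp-cipher> [<esp-auth>]
            for token in tokens[4:]:
                alg = _esp_alg(token)
                if alg in WEAK_ENCRYPTION:
                    findings.append((line_no, "transform-set encryption", alg,
                                     "esp-" + WEAK_ENCRYPTION[alg]))
                elif alg in WEAK_HASH:
                    findings.append((line_no, "transform-set hash", alg,
                                     "esp-" + WEAK_HASH[alg] + "-hmac"))
        elif tokens[:2] == ["isakmp", "policy"] and len(tokens) >= 5:
            # isakmp policy <n> <setting> <value>
            setting, value = tokens[3], tokens[4]
            table = ISAKMP_TABLES.get(setting, {})
            if value in table:
                findings.append((line_no, "isakmp " + setting, value, table[value]))
    return findings


def harden_line(line):
    """Return the line with weak crypto keywords swapped; other lines unchanged."""
    tokens = line.split()
    if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
        fixed = tokens[:4]
        for token in tokens[4:]:
            alg = _esp_alg(token)
            if alg in WEAK_ENCRYPTION:
                fixed.append("esp-" + WEAK_ENCRYPTION[alg])
            elif alg in WEAK_HASH:
                fixed.append("esp-" + WEAK_HASH[alg] + "-hmac")
            else:
                fixed.append(token)
        return " ".join(fixed)
    if tokens[:2] == ["isakmp", "policy"] and len(tokens) >= 5:
        table = ISAKMP_TABLES.get(tokens[3], {})
        if tokens[4] in table:
            return " ".join(tokens[:4] + [table[tokens[4]]] + tokens[5:])
    return line


def hardened_config(config_text):
    """Rewrite every weak line of the config, preserving order and other lines."""
    return "\n".join(harden_line(line) for line in config_text.splitlines())


if __name__ == "__main__":
    for line_no, setting, weak, suggested in audit_pix_crypto(SAMPLE_CONFIG):
        print(f"line {line_no}: {setting} uses {weak}; suggest {suggested}")
    print("--- hardened ---")
    print(hardened_config(SAMPLE_CONFIG))
```

Both peers must agree on the new transform set and ISAKMP policy, so the same change is needed on the 3005 or the far-end PIX before the tunnel will re-establish; the audit function is deliberately separate from the rewrite so it can be run read-only against a saved `show running-config` first.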
