Creating a VPN Connection to PIX 501 using VPN Client?

brian-henry
Level 4

Hello,

I am new at this and I am trying to configure a secure VPN tunnel from anywhere that I travel back to my PIX at home via the VPN Client Software.

I wanted to use crypto ipsec, crypto maps, isakmp policies and 3DES, group 2, with a local DHCP scope on the PIX and a RemoteUsers group.

I have my cable modem connected directly into my 501.

I have my vpngroup configured and the DHCP pool. I just do not see how I can enter any pre-shared information in the client config, but you could under the old Cisco Secure Client?

If anyone has a sample config I could look at I would greatly appreciate it.

Thanks a million.

Brian

3 Replies

sachinraja
Level 9

Hello Brian,

There is no pre-shared information configured for dynamic IPsec. Instead you need to configure VPN groups and get the client authenticated using a TACACS server or a local database.

The sample configs are as below:

No-NAT configuration:

nat (inside) 0 access-list 100
access-list 100 permit ip host 192.168.1.1 10.1.1.0 255.255.255.0

This will not do NAT for the traffic originating from your server (192.168.1.1) to the IP pool when the user gets connected.

IPsec configuration:

aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside

Policy:

isakmp identity address
isakmp nat-traversal 20 (required only if PAT'd client traffic is coming onto the PIX)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

VPN group config:

vpngroup abcvpn address-pool vpnpool
vpngroup abcvpn split-tunnel 100
vpngroup abcvpn idle-time 1800
vpngroup abcvpn password ********
username xyz password abcdef

Do let me know if you need any more information.

Thank you for your reply, and that was perfect.

The only question that I have is that, like you pointed out, I do not have a RADIUS or TACACS server right now and will have to use a local database on the PIX.

When you say traffic originating from your server, would that be RADIUS or TACACS?

So if I have the following networks on the inside, I would need one access list for them all.

If I have several 10.10.X.X networks and my pool was 10.10.Y.Y, then I would have to create the following? Thanks again.

access-list 102 permit ip 10.10.99.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.100.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.101.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.102.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.103.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.104.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.105.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.106.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.107.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list 102 permit ip 10.10.108.0 255.255.255.0 10.10.98.0 255.255.255.0
ip local pool vpndhcp 10.10.98.1-10.10.98.254

You are right, the access lists look good; it should work out. The access list 102 will then be applied to the no-NAT statement.

I was referring to your internal servers and not the RADIUS or TACACS: traffic originating from your internal servers, which are on the 10.10.x.x network.

Hope you got it.
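The no-NAT exemption discussed above is one ACE per inside subnet, all pointing at the VPN pool, bound with `nat (inside) 0 access-list`. The script below is an added example, not code from the thread or from Cisco: it generates those lines for PIX 6.x syntax (real subnet masks, not IOS wildcards) from a list of inside subnets and a first-last pool range, and refuses to emit a config if the pool overlaps an inside subnet, which is the one mistake that silently breaks this setup. The function names, the ACL number 102 and the pool name `vpndhcp` are assumptions; the addresses are the ones Brian posted.

```python
# Added example (not from the thread): build the PIX 6.x no-NAT exemption and
# address pool for a remote-access VPN from a list of inside subnets, and
# refuse to emit it if the pool overlaps an inside subnet. Function names,
# the ACL number and the pool name are assumptions; the addresses are the
# ones used in the thread.
import ipaddress
from typing import List


def covering_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest IPv4 network that contains both ends of a pool range.

    The no-NAT ACL takes network/mask pairs, so a pool written as a
    first-last range (the `ip local pool` syntax) must be turned into a prefix.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"pool range is reversed: {first}-{last}")
    for prefix in range(32, -1, -1):  # widen from /32 until the range fits
        net = ipaddress.IPv4Network((int(lo), prefix), strict=False)
        if hi in net:
            return net
    raise AssertionError("unreachable: 0.0.0.0/0 contains every address")


def overlapping_subnets(inside: List[ipaddress.IPv4Network],
                        pool: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Inside subnets that collide with the pool.

    A pool carved out of an inside subnet makes the same packet match the
    exemption as both source and destination and leaves the inside hosts
    with no route to the VPN clients, so it is treated as a config error.
    """
    return [n for n in inside if n.overlaps(pool)]


def nonat_acl(acl: int, inside: List[ipaddress.IPv4Network],
              pool: ipaddress.IPv4Network) -> List[str]:
    """One ACE per inside subnet, inside -> pool, in PIX mask syntax."""
    return [
        f"access-list {acl} permit ip {n.network_address} {n.netmask} "
        f"{pool.network_address} {pool.netmask}"
        for n in inside
    ]


def build_vpn_nonat_config(acl: int, pool_name: str, inside_subnets: List[str],
                           pool_first: str, pool_last: str) -> List[str]:
    """Return the config lines: ACL entries, the nat 0 binding and the pool."""
    inside = [ipaddress.IPv4Network(s) for s in inside_subnets]
    pool = covering_network(pool_first, pool_last)
    clash = overlapping_subnets(inside, pool)
    if clash:
        raise ValueError(f"VPN pool {pool} overlaps inside subnet(s): "
                         + ", ".join(str(n) for n in clash))
    lines = nonat_acl(acl, inside, pool)
    lines.append(f"nat (inside) 0 access-list {acl}")
    lines.append(f"ip local pool {pool_name} {pool_first}-{pool_last}")
    return lines


# Constructed sample input: the ten inside /24s and the pool from the thread.
INSIDE_SUBNETS = [f"10.10.{third}.0/24" for third in range(99, 109)]
POOL_FIRST, POOL_LAST = "10.10.98.1", "10.10.98.254"

if __name__ == "__main__":
    for line in build_vpn_nonat_config(102, "vpndhcp", INSIDE_SUBNETS,
                                       POOL_FIRST, POOL_LAST):
        print(line)
```

Running it prints the ten `access-list 102 permit ip ...` entries from the thread followed by `nat (inside) 0 access-list 102` and the `ip local pool vpndhcp` line. If you also point `vpngroup ... split-tunnel` at the same ACL, as the sample config does with ACL 100, the same list of inside subnets is what the client will route through the tunnel, so keeping both references on one generated ACL keeps them from drifting apart.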