Need guide to configure VPN Client

tonny_ecmyy
Level 1

Hello there...

I have vpn in my pix 506E and I have vpn client ver.4.0.1 software installed on other pc (outside). In the firewall, there are two type of vpn; site to site vpn and remote access vpn. We use remote access vpn to allow vpn client to access our server right?

All of this is new to me and could you give an examples how to configure vpn inside my firewall whether in CLI Command or PDM, and how to configure the vpn client software.

Thanks for helping cisco beginner

Tonny

9 Replies

sachinraja
Level 9

Hello Tony,

You can configure your PIX using CLI. you can go into the PIX and configure the following for remote access VPN.

No nat:

    nat (inside) 0 access-list 100
    access-list 100 permit ip host 192.168.180.1 (server ip to be accessed) 10.1.1.0 255.255.255.0 (IP pool)
    ip local pool vpnpool 10.1.1.1-10.1.1.254

Crypto map configuration:

    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address

Policy configuration:

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

VPN group configuration:

    vpngroup abcvpn address-pool vpnpool
    vpngroup abcvpn split-tunnel 100
    vpngroup abcvpn idle-time 1800
    vpngroup abcvpn password ********
    username tonny password cisco

Once you configure this, configure your client as given below:

1) download the vpn client from cisco site and install the exe.

2) when you configure the client for the first time, give a connection name. This happens, once you open the software after installing it.

3) On the tab hostname/ip address of the server, give your PIX's outside IP address.

4) configure the group authentication parameters. in the above example, this information is "groupname - abcvpn, password - password"

5) Press finish and then click connect.

You will get another window, asking for the local authentication. Enter tonny, password, as configured on the PIX using the username command.

All the best !!

Rate all replies if found useful..

Hello...

I'm still unable to connect to our server using vpn client. the vpn client shows this message: secure VPN connection terminated locally by the client reason the remote peer is no longer responding.

In the host name i fill in my fixed ip 202.xxx.xxx.161 which is translated to firewall outside ip 10.1.1.2. before this, I use this fixed ip to remote the server inside using the command

#static (inside,outside) 10.1.1.9 192.168.1.9 netmask 255.255.255.255 0 0

could you give an examples base on my configuration that i have attach...please look through..

i'm the person that you help in previous conversation under firewalling forum. I was success in previous step, now i'm going to configure vpn.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd699b5

Thanks

Tonny

Ya Tony.. I know you..

The IP pool you have assigned is the same as the LAN pool. This is not the right way to do it. Change this IP pool to a different subnet and then try..

ip local pool vpnpool 192.168.100.1-192.168.100.254

access-list 100 permit ip host 192.168.1.9 192.168.100.0 255.255.255.0

With your configuration, you can connect only to the server 192.168.1.9 after logging on to the VPN.

By the way, where are you trying the VPN from ? from internet or from somewhere local ? because i remember you do not have a public IP on the PIX outside.. is that so ? if not, go ahead with the config told above.

All the best !!
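An added sanity check for the two points raised in this thread: the nat 0 / split-tunnel access-list must cover the whole client pool, and the pool must not overlap the inside LAN. This is example code written for this thread, not anything from Cisco or from the posters; the PIX snippets, including the `ip address inside` line, are constructed for illustration.

```python
import ipaddress
import re

# Constructed PIX 6.x snippets modelled on this thread (not a real device config).
# BAD mirrors Tonny's mistake: the pool lives inside the LAN subnet 192.168.1.0/24;
# GOOD uses the separate 192.168.100.0/24 pool that Raj suggested.
PIX_CONFIG_BAD = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.100-192.168.1.200
access-list 100 permit ip host 192.168.1.9 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
vpngroup abcvpn address-pool vpnpool
vpngroup abcvpn split-tunnel 100
"""
PIX_CONFIG_GOOD = PIX_CONFIG_BAD.replace(
    "192.168.1.100-192.168.1.200", "192.168.100.1-192.168.100.254"
).replace("192.168.1.0 255.255.255.0", "192.168.100.0 255.255.255.0")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) (\S+) (\S+)$")
POOL_USE_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")


def check_pix_vpn_config(text):
    """Return a list of findings; an empty list means the checks all passed."""
    pools, acls, pool_use, inside = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := INSIDE_RE.match(line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := ACL_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            acls.setdefault(m[1], []).append(net)
        elif m := POOL_USE_RE.match(line):
            pool_use[m[1]] = m[2]
    findings = []
    for group, name in pool_use.items():
        if name not in pools:
            findings.append(f"vpngroup {group}: pool {name} is not defined")
            continue
        first, last = pools[name]
        # Finding 1: pool addresses that collide with the inside LAN (Tonny's bug).
        if inside is not None and (first in inside or last in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        # Finding 2: every nat 0 / split-tunnel ACL entry set must span the whole pool.
        for acl, nets in acls.items():
            if not any(first in n and last in n for n in nets):
                findings.append(f"access-list {acl} does not cover pool {name}")
    return findings
```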

Hello sachinraja,

I'm trying the vpn client from internet using broadband connection. I have 2 internet lines in my office, the line with dynamic ip (this is the line that i try cisco vpn client using notebook) and the other one is fixed ip line 202.xxx.xxx.161 (this is where my server is located). As my server is vulnerable to hackers or any unauthorized access, i need a secure tunnel to access it.

Currently i'm using cisco vpn client ver 4.0.1, under the transport tab, i've enabled transparent tunneling and chosen ipSec over udp (NAT/PAT). In host, i fill in fixed ip add 218.xxx.xxx.161 which is then translated to 10.1.1.2 (firewall outside interface) if i'm doing remote

218.xxx.xxx.161 > 10.1.1.9 > 192.168.1.9.

I still can't connect with vpn.

your cooperation is highly appreciated

thanks

Tonny

Hello tonny,

You can call me Raj..

You have made your scenario a little complex now with 2 internet lines.. are they from different ISPs ? are they terminating on the same router ?

anyway, did you change the ip pool and the access-lists which were given to you before ??

I hope you are doing the nat on the router.. can you mail me the router/pix configurations offline to my mail id ? the problem can be solved easily after seeing that..

Thanks Raj for replying,

I already send you an email.

Thanks

Tonny

Hello tony,

saw your router config. seems to be a non cisco router. your problem is as below:

see .. you have a PIX with outside IP as private, which will not be reachable from internet. so, for the reachability, you need to translate the outside ip PIX 10.1.1.2 to a public IP, which you need to configure on the router. without this the firewall outside IP will not be reached and IPSEC cannot be configured.

One solution is to assign a public IP for the firewall outside directly and change the inside IP of the router to the same subnet. You just need a /30 IP subnet for this. Once you do this, the PIX will be directly reachable via the public IP, which will solve your problem.

hope this helps.

Hi Raj,

I've e-mailed you another config, I think it's my router which has the problem..

Thank you

Tony

tony,

try changing it to a cisco and see if it solves.. but otherwise, since you have changed the PIX outside IP now, you will be able to make VPN connections to the new public IP now, if it is routed on internet.

can you please try connecting now and let us know what happens ?