06-28-2004 12:01 AM
Hi, we have an issue in the UK in that PPPoE is not yet available. We have a host of clients who have ADSL lines with a single IP address and wish to implement a PIX as a VPN gateway. Can you give us some pointers as to how to get the VPN tunnel to the PIX if the only public IP address is on the router/modem? The actual provider charges to upgrade to two public IP addresses make the line rental triple, and our SME clients are just not willing to pay this. If you have any documentation on this, could you please post a link?
Thanks
WLM
06-30-2004 05:58 AM
Hello Warren,
I've implemented a tunnel in the scenario you describe.
The VPN tunnel was between a 3005 concentrator and a PIX 501 using IPSec. The PIX was configured to use PPPoE on the external interface. The PIX was connected to a DLink302G (I think!) Ethernet/DSL modem which supports RFC1483 bridging enabling it to connect to PPPoA as used by the DSL connection.
Here is the abbreviated config of the 501:
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list v3vpn permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
ip address outside xx.xx.xx.xx 255.255.255.255 pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set vpnaps esp-des esp-md5-hmac
crypto map VPNTunnel 10 ipsec-isakmp
crypto map VPNTunnel 10 match address v3vpn
crypto map VPNTunnel 10 set peer yy.yy.yy.yy
crypto map VPNTunnel 10 set transform-set vpnaps
crypto map VPNTunnel interface outside
isakmp enable outside
isakmp key ******** address yy.yy.yy.yy netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpdn group dsllink request dialout pppoe
vpdn group dsllink localname userid@domain
vpdn group dsllink ppp authentication chap
vpdn username userid@domain password user-password
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns ??
dhcpd wins ??
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain-name
dhcpd enable inside
This should work quite happily with a PIX at the other end as well as a 3005. If the DSL IP address is not static you will have to configure the remote end to accept any IP address. The DLink302G is no longer available but other Ethernet/DSL modems with RFC1483 support are available.
With a little modification this config can be used to service remote VPN clients connecting to the PIX.
Hope this helps.
Clive
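As an added example (not part of Clive's post or any Cisco tool), here is a small Python audit that reads a PIX 6.x config in the syntax shown above and reports two things a reviewer would check before deploying it: the weak-by-today's-standards DES/MD5/DH group 1 choices in the transform set and ISAKMP policy, and whether the crypto map's interesting-traffic ACL exists and is also exempted from NAT by the nat 0 ACL (if it is not, the tunnel never sees the traffic). The sample config is constructed from the post, keeping its xx/yy placeholders; the `WEAK` table and function names are the example's own.

```python
# Constructed sample: the abbreviated PIX 501 config posted above, with the
# xx/yy placeholders left as they are.
SAMPLE_CONFIG = """\
access-list no-nat permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list v3vpn permit ip 192.168.1.0 255.255.255.0 172.16.254.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto ipsec transform-set vpnaps esp-des esp-md5-hmac
crypto map VPNTunnel 10 ipsec-isakmp
crypto map VPNTunnel 10 match address v3vpn
crypto map VPNTunnel interface outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

# Algorithm keywords the audit treats as weak (PIX 6.x keyword spelling).
WEAK = {"des": "single DES", "esp-des": "single DES", "md5": "MD5",
        "esp-md5-hmac": "HMAC-MD5", "1": "DH group 1 (768-bit MODP)"}

def audit_pix_vpn(config):
    """Return a list of findings for the IKE/IPsec part of a PIX 6.x config."""
    acls, maps, nonat, findings = {}, {}, None, []
    for line in config.splitlines():
        w = line.split()
        if len(w) < 5:
            continue
        if w[0] == "access-list":
            acls.setdefault(w[1], []).append(" ".join(w[2:]))
        elif w[:2] == ["nat", "(inside)"] and w[2:4] == ["0", "access-list"]:
            nonat = w[4]                      # ACL that exempts VPN traffic from NAT
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in w[4:]:
                if alg in WEAK:
                    findings.append(f"transform-set {w[3]}: {WEAK[alg]}")
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            entry = maps.setdefault((w[2], w[3]), {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
        elif w[:2] == ["isakmp", "policy"] and w[3] in ("encryption", "hash", "group"):
            if w[4] in WEAK:
                findings.append(f"isakmp policy {w[2]} {w[3]}: {WEAK[w[4]]}")
    # The crypto ACL must exist, and each of its entries must also be in the nat 0
    # ACL; otherwise the traffic is translated before the crypto map can match it.
    for (name, seq), m in maps.items():
        acl = m.get("acl")
        if acl not in acls:
            findings.append(f"crypto map {name} {seq}: match address ACL {acl!r} not defined")
        elif nonat and any(e not in acls.get(nonat, []) for e in acls[acl]):
            findings.append(f"crypto map {name} {seq}: {acl} traffic not exempted from NAT by {nonat}")
    return findings
```

Running `audit_pix_vpn(SAMPLE_CONFIG)` on the posted config reports the five weak-algorithm findings and no ACL problems, since the no-nat and v3vpn ACLs are identical.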