10-19-2005 03:41 AM - edited 02-21-2020 02:03 PM
Hi!
I wonder if I can use the Pix501 as a VPN server? I want to connect to my local LAN from the Internet without using any RAS servers on the inside. Is this possible?
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname *********
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
10-19-2005 05:45 AM
Hi,
Yes, you can configure the PIX as the VPN server and connect using the Cisco VPN Client from outside.
Please find a sample PIX config for the same below.
---------------------------
# Let IPsec traffic bypass the outside access-list
sysopt connection permit-ipsec
# Exempt LAN-to-VPN-pool traffic from NAT
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list DYN-VPN-ACL permit ip 192.168.100.0 255.255.255.0 192.168.254.0 255.255.255.0
aaa-server LOCAL protocol local
# Phase 2 (IPsec): transform set and dynamic crypto map for clients with unknown addresses
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map client-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map client-map client authentication LOCAL
crypto map client-map isakmp authorization LOCAL
crypto map client-map client configuration address respond
crypto map client-map interface outside
# Phase 1 (ISAKMP) policy
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
# Client group: address pool, DNS, group password (pre-shared key) and the local user
ip local pool VPNPool 192.168.254.1 192.168.254.254
vpngroup rasvpngroup address-pool VPNPool
vpngroup rasvpngroup dns-server dns2 dns1
vpngroup rasvpngroup default-domain cisco.com
vpngroup rasvpngroup idle-time 1800
vpngroup rasvpngroup password xxxxxxx
vpngroup rasvpngroup acl DYN-VPN-ACL
username cisco password cisco123
HTH
Regards,
Shijo George.
10-19-2005 05:59 AM
Or you could use PPTP instead of an IPsec VPN; that way you could use the Microsoft VPN functionality that is built in instead of a VPN client from Cisco.
I personally prefer the IPsec option with the VPN Client, but it is your choice.
Example config for PPTP VPN:
fixup protocol pptp 1723
# Access list for dynamic VPN users; if the client connects from a fixed IP, then restrict the source IP.
access-list acs-outside permit tcp any host PPTP-Public eq pptp
access-list acs-outside permit gre any host PPTP-Public
access-group acs-outside in interface outside
# or use sysopt, which ignores the access-lists and lets the protocol through:
sysopt connection permit-pptp
static (inside,outside) PPTP-Public PPTP-Local-Server-IP netmask 255.255.255.255 0 0
# PPTP terminated on the PIX itself: enable the PPTP listener on the outside interface
vpdn enable outside
ip local pool PPTPool 192.168.200.1-192.168.200.254
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP client configuration address local PPTPool
vpdn group PPTP client configuration dns 192.168.1.100
vpdn group PPTP client configuration wins 192.168.1.101
vpdn group PPTP client authentication local
vpdn username user password userpassword
sincerely
Patrick
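As an added example that is not part of this thread (neither Shijo's nor Patrick's code): a small Python linter that reads PIX 6.x configs like the two samples above and checks the two things a reviewer would look at first. First, whether each VPN address pool is exempted from NAT by a `nat (inside) 0 access-list` rule, since without it replies from inside hosts to VPN clients are translated by the `nat (inside) 1` rule. Second, whether the IKE/IPsec/PPP/SNMP lines use the weak settings shown above (3DES, MD5, PAP, the default community string). The embedded config excerpts are quoted from the two posts; the function names and the `WEAK_PATTERNS` table are this example's own choices.

```python
"""Added example (not from the thread): lint PIX 6.x remote-access VPN configs."""
import ipaddress
import re

# Excerpt of the IPsec sample from Shijo's post, embedded so this runs offline.
IPSEC_CFG = """\
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
ip local pool VPNPool 192.168.254.1 192.168.254.254
vpngroup rasvpngroup address-pool VPNPool
snmp-server community public
"""

# Excerpt of the PPTP sample from Patrick's post (note: no NAT exemption for the pool).
PPTP_CFG = """\
sysopt connection permit-pptp
ip local pool PPTPool 192.168.200.1-192.168.200.254
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP client configuration address local PPTPool
"""

# (regex, message) pairs for settings a reviewer would push back on; this table is our own.
WEAK_PATTERNS = [
    (r"^isakmp policy \d+ hash md5$", "IKE phase 1 integrity is MD5; use 'hash sha'"),
    (r"^isakmp policy \d+ encryption (des|3des)$",
     "IKE phase 1 cipher is DES/3DES; use AES where the image and licence allow"),
    (r"^isakmp policy \d+ group 1$", "IKE DH group 1 (768-bit); use group 2 or stronger"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des|md5-hmac)\b",
     "IPsec transform uses DES/3DES or MD5-HMAC"),
    (r"^vpdn group \S+ ppp authentication pap$",
     "PAP is allowed: the user password crosses the PPP link in cleartext"),
    (r"^snmp-server community (public|private)$", "default SNMP community string"),
]


def parse_pools(cfg):
    """Return {name: (first, last)} for 'ip local pool NAME A B' or 'NAME A-B'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+?)(?:-| )(\S+)$", cfg, re.M):
        pools[m.group(1)] = (m.group(2), m.group(3))
    return pools


def nat_exempt_networks(cfg, iface="inside"):
    """Destination networks of every ACL bound with 'nat (iface) 0 access-list NAME'."""
    nets = []
    for m in re.finditer(rf"^nat \({iface}\) 0 access-list (\S+)$", cfg, re.M):
        acl = re.escape(m.group(1))
        for a in re.finditer(rf"^access-list {acl} permit ip \S+ \S+ (\S+) (\S+)$", cfg, re.M):
            # ipaddress accepts 'network/netmask'; strict=False tolerates host bits set
            nets.append(ipaddress.ip_network(f"{a.group(1)}/{a.group(2)}", strict=False))
    return nets


def pools_missing_nat_exemption(cfg):
    """Names of pools whose whole range is not inside some NAT-exempt destination network."""
    nets = nat_exempt_networks(cfg)
    missing = []
    for name, (first, last) in parse_pools(cfg).items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in n and hi in n for n in nets):
            missing.append(name)
    return missing


def weak_settings(cfg):
    """Return [(config line, message)] for every line matching WEAK_PATTERNS."""
    findings = []
    for line in cfg.splitlines():
        for pattern, message in WEAK_PATTERNS:
            if re.match(pattern, line):
                findings.append((line, message))
    return findings


def lint(cfg):
    """Both checks combined into one list of readable findings."""
    report = [f"pool {p} has no nat 0 exemption" for p in pools_missing_nat_exemption(cfg)]
    report += [f"{line}: {msg}" for line, msg in weak_settings(cfg)]
    return report


if __name__ == "__main__":
    for label, cfg in (("IPsec sample", IPSEC_CFG), ("PPTP sample", PPTP_CFG)):
        print(f"== {label}")
        for finding in lint(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against your own `write terminal` output (save it to a file and pass its contents to `lint`) before going live: the pool/NAT check is the one that produces a tunnel that comes up but passes no traffic, and the pattern table is where you add your own house rules.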
10-19-2005 09:31 AM
Okay, I will try this tomorrow...
Thanks!
10-19-2005 09:46 AM
I haven't used the Cisco VPN Client before. Is it free, or do I have to purchase the software? What else do I have to do on the external WinXP client and the internal WinXP client?
10-19-2005 03:12 PM
I think it is free, but you need to have a valid Cisco maintenance contract, called a SmartNet, to be able to download it from Cisco's web site.
http://www.cisco.com/kobayashi/sw-center/vpn/client/
http://www.cisco.com/cgi-bin/tablebuild.pl/windows
sincerely
Patrick