Pix 501 as VPN-server...

j.fransson
Level 1

Hi!

I wonder if I can use the Pix501 as a VPN server? I want to connect to my local LAN from the Internet without using any RAS servers on the inside. Is this possible?

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname *********
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

5 Replies

shijogeorge
Level 1

Hi,

Yes, you can configure the PIX as the VPN server and connect using the Cisco VPN Client from outside.

Please find a sample PIX config for the same.

---------------------------

sysopt connection permit-ipsec
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list DYN-VPN-ACL permit ip 192.168.100.0 255.255.255.0 192.168.254.0 255.255.255.0
aaa-server LOCAL protocol local
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map client-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map client-map client authentication LOCAL
crypto map client-map isakmp authorization LOCAL
crypto map client-map client configuration address respond
crypto map client-map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool 192.168.254.1-192.168.254.254
vpngroup rasvpngroup address-pool VPNPool
vpngroup rasvpngroup dns-server dns2 dns1
vpngroup rasvpngroup default-domain cisco.com
vpngroup rasvpngroup idle-time 1800
vpngroup rasvpngroup password xxxxxxx
vpngroup rasvpngroup acl DYN-VPN-ACL
username cisco password cisco123

HTH

Regards,

Shijo George.

Or you could use PPTP instead of IPsec VPN; that way you could use the Microsoft VPN functionality that is built in instead of a VPN client from Cisco.

I personally prefer the IPsec option with the VPN Client, but it is your choice.

Example config for PPTP VPN:

fixup protocol pptp 1723
# Access list for dynamic VPN users; if the client connects from a fixed IP, then restrict the source IP.
access-list acs-outside permit tcp any host PPTP-Public eq pptp
access-list acs-outside permit gre any host PPTP-Public
access-group acs-outside in interface outside
# Or use sysopt, which ignores the access-lists and lets the protocol through:
sysopt connection permit-pptp
static (inside,outside) PPTP-Public PPTP-Local-Server-IP netmask 255.255.255.255 0 0
ip local pool PPTPool 192.168.200.1-192.168.200.254
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP client configuration address local PPTPool
vpdn group PPTP client configuration dns 192.168.1.100
vpdn group PPTP client configuration wins 192.168.1.101
vpdn group PPTP client authentication local
vpdn username user password userpassword

sincerely

Patrick
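As an added example that is not part of this thread or Cisco's own tooling: a small Python checker that scans PIX 6.x config lines such as those in Shijo's IPsec remote-access sample and Patrick's PPTP sample above and flags settings a defender would want to revisit (3DES/MD5 crypto, DH group 2, PAP/CHAP/MS-CHAP over PPTP, the default "public" SNMP community, the open conduit, and the sysopt ACL bypass). The rule list and the embedded sample lines are my own assumptions, assembled from the thread rather than taken from a real device.

```python
import re

# Audit rules, assumed for this example: each pattern is matched against one
# stripped config line. They cover settings seen in the thread's sample configs.
RULES = [
    (r"^snmp-server community public\b", "default SNMP community 'public'"),
    (r"^conduit permit \S+ any any\b", "legacy conduit open from any source to any host"),
    (r"^sysopt connection permit-(ipsec|pptp)\b", "VPN traffic bypasses the outside ACL"),
    (r"^crypto ipsec transform-set \S+ .*esp-(3des|des)\b", "legacy IPsec cipher"),
    (r"^crypto ipsec transform-set \S+ .*esp-md5-hmac\b", "MD5 IPsec integrity"),
    (r"^isakmp policy \d+ encryption (3des|des)\b", "legacy IKE cipher"),
    (r"^isakmp policy \d+ hash md5\b", "MD5 IKE hash"),
    (r"^isakmp policy \d+ group [12]\b", "small Diffie-Hellman group"),
    (r"^vpdn group \S+ ppp authentication pap\b", "PAP sends the PPP password in cleartext"),
    (r"^vpdn group \S+ ppp authentication (chap|mschap)\b", "CHAP/MS-CHAP over PPTP is weak"),
]


def audit_pix_config(config: str) -> list:
    """Return (line_no, line, reason) for every config line that trips a rule."""
    findings = []
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("!", "#")):  # skip blanks and comments
            continue
        for pattern, reason in RULES:
            if re.match(pattern, line):
                findings.append((line_no, line, reason))
    return findings


# Constructed sample: lines lifted from the two replies above, not a full config.
SAMPLE_CONFIG = """\
snmp-server community public
conduit permit icmp any any
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
"""

if __name__ == "__main__":
    for line_no, line, reason in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {reason}: {line}")
```

Feed it a `show running-config` capture; the transform-set line deliberately trips two rules (cipher and integrity), so one line can yield more than one finding.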

Okay, I will try this tomorrow...

Thanks!

I haven't used the Cisco VPN Client before. Is it free, or do I have to purchase the software? What else do I have to do on the external WinXP client and the internal WinXP client?

I think it is free, but you need to have a valid Cisco maintenance contract, called a SmartNet, to be able to download it from Cisco's web site.

http://www.cisco.com/kobayashi/sw-center/vpn/client/

http://www.cisco.com/cgi-bin/tablebuild.pl/windows

sincerely

Patrick