
Pix 501 as VPN-server...


I wonder if I can use the Pix501 as a VPN server? I want to connect to my local LAN from the Internet without using any RAS servers on the inside. Is this possible?

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd **************** encrypted
hostname *********
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
conduit permit icmp any any
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80



Yes, you can configure the PIX as the VPN server and connect using the Cisco VPN client from outside.

Please find a sample PIX config for the same.


sysopt connection permit-ipsec
access-list NONAT permit ip
nat (inside) 0 access-list NONAT
access-list DYN-VPN-ACL permit ip
aaa-server LOCAL protocol local
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map client-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map client-map client authentication LOCAL
crypto map client-map isakmp authorization LOCAL
crypto map client-map client configuration address respond
crypto map client-map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool
vpngroup rasvpngroup address-pool VPNPool
vpngroup rasvpngroup dns-server dns2 dns1
vpngroup rasvpngroup default-domain
vpngroup rasvpngroup idle-time 1800
vpngroup rasvpngroup password xxxxxxx
vpngroup rasvpngroup acl DYN-VPN-ACL
username cisco password cisco123



Shijo George.


Or you could use PPTP instead of an IPsec VPN; that way you could use the Microsoft VPN functionality that is built in, instead of a VPN client from Cisco.

Personally I prefer the IPsec option with the VPN Client, but it is your choice.

Example config for PPTP VPN:

fixup protocol pptp 1723
# Access list for dynamic VPN users. If the clients connect from a fixed IP, restrict the source IP.
access-list acs-outside permit tcp any host PPTP-Public eq pptp
access-list acs-outside permit gre any host PPTP-Public
access-group acs-outside in interface outside
# Or use sysopt, which ignores the access lists and lets the protocol through:
sysopt connection permit-pptp
static (inside,outside) PPTP-Public PPTP-Local-Server-IP netmask 255.255.255.255 0 0
ip local pool PPTPool
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP client configuration address local PPTPool
vpdn group PPTP client configuration dns
vpdn group PPTP client configuration wins
vpdn group PPTP client authentication local
vpdn username user password userpassword
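Both sample configs above (the IPsec remote-access one and the PPTP one) are chains of objects that refer to each other by name: the dynamic map points at an ACL and a transform-set, the crypto map at the dynamic map and an AAA server, the vpngroup and vpdn group at an address pool, and the crypto map must finally be applied to an interface that also has ISAKMP enabled. A typo in any one name (or a forgotten "crypto map ... interface outside") silently breaks the tunnel. The following Python checker is an added example, not code from this thread or from Cisco: it parses a PIX 6.3 config as text, resolves those references, and also flags the settings a reviewer would question today (MD5/3DES, PAP, and the sysopt lines that bypass the interface ACLs, as the post above notes). The config text is constructed from the two posted snippets; the 192.168.x.x networks and pool ranges are made up to fill in the values the posts left blank.

```python
"""Cross-reference and weak-setting check for a PIX 6.3 remote-access VPN config.

Added example (not from the thread). SAMPLE_CONFIG is built from the IPsec and
PPTP snippets posted above; the 192.168.x.x addresses and pool ranges are
constructed placeholders for the values the posts elided.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list DYN-VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
aaa-server LOCAL protocol local
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map client-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map client-map client authentication LOCAL
crypto map client-map interface outside
isakmp enable outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
ip local pool VPNPool 192.168.100.1-192.168.100.50
vpngroup rasvpngroup address-pool VPNPool
vpngroup rasvpngroup acl DYN-VPN-ACL
ip local pool PPTPool 192.168.101.1-192.168.101.20
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP client configuration address local PPTPool
"""

# (object kind, regex whose group 1 is the name this line DEFINES)
DEF_PATTERNS = [
    ("access-list",   re.compile(r"^access-list (\S+) ")),
    ("transform-set", re.compile(r"^crypto ipsec transform-set (\S+) ")),
    ("dynamic-map",   re.compile(r"^crypto dynamic-map (\S+) \d+ ")),
    ("crypto-map",    re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")),
    ("pool",          re.compile(r"^ip local pool (\S+)")),
    ("aaa-server",    re.compile(r"^aaa-server (\S+) protocol ")),
]
# (object kind, regex whose group 1 is the name this line REFERS TO)
REF_PATTERNS = [
    ("access-list",   re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)")),
    ("transform-set", re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set (\S+)")),
    ("dynamic-map",   re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)")),
    ("aaa-server",    re.compile(r"^crypto map \S+ (?:client|isakmp) auth\w+ (\S+)")),
    ("access-list",   re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("access-list",   re.compile(r"^vpngroup \S+ acl (\S+)")),
    ("pool",          re.compile(r"^vpngroup \S+ address-pool (\S+)")),
    ("pool",          re.compile(r"^vpdn group \S+ client configuration address local (\S+)")),
]
# Settings worth a second look by today's standards (the thread is from the 3DES/MD5 era).
WEAK_PATTERNS = [
    (re.compile(r"^isakmp policy \d+ hash md5$"), "IKE hash md5"),
    (re.compile(r"^isakmp policy \d+ encryption (?:3des|des)$"), "IKE encryption des/3des"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*esp-(?:des|md5-hmac)"), "weak IPsec transform"),
    (re.compile(r"^vpdn group \S+ ppp authentication pap$"), "PAP allowed (password sent in clear)"),
    (re.compile(r"^sysopt connection permit-(?:ipsec|pptp)$"), "sysopt bypasses interface ACLs for VPN traffic"),
]


def check_config(text):
    """Return {'missing': [(kind, name, line)], 'weak': [(reason, line)]}."""
    defined = defaultdict(set)
    referenced = []          # (kind, name, line) in config order
    weak = []
    bound = {}               # crypto map name -> interface it is applied to
    isakmp_on = set()        # interfaces with 'isakmp enable'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!:":      # comment lines as used in the posted snippets
            continue
        for kind, pat in DEF_PATTERNS:
            m = pat.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, pat in REF_PATTERNS:
            m = pat.match(line)
            if m:
                referenced.append((kind, m.group(1), line))
        for pat, reason in WEAK_PATTERNS:
            if pat.match(line):
                weak.append((reason, line))
        m = re.match(r"^crypto map (\S+) interface (\S+)$", line)
        if m:
            bound[m.group(1)] = m.group(2)
        m = re.match(r"^isakmp enable (\S+)$", line)
        if m:
            isakmp_on.add(m.group(1))
    missing = [(k, n, ln) for k, n, ln in referenced if n not in defined[k]]
    # A crypto map never applied to an interface does nothing, and an applied
    # one still needs ISAKMP enabled on that interface before IKE will answer.
    for cmap in sorted(defined["crypto-map"]):
        iface = bound.get(cmap)
        if iface is None:
            missing.append(("interface binding", cmap, f"crypto map {cmap} interface ..."))
        elif iface not in isakmp_on:
            missing.append(("isakmp enable", iface, f"isakmp enable {iface}"))
    return {"missing": missing, "weak": weak}


if __name__ == "__main__":
    for section, items in check_config(SAMPLE_CONFIG).items():
        print(f"{section}: {'none' if not items else ''}")
        for item in items:
            print("   ", *item)
```

Run against the constructed config, "missing" comes back empty and "weak" lists the five findings above; delete the transform-set line or the "crypto map client-map interface outside" line from a copy of the config and the corresponding dangling reference or unbound crypto map shows up under "missing". The checker is deliberately line-oriented and regex-based, which is enough for a 6.3-era config where each object is a single line; it does not try to validate the ACL contents or the pool ranges themselves.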




Okay, I will try this tomorrow...



I haven't used the Cisco VPN Client before. Is it free or do I have to purchase the software? What else do I have to do on the external WinXP client and the internal WinXP client?


I think it is free, but you need to have a valid Cisco maintenance contract, called a SmartNet, to be able to download it from Cisco's web site.