PIX 515 VPN config

Discussion in 'Cisco' started by CFSSMB, Dec 11, 2003.

  1. CFSSMB

    CFSSMB Guest

    Greetings everyone. I've just recently begun learning the PIX config
    as our network guy was fired, so me being a programmer somehow got
    tasked with taking over management of the PIX and setting up a VPN.
    I've looked all over Cisco's site for configuration examples but my
    networking ignorance has me stumped. Basically here is what our
    network consists of: a PIX 515R running version 6.3.3 configured with
    3 interfaces, outside, dmz, inside. I would like this to be as simple
    as possible and I currently have version 4.0.2 of Cisco's VPN client.
    Our people will have access to the Internet through high speed
    DSL/Cable and then use the VPN to connect to the corp network for
    email and such. Any help is appreciated. PIX Config is as follows:
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password ************ encrypted
    passwd *********** encrypted
    hostname thepix
    fixup protocol dns maximum-length 512
    no fixup protocol ftp 21
    no fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    no fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list aclout permit tcp any host *.*.*.* eq smtp
    access-list aclout permit tcp any host *.*.*.* eq imap4
    access-list aclout permit tcp any host *.*.*.* eq pop3
    access-list aclout permit tcp any host *.*.*.* eq www
    access-list aclout permit tcp any host *.*.*.* eq https
    access-list aclout permit tcp any host *.*.*.* eq domain
    access-list aclout permit udp any host *.*.*.* eq domain
    access-list aclout permit tcp any host *.*.*.* eq https
    access-list aclout permit tcp any host *.*.*.* eq www
    access-list aclout permit tcp any host *.*.*.* eq smtp
    access-list aclout permit tcp any host *.*.*.* eq pop3
    access-list aclout permit tcp any host *.*.*.* eq imap4
    access-list aclout permit tcp any host *.*.*.* eq https
    access-list aclout permit tcp any host *.*.*.* eq www
    access-list aclout permit tcp any host *.*.*.* eq www
    access-list aclout permit tcp any host *.*.*.* eq https
    access-list aclout permit tcp any host *.*.*.* eq 13700
    access-list aclout permit tcp any host *.*.*.* eq 13800
    access-list aclout permit tcp any host *.*.*.* eq www
    access-list aclout permit tcp any host *.*.*.* eq https
    access-list aclout permit tcp any host *.*.*.* eq 13700
    access-list aclout permit tcp any host *.*.*.* eq 13800
    access-list aclout permit tcp any host *.*.*.* eq www
    access-list aclout permit tcp any host *.*.*.* eq https
    access-list acldmz permit tcp any host 10.1.1.30 eq 1433
    access-list acldmz permit tcp any host 10.1.1.20 eq 1433
    access-list acldmz permit tcp any host 10.1.1.22 eq 1433
    access-list acldmz permit tcp any host 10.1.1.5 eq https
    access-list acldmz permit tcp any host 10.1.1.5 eq www
    access-list acldmz permit tcp any host 10.1.1.24 eq smtp
    access-list acldmz permit tcp any host 10.1.1.4 eq netbios-ssn
    access-list acldmz permit udp any host 10.1.1.4 eq netbios-ns
    access-list acldmz permit udp any host 10.1.1.4 eq netbios-dgm
    pager lines 14
    logging on
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside *.*.*.* 255.255.255.240
    ip address inside 192.168.100.27 255.255.255.0
    ip address dmz 10.1.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    pdm history enable
    arp timeout 14400
    global (outside) 1 *.*.*.*-*.*.*.* netmask 255.255.255.240
    global (outside) 1 *.*.*.* netmask 255.255.255.240
    global (dmz) 1 10.1.1.100-10.1.1.200 netmask 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) *.*.*.* 10.1.1.2 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.20 192.168.100.46 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.22 192.168.100.38 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.* 10.1.1.3 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.4 192.168.100.4 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.5 192.168.100.29 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.30 192.168.100.35 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.* 10.1.1.7 netmask 255.255.255.255 0 0
    static (inside,outside) *.*.*.* 192.168.100.32 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.* 10.1.1.8 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.24 192.168.100.24 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.* 10.1.1.5 netmask 255.255.255.255 0 0
    static (inside,outside) *.*.*.* 192.168.100.31 netmask 255.255.255.255 0 0
    access-group aclout in interface outside
    access-group acldmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community front4309
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.100.174 255.255.255.255 inside
    telnet 192.168.100.0 255.255.255.0 inside
    telnet 192.168.100.0 255.255.255.0 dmz
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    terminal width 80
    CFSSMB, Dec 11, 2003
    #1

  2. In article <>,
    CFSSMB <> wrote:
    :Greetings everyone. I've just recently begun learning the PIX config
    :as our network guy was fired, so me being a programmer somehow got
    :tasked with taking over management of the PIX and setting up a VPN.
    :I've looked all over Cisco's site for configuration examples but my
    :networking ignorance has me stumped. Basically here is what our
    :network consists of: a PIX 515R running version 6.3.3 configured with
    :3 interfaces, outside, dmz, inside. I would like this to be as simple
    :as possible and I currently have version 4.0.2 of Cisco's VPN client.
    :Our people will have access to the Internet through high speed
    :DSL/Cable and then use the VPN to connect to the corp network for
    :email and such. Any help is appreciated. PIX Config is as follows:

    You didn't actually say what the question is. Looking over your
    config, it seems likely the question is "How do I allow the VPN clients
    to connect"? If so, then I suggest you load pdm (if it is not
    already loaded) and then execute the 'setup' command to configure
    a host to allow pdm from, and then use pdm to configure the VPN clients.
    --
    I wrote a hack in microcode,
    with a goto on each line,
    it runs as fast as Superman,
    but not quite every time! -- Dave Touretzky and Don Libes
    Walter Roberson, Dec 11, 2003
    #2

  3. CFSSMB

    CFSSMB Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<br9009$api$>...
    > In article <>,
    > CFSSMB <> wrote:
    >
    > You didn't actually say what the question is. Looking over your
    > config, it seems likely the question is "How do I allow the VPN clients
    > to connect"? If so, then I suggest you load pdm (if it is not
    > already loaded) and then execute the 'setup' command to configure
    > a host to allow pdm from, and then use pdm to configure the VPN clients.


    Sorry about not being clear. Yes, I want to allow the 4.0.2 VPN
    clients to connect to the 515 PIX. I'm completely new to this stuff
    and I really just want to get this done ASAP. I found this on the
    previous networking guy's machine. Will this work, or do I need to
    make changes to it, and if so, what changes? Thanks again for your
    help.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password udz4IzQE82ZuVZwG encrypted
    passwd udz4IzQE82ZuVZwG encrypted
    hostname paculpix
    fixup protocol dns maximum-length 512
    no fixup protocol ftp 21
    no fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    no fixup protocol rsh 514
    fixup protocol rtsp 554
    no fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list aclout permit tcp any host *.*.*.53 eq smtp
    access-list aclout permit tcp any host *.*.*.53 eq imap4
    access-list aclout permit tcp any host *.*.*.53 eq pop3
    access-list aclout permit tcp any host *.*.*.53 eq www
    access-list aclout permit tcp any host *.*.*.53 eq https
    access-list aclout permit tcp any host *.*.*.53 eq domain
    access-list aclout permit udp any host *.*.*.53 eq domain
    access-list aclout permit tcp any host *.*.*.56 eq https
    access-list aclout permit tcp any host *.*.*.56 eq www
    access-list aclout permit tcp any host *.*.*.55 eq smtp
    access-list aclout permit tcp any host *.*.*.55 eq pop3
    access-list aclout permit tcp any host *.*.*.55 eq imap4
    access-list aclout permit tcp any host *.*.*.58 eq https
    access-list aclout permit tcp any host *.*.*.58 eq www
    access-list aclout permit tcp any host *.*.*.54 eq www
    access-list aclout permit tcp any host *.*.*.54 eq https
    access-list aclout permit tcp any host *.*.*.54 eq 13700
    access-list aclout permit tcp any host *.*.*.54 eq 13800
    access-list aclout permit tcp any host *.*.*.52 eq www
    access-list aclout permit tcp any host *.*.*.52 eq https
    access-list aclout permit tcp any host *.*.*.51 eq 13700
    access-list aclout permit tcp any host *.*.*.51 eq 13800
    access-list aclout permit tcp any host *.*.*.51 eq www
    access-list aclout permit tcp any host *.*.*.51 eq https
    access-list aclout permit tcp any host *.*.*.58 eq 3389
    access-list acldmz permit tcp any host 10.1.1.30 eq 1433
    access-list acldmz permit tcp any host 10.1.1.20 eq 1433
    access-list acldmz permit tcp any host 10.1.1.22 eq 1433
    access-list acldmz permit tcp any host 10.1.1.5 eq https
    access-list acldmz permit tcp any host 10.1.1.5 eq www
    access-list acldmz permit tcp any host 10.1.1.24 eq smtp
    access-list acldmz permit tcp any host 10.1.1.4 eq netbios-ssn
    access-list acldmz permit udp any host 10.1.1.4 eq netbios-ns
    access-list acldmz permit udp any host 10.1.1.4 eq netbios-dgm
    access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.172.0 255.255.255.0
    pager lines 14
    logging on
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside *.*.*.50 255.255.255.240
    ip address inside 192.168.100.27 255.255.255.0
    ip address dmz 10.1.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.172.1-192.168.172.254
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    pdm history enable
    arp timeout 14400
    global (outside) 1 *.*.*.59-*.*.*.60 netmask 255.255.255.240
    global (outside) 1 *.*.*.61 netmask 255.255.255.240
    global (dmz) 1 10.1.1.100-10.1.1.200 netmask 255.255.255.0
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) *.*.*.58 10.1.1.2 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.20 192.168.100.46 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.22 192.168.100.38 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.51 10.1.1.3 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.4 192.168.100.4 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.5 192.168.100.29 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.30 192.168.100.35 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.56 10.1.1.7 netmask 255.255.255.255 0 0
    static (inside,outside) *.*.*.55 192.168.100.32 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.52 10.1.1.8 netmask 255.255.255.255 0 0
    static (inside,dmz) 10.1.1.24 192.168.100.24 netmask 255.255.255.255 0 0
    static (dmz,outside) *.*.*.54 10.1.1.5 netmask 255.255.255.255 0 0
    static (inside,outside) *.*.*.53 192.168.100.31 netmask 255.255.255.255 0 0
    access-group aclout in interface outside
    access-group acldmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 *.*.*.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community front4309
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set vpnset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set vpnset
    crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
    crypto map vpnmap client configuration address initiate
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local vpnpool outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn-all address-pool vpnpool
    vpngroup vpn-all wins-server 192.168.100.1
    vpngroup vpn-all default-domain password
    vpngroup vpn-all idle-time 1800
    vpngroup vpn-all password ********
    telnet 192.168.100.174 255.255.255.255 inside
    telnet 192.168.100.0 255.255.255.0 inside
    telnet 192.168.100.0 255.255.255.0 dmz
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto required
    vpdn group 1 client configuration address local vpnpool
    vpdn group 1 client configuration wins 192.168.100.1
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username ******* password ********
    vpdn enable outside
    terminal width 80
    CFSSMB, Dec 11, 2003
    #3
  4. In article <>,
    CFSSMB <> wrote:
    :Sorry about not being clear. Yes, I want to allow the 4.0.2 VPN
    :clients to connect to the 515 PIX. I'm completely new to this stuff
    :and I really just want to get this done ASAP. I found this on the
    :previous networking guy's machine. Will this work, or do I need to
    :make changes to it, and if so, what changes?

    :PIX Version 6.3(3)

    The Cisco Output Interpreter says that the configuration is
    fairly self-consistent. I haven't examined it myself to see whether
    it will work.

    The Output Interpreter recommends turning on ip verify reverse-path;
    recommends hard-coding the interface speeds; changing the xlate
    timeout to be no more than 1 hour; configuring a console timeout;
    and suggests you might want to turn on access-list compilation
    for aclout. Oh, yes, and it recommends logging off-machine
    instead of to the console, especially when you are using 'debugging'
    level of logging.
    --
    Cannot open .signature: Permission denied
    Walter Roberson, Dec 11, 2003
    #4
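To make the Output Interpreter findings in the reply above concrete, here is an added Python check (not from this thread or from Cisco's tool) that scans a constructed excerpt of the posted config for the same six points: auto-negotiated interfaces, missing ip verify reverse-path, an xlate timeout above one hour, console timeout 0, debug-level console/monitor logging with no syslog host, and access-lists bound to an interface that are not compiled. It assumes PIX 6.x syntax for `logging host` and `access-list compiled`.

```python
import re

# Constructed excerpt of the PIX 6.3(3) config posted above, trimmed to the lines the findings refer to.
SAMPLE_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
logging console debugging
logging monitor debugging
timeout xlate 3:00:00
access-group aclout in interface outside
access-group acldmz in interface dmz
console timeout 0
"""


def to_seconds(hms):
    """Convert a PIX h:mm:ss timeout value to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def lint_pix(config):
    """Return the Output Interpreter style findings for a PIX 6.x config as a list of strings."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # Interfaces left on auto-negotiation: hard-code speed/duplex instead.
    findings += [f"{ln.split()[1]}: speed/duplex is auto; hard-code it"
                 for ln in lines if re.match(r"interface \S+ auto$", ln)]
    # Unicast RPF (ip verify reverse-path) is per interface; flag each named interface lacking it.
    names = [ln.split()[2] for ln in lines if ln.startswith("nameif ")]
    findings += [f"{n}: ip verify reverse-path not enabled"
                 for n in names if f"ip verify reverse-path interface {n}" not in lines]
    # The xlate timeout should be no more than one hour.
    for ln in lines:
        m = re.match(r"timeout xlate (\d+:\d\d:\d\d)$", ln)
        if m and to_seconds(m.group(1)) > 3600:
            findings.append(f"timeout xlate {m.group(1)} exceeds 1 hour")
    # console timeout 0 means an attached console session never expires.
    if "console timeout 0" in lines:
        findings.append("console timeout is 0 (never expires)")
    # Debug-level logging to console/monitor with no syslog host ('logging host') configured.
    has_syslog = any(ln.startswith("logging host ") for ln in lines)
    for ln in lines:
        if ln in ("logging console debugging", "logging monitor debugging") and not has_syslog:
            findings.append(f"{ln}: log off-box instead (no 'logging host' set)")
    # Turbo ACL: an access-list bound to an interface can be compiled (globally or per list).
    compiled = "access-list compiled" in lines
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface", ln)
        if m and not compiled and f"access-list {m.group(1)} compiled" not in lines:
            findings.append(f"{m.group(1)}: consider 'access-list {m.group(1)} compiled'")
    return findings
```

Run against the excerpt it reports all twelve findings; against a copy with the interfaces hard-coded, a one-hour xlate timeout, a console timeout, a `logging host` and `access-list compiled` plus `ip verify reverse-path` on each interface, it reports none.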
