PIX 501 VPN and Windows 2000

Discussion in 'Cisco' started by d8da, Mar 25, 2005.

  1. d8da

    d8da Guest

    Help, please! This is my first PIX Firewall and VPN config...

    I am setting up a VPN for a small company of 5 employees. They have a
    PIX 501 with vers 6.3(1), a 16-port switch, 3 servers(Windows 2000 and
    2003). One Windows 2000 server has the MS Exchange and Active directory
    setup and is the Domain Controller with DNS and WINS server setup. They
    are currently able to get mail through https...

    I want to setup VPN access using the features from the PIX. Scenario:

    Client(outside)---->PIX/VPN--->MS DC server--->Internal network

    So I want the client at home to connect to the PIX, have the PIX do the
    inital auth, then go to the Windows DC and allow users auth and access
    to internal servers and desktop to do work.

    My dilemma is:

    1> deciding how to configure the PIX to work with windows clients on
    the outside interface and which vpn client to use other than the CISCO
    VPN Client(which did not come with the software)

    2> the proper config on the PIX to work as the end point or the through
    to the windows 2000 server with the active directory.

    I have read other posts similar to this question, I have searched and
    read docs on cisco, I have googled, etc. Now I would appreciate human

    d8da, Mar 25, 2005
    1. Advertisements

  2. I'm not 100% sure what you are asking with the DC doing Auth. If you want it
    to be part of the VPN, then you are in for a fun Ride. (-;

    If you just want it for general Windows Auth, then you are in pretty good

    The First VPN I've set up on a PIX was a PPTP VPN. This type is pretty
    simple and easy to setup on the PIX and MS Windows 2000 and better have a
    built in PPTP Client. If you are interested in help setting up a PPTP VPN on
    the PIX, let me know and I can shoot over some Sample code.

    Once the PPTP VPN is in place, the remote client just becomes a node on the
    network there at your office. So if you have WINS, DNS Set up at the office,
    the IPs can be sent to the Client and it will act just like you were there
    at the office. So connecting to a server is as easy as \\server-name\share

    Scott Townsend, Mar 25, 2005
    1. Advertisements

  3. d8da

    d8da Guest


    I would greatly appreciate help setting up this way. If it has been
    done and proven I am game to try it. I want to setup the VPN as
    painless as possible since this is my first VPN and hands-on with PIX.
    So send me the info and any notes you have from your experience.

    I currently have it setup through the VPN wizard as Microsoft L2TP with
    CHAP using local VPDN and certificates. But this was just setup to
    actually "try" something instead of sitting there looking at the box
    and doing nothing, LOL. And as for the client, I am looking for
    something so a remote user working from home or a laptop on the road
    can easily configure their system. I have used RealVNC with my previous
    company along with an IP address to enter in the browser to get to the
    VPN...I was not part of the actual setup, so basically I am looking to
    do a similar thing.

    Thanks for helping.
    d8da, Mar 25, 2005
  4. Its hard to tell since I have IPSec stuff as well as my PPTP in my PIX, but
    I believe this is all you need for PPTP.
    ip local pool remoteVPN

    route outside <outside Default GW IP Address> 2

    sysopt connection permit-pptp

    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
    vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
    vpdn group PPTP-VPDN-GROUP client configuration dns <IP-DNS-Server1>
    vpdn group PPTP-VPDN-GROUP client configuration wins <IP-WINS-Server1>
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local

    vpdn enable outside

    vpdn username <username> password <password>
    You will have to Fill in:
    outside Default GW IP Address
    IP-DNS-Server2 (or remove if you only have 1)
    IP-WINS-Server2 (or remove if you only have 1)

    On the PC Side, create a new Connection, Connect to VPN/MyWork Place.
    Put in the IP address of the Public side of the PIX,
    I thn go into the properties, TCP/IP Properties, Advanced, and then uncheck
    the Use Remote Gateway. This will allow you to use the Internet while still
    connected to the VPN.

    Give that a whirl and see if that works. Feel free to email me at
    <firstname>-i (AT) enm.com

    Scott Townsend, Mar 25, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.