PIX 515E vpn configuration

mcx-india
Level 1

Hi, can anybody help me to know whether it is possible to configure both site-to-site VPN and remote access VPN on a single interface (outside) on PIX 515E? If yes, can anybody provide the configuration for the same?

2 Replies

jjoseph01
Level 3

Hi, the answer is yes, you can have both site-to-site and remote access at the same time. Take a look at this example below, maybe this will help some.

config t
!
! These access lists define what traffic should be routed through the VPN tunnel
access-list 101 permit ip [INSIDE NETWORK] [INSIDE MASK] [REMOTE NETWORK] [REMOTE MASK]
access-list nonat permit ip [INSIDE NETWORK] [INSIDE MASK] 192.168.172.0 255.255.255.0
access-list nonat permit ip [INSIDE NETWORK] [INSIDE MASK] [REMOTE NETWORK] [REMOTE MASK]
!
nat (inside) 0 access-list nonat
!
sysopt connection permit-ipsec
sysopt connection permit-pptp
!
ip local pool vpnpool 192.168.172.1-192.168.172.254
!
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication pre-share
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp identity address
isakmp key 0123456789 address [REMOTE PIX] netmask 255.255.255.255
isakmp key 0123456789 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
!
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer [REMOTE PIX]
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
!
! The vpngroup command is used to configure a VPN tunnel that will use the
! Cisco VPN Client. If you intend to only use the Microsoft VPN Client, this
! section may be left out
vpngroup [VPNGROUP] address-pool vpnpool
vpngroup [VPNGROUP] dns-server [DNS]
vpngroup [VPNGROUP] wins-server [WINS]
vpngroup [VPNGROUP] default-domain [DOMAIN]
vpngroup [VPNGROUP] idle-time 1800
vpngroup [VPNGROUP] password [VPNGROUPPW]
!
! The vpdn command is used to configure a VPN tunnel that will use the
! Microsoft VPN Client. If you intend to only use the Cisco VPN client, this
! section may be left out
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns [DNS]
vpdn group 1 client configuration wins [WINS]
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
!
! The following line can be repeated to configure the user names and passwords
! for users needing VPN access with the Microsoft VPN Client
vpdn username [VPN USER] password [VPN PASSWORD]
vpdn enable outside
!
exit
wri mem
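
The configuration in the reply above selects DES, MD5, Diffie-Hellman group 1, a pre-shared key bound to 0.0.0.0 and PAP, all of which are weak settings. As an added example (not part of the original reply), this Python check flags those lines in a config written in the same syntax; the rule names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: a few lines in the syntax used in the reply above.
SAMPLE = """\
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 group 2
isakmp key 0123456789 address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
vpdn group 1 ppp authentication pap
vpdn group 1 ppp encryption mppe auto required
"""

# (rule id, pattern, reason). The rule ids are hypothetical names for this example.
RULES = [
    ("IKE-DES", r"^isakmp policy \d+ encryption des$", "single DES protects the IKE exchange"),
    ("IKE-MD5", r"^isakmp policy \d+ hash md5$", "MD5 used as the IKE hash"),
    ("IKE-DH1", r"^isakmp policy \d+ group 1$", "768-bit Diffie-Hellman group 1"),
    ("PSK-WILDCARD", r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$",
     "one pre-shared key accepted from any peer address"),
    ("ESP-DES", r"^crypto ipsec transform-set \S+ .*\besp-des\b", "single DES protects tunnel traffic"),
    ("ESP-MD5", r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "MD5 HMAC on tunnel traffic"),
    ("PPTP-PAP", r"^vpdn group \S+ ppp authentication pap$", "PAP sends the password in cleartext"),
]


def audit(config_text):
    """Return (line_number, rule_id, reason) for each weak setting found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" comment/separator lines
        for rule_id, pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((lineno, rule_id, reason))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, reason in audit(SAMPLE):
        print(f"line {lineno}: {rule_id}: {reason}")
```
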

yunis
Level 1

Thanks, Joseph