06-17-2010 03:34 PM
Hello,
I have been asked to work on a customer request to replace his non-Cisco FW with a PIX 525 and also to come up with a VPN solution using this PIX 525.
I am not a FW guy as my main experience is with routing/switching, but I did read some documentation and had some hands-on with a PIX 501 and the Cisco vpn300 client. I was able to bring up the VPN connection even if all tests did not pass (need to troubleshoot further).
Customer has his main site with an application running on a webserver that needs to be accessed only via VPN from a 3rd party and from a few remote users.
The solution I want to propose to customer is:
option 1:
PIX 525 as vpn server + Cisco vpn 3000 client on all remote users pcs.
option 2:
PIX 525 as vpn server + windows vpn client on all remote users pcs
option 3:
PIX 525 as vpn server + PIX 501 at 3rd party + windows vpn client on all remote users pcs
First I want you to confirm that those options are feasible. Then what option should I go for, knowing that there are only about 10 remote users?
Customer has no TACACS or RADIUS, so should I go for static userid/pass configured on the PIX 525?
Any idea, advice or suggestion is welcome. Thanks in advance.
Regards,
ngtelecom
06-17-2010 03:40 PM
Hi,
Option 1
I think this is the best solution because the PIX-525 will act as a Firewall and the VPN server.
Then all clients will connect via VPN using the Cisco IPsec VPN client software.
Option 2
The advantage of this option is that you don't need to install the software VPN on the clients (not a problem, just 10 clients)
The problem is that it does not come with split-tunneling and doesn't provide as good protection as the Cisco software.
Option 3
This is also valid and you can do an EasyVPN connection where the 525 is the server and the 501 the client.
Local authentication on the PIX-525 sounds fine.
As a recommendation, the PIXes are EoS and the replacements are the ASAs.
Hope it helps.
Federico.
06-23-2010 04:13 PM
First of all, thanks Franco for your advice.
I managed to set up a lab and was able to get VPN working with both PPTP and the Cisco VPN client.
I am now trying to understand NAT on the PIX. I have a web server (192.168.0.110) on the inside interface.
I want to permit access from the outside world (internet) to that server. I have only 1 public IP address (let's say from my lab 192.168.2.2), which I use on the outside interface.
I did the following:
fixup protocol http 80
access-list outside_in permit tcp any host 192.168.0.110 eq www
access-list inside_in permit tcp host 192.168.0.110 any eq www
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
Can I have your comments on this config and what is wrong? Any suggestion is welcome. Thanks again.
06-24-2010 03:07 PM
Hi again,
I fixed it with following config.
access-list 125 permit tcp any host 192.168.2.2 eq www
static (inside,outside) tcp 192.168.2.2 www 192.168.0.110 www netmask 255.255.255.255 0 0
access-group 125 in interface outside
Next step.. Configure easy VPN... PIX 501 to PIX 525, or VPN 3002 hardware client to PIX 525?
I need minimum impact on the remote LAN. So probably the VPN 3002.. What do you think about this?
Regards
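An added lint, not from the thread and not Cisco code, in Python: it parses the two PIX 6.x fragments posted above (constructed copies embedded inline) and reports the two defects in the first attempt, an outside-inbound ACL whose destination is the inside host's private address with no static translating it, and a nat 0 reference to an ACL the config never defines. The PIX 6.x behaviour it relies on is that outside ACLs are matched against the translated (global) address, which is why the working version names 192.168.2.2.

```python
import re
# Constructed sample in PIX 6.x syntax: the poster's first, non-working attempt.
BROKEN_CFG = """\
access-list outside_in permit tcp any host 192.168.0.110 eq www
ip address outside 192.168.2.2 255.255.255.0
nat (inside) 0 access-list 101
access-group outside_in in interface outside
"""
# Constructed sample: the working version from the follow-up post.
FIXED_CFG = """\
access-list 125 permit tcp any host 192.168.2.2 eq www
static (inside,outside) tcp 192.168.2.2 www 192.168.0.110 www netmask 255.255.255.255 0 0
access-group 125 in interface outside
"""

def _addr(t, i):
    """Parse one PIX address spec at t[i] ('any', 'host A' or 'A MASK'); return (addr, next)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2

def outside_acl_destinations(cfg):
    """(acl, destination) for each permit entry of an ACL applied inbound on outside."""
    lines = cfg.splitlines()
    bound = {m.group(1) for l in lines
             if (m := re.match(r"access-group (\S+) in interface outside", l))}
    out = []
    for l in lines:
        t = l.split()
        if len(t) > 5 and t[0] == "access-list" and t[1] in bound and t[2] == "permit":
            _, i = _addr(t, 4)               # skip the source spec
            out.append((t[1], _addr(t, i)[0]))
    return out

def audit_inbound(cfg):
    """Inbound permits whose destination has no 'static'. PIX 6.x matches outside ACLs on
    the translated (global) address, so a rule naming the inside host's private IP never hits."""
    statics = set()
    for l in cfg.splitlines():
        t = l.split()
        if t[:1] == ["static"]:              # static (in,out) [tcp|udp] GLOBAL ... LOCAL ...
            statics.add(t[3] if t[2] in ("tcp", "udp") else t[2])
    return [(acl, dst) for acl, dst in outside_acl_destinations(cfg)
            if dst != "any" and dst not in statics]

def dangling_nat_acls(cfg):
    """'nat (...) 0 access-list X' lines whose ACL X is never defined (ACL 101 above)."""
    lines = cfg.splitlines()
    defined = {l.split()[1] for l in lines if l.startswith("access-list ")}
    return [m.group(1) for l in lines
            if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)", l)) and m.group(1) not in defined]
```

Run `audit_inbound(BROKEN_CFG)` and `dangling_nat_acls(BROKEN_CFG)` to see both findings; the fixed fragment produces none.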
06-24-2010 03:12 PM
Hi,
You don't have an ASA 5505 or a small router for easy vpn client?
You can use either PIX or VPN3002 HW client, but both are discontinued.
Federico.
06-24-2010 03:25 PM
Hi,
No, I have no ASA. I am limited to old HW: a VPN 3002 and a PIX 501.
Do you think I can use a C837 with IPsec IOS (c837-k9o3y6-mz.122-13.ZH) to establish a VPN connection to the PIX 525? To be honest I did not check in that direction, I mean using a router as a VPN client..
Regards,
06-24-2010 03:35 PM
Yes, you can have the PIX-525 as the easy VPN server and the 800 router as the easy VPN client.
Federico.
06-24-2010 04:32 PM
Thanks again Federico.
I did configure the vpn3002 client hardware as per
So far so good. I can browse and telnet from a PC behind the VPN 3002 hardware client to the webserver and router on the LAN behind the PIX.
I just have to uncheck IPSec over TCP in the IPSec section on the VPN client.
I will document all I have done and present it to my boss/customer.
Will test later with c837.