PIX 525 config and VPN setup

ngtelecom
Level 1

Hello,

I have been asked to work on a customer request to replace his non-Cisco FW with a PIX 525 and also to come up with a VPN solution using this PIX 525.

I am not a FW guy as my main experience is with routing/switching, but I did read some documentation and had some hands-on with a PIX 501 and Cisco VPN 3000 client. I was able to bring up the VPN connection even if all tests did not pass (need to troubleshoot further).

Customer has his main site with an application running on a webserver that need to be accessed only via vpn from: 3rd party + from few remote users.

The solution I want to propose to customer is:

option 1: 

PIX 525 as vpn server + Cisco vpn 3000 client on all remote users pcs.

option 2:

PIX 525 as vpn server + windows vpn client on all remote users pcs

option 3:

PIX 525 as vpn server + PIX 501 at 3rd party + windows vpn client on all remote users pcs

First I want you to confirm that those options are feasible. Then, what option should I go for, knowing that remote users are only about 10?

Customer has no TACACS or RADIUS, so should I go for static userid/pass configured on the PIX 525?

Any idea, advice or suggestion is welcome. Thanks in advance.

Regards,

ngtelecom


7 Replies

Hi,

Option 1

I think it is the best solution because the PIX-525 will act as a Firewall and the VPN server.

Then all clients will connect via VPN using the Cisco IPsec VPN client software.

Option 2

The advantage of this option is that you don't need to install the software VPN on the clients (not a problem, just 10 clients).

The problem is that it does not come with split-tunneling and doesn't provide as good protection as the Cisco software.

Option 3

This is also valid and you can do an EasyVPN connection where the 525 is the server and the 501 the client.

Local authentication on the PIX-525 sounds fine.

As a recommendation, the PIXes are EoS and the replacements are the ASAs.

Hope it helps.

Federico.

First of all, thanks Franco for your advice.

I managed to set up a lab and was able to get VPN working with both PPTP and Cisco VPN.

I am now trying to understand NAT on the PIX. I have a web server (192.168.0.110) on the inside interface.

I want to permit access from the outside world (internet) to that server. I have only 1 public IP address (let's say from my lab 192.168.2.2) which I use on the outside interface.

I did the following:

fixup protocol http 80

access-list outside_in permit tcp any host 192.168.0.110 eq www
access-list inside_in permit tcp host 192.168.0.110 any eq www

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0

global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

Can I have your comments on this config and what is wrong? Any suggestion is welcome. Thanks again.

Hi again,

I fixed it with the following config.

access-list 125 permit tcp any host 192.168.2.2 eq www

static (inside,outside) tcp 192.168.2.2 www 192.168.0.110 www netmask 255.255.255.255 0 0

access-group 125 in interface outside

Next step: configure Easy VPN. PIX 501 to PIX 525, or VPN 3002 hardware client to PIX 525?

I need minimum impact on the remote LAN, so probably VPN 3002. What do you think about this?

Regards
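The difference between the first config and the fixed one is that, on this PIX, an ACL applied inbound on the outside interface has to permit the mapped (global) address, and a static is needed to translate that address to the inside host. The check below is an added example, not code from the thread or from Cisco: it parses the relevant PIX lines (constructed copies of both configs are embedded) and flags outside ACL entries that name an untranslated inside address. It assumes the pre-7.0 PIX semantics the poster's fix relies on, and only handles the `host`/`eq` ACL form and port-based `static` lines shown in the thread.

```python
import ipaddress
import re

# Constructed sample inputs: the poster's first (non-working) config and the fixed one.
BROKEN_CFG = """
access-list outside_in permit tcp any host 192.168.0.110 eq www
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
"""
FIXED_CFG = """
access-list 125 permit tcp any host 192.168.2.2 eq www
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
static (inside,outside) tcp 192.168.2.2 www 192.168.0.110 www netmask 255.255.255.255 0 0
access-group 125 in interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) permit (?:tcp|udp) (?:any|host \S+) host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
IFADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)")


def check_outside_acl(cfg):
    """Return findings for outside ACL entries that point at an untranslated inside host."""
    nets, statics, bound, acls = {}, {}, {}, []
    for line in cfg.strip().splitlines():
        if m := IFADDR_RE.match(line):
            nets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := STATIC_RE.match(line):
            statics[m[3]] = m[5]          # mapped (outside) address -> real inside address
        elif m := GROUP_RE.match(line):
            bound[m[1]] = m[2]            # ACL name -> interface it is applied on
        elif m := ACL_RE.match(line):
            acls.append((m[1], m[2], m[3]))
    findings = []
    for name, dest, port in acls:
        if bound.get(name) != "outside":
            continue                      # only inbound-on-outside ACLs use mapped addresses
        if dest in statics:
            continue                      # mapped address backed by a static: expected form
        host = ipaddress.ip_address(dest)
        if "inside" in nets and host in nets["inside"]:
            findings.append(f"{name}: {dest}/{port} is the real inside address; the outside ACL "
                            "must permit the mapped address and a static must map it to the host")
        else:
            findings.append(f"{name}: no static maps {dest}/{port} to an inside host")
    return findings
```

Running it over the first config yields one finding for 192.168.0.110; the fixed config yields none.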

Hi,

You don't have an ASA 5505 or a small router for Easy VPN client?

You can use either PIX or VPN 3002 HW client, but both are discontinued.

Federico.

Hi,

No, I have no ASA. I am limited to old HW: a VPN 3002 and PIX 501.

Do you think I can use a C837 with IPsec IOS (c837-k9o3y6-mz.122-13.ZH) to establish a VPN connection to the PIX 525? To be honest I did not check in that direction, I mean using a router as VPN client.

Regards,

Yes, you can have the PIX-525 as the Easy VPN server and the 800 router as the Easy VPN client.

Federico.

Thanks again Federico.

I did configure the VPN 3002 hardware client as per

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941ea.shtml

So far so good. I can browse and telnet from a PC behind the VPN 3002 client HW to the web server and router on the LAN behind the PIX.

I just have to uncheck IPSec over TCP in the IPSec section on the VPN client.

I will document all I have done and present it to my boss/customer.

Will test later with the C837.
