Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501 to PIX 501 VPN

Hi

I am trying to configure a network almost exactly like the solution in this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

However as soon as I start to configure it my software VPN client users cant connect.

Are the two VPN types compatible? What changes should I make to keep these users happy.

Thanks

Stewart

1 REPLY

Re: PIX 501 to PIX 501 VPN

Try This example setup:

PIX> enable

PIX# configure terminal

If there is more control needed or there is no sysopt connection permit-ipsec then use an acces-list acs-outside.

PIX(config)# sysopt connection permit-ipsec

or

PIX(config)# access-list acs-outside permit udp host VPNPeer host MyPublicIP eq isakmp

PIX(config)# access-list acs-outside permit esp host VPNPeer host MyPublicIP

PIX(config)# access-list acs-outside permit ah host VPNPeer host MyPublicIP

PIX(config)# access-group acs-outside in interface outside

STEP 1 - Configure IKE

PIX(config)# isakmp enable outside

PIX(config)# isakmp policy 10 authentication pre-share

PIX(config)# isakmp policy 10 encryption 3des

PIX(config)# isakmp policy 10 hash md5

PIX(config)# isakmp policy 10 group 2

PIX(config)# isakmp policy 10 lifetime 86400

PIX(config)# Isakmp identity address

PIX(config)# isakmp key your-vpn-password address PEER-IP netmask 255.255.255.255

STEP 2 - Configure IPSEC

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

PIX(config)# global (outside) 1 interface

PIX(config)# nat (inside) 0 access-list NONAT

PIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet

PIX(config)# crypto ipsec transform-set TRANS esp-des esp-md5-hmac

PIX(config)# crypto map REMOTE 10 ipsec-isakmp

PIX(config)# crypto map REMOTE 10 match address VPN

PIX(config)# crypto map REMOTE 10 set peer PEER-IP

PIX(config)# crypto map REMOTE 10 set transform-set TRANS

PIX(config)# crypto map REMOTE interface outside

PIX(config)# sysopt connection permit-ipsec

Description: This command permits IPSEC traffic trough the PIX without an ACL comment statement

Hope thet helps

Patrick

191
Views
0
Helpful
1
Replies
CreatePlease login to create content