Basic VPN config from 3.5.x client to PIX 501

pcarter
Level 1

All,

Sorry for the most basic question here, but the situation is this:

PIX 501 sitting between the Internet and LAN. This internet connection DOES NOT handle traffic initiated from within the LAN. I simply need to enable the PIX to accept incoming client connections. I've read through and tried various permutations of about 20 different Cisco documents. Each one is simply more complicated than I need. What do I need to do (probably an incredibly basic step I've missed) to tell the PIX to accept connections from incoming clients?

I've added the lines:

ip local pool inpool x.x.x.x-x.x.x.x

vpngroup vpn dns-server x.x.x.x

vpngroup vpn wins-server x.x.x.x

vpngroup vpn default-domain testdomain.com

vpngroup vpn password ********

sysopt connection permit-ipsec

no sysopt route dnat (I have no idea what this line means)

plus the basics, interface names, ip addresses, etc...

Any help is greatly appreciated.

Patrick

5 Replies

edadios
Cisco Employee

Have a look at this config; don't use the "aaa-server..." lines or the line "crypto map vpnclient authentication authme", and look at the highlighted commands:

http://www.cisco.com/warp/customer/471/vpn3002pix-6421.shtml

You need :

access-list nonat permit ip "inside ip subnet" "pool inpool ip subnet"

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec

crypto ipsec transform-set strong ............

crypto dynamic-map .........

crypto map vpn interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

Regards,

paqiu
Level 1

You have configured the vpngroup commands, which is very good.

You still need

1 crypto map

2 isakmp

3 nat (inside) 0 access-list

to make the remote access client work fine.

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map cisco 20 set transform-set myset

crypto map partner-map 20 ipsec-isakmp dynamic cisco

crypto map partner-map client configuration address initiate

crypto map partner-map interface outside

isakmp enable outside

isakmp identity address

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 2

isakmp policy 8 lifetime 86400

I assume that your inside network is 192.168.200.x and the pool is 192.168.1.x

ip local pool vpnpool 192.168.1.200-192.168.1.254

access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 101

Best Regards,

ryan.rader
Level 1

Hi Patrick,

This config on Cisco's site has helped me out a lot: http://www.cisco.com/warp/public/110/pptpcrypto3.html

But to be completely honest, the easiest way to do this is to upgrade the PIX to 6.2 and install a program called PDM 2.0 (PIX Device Manager). This new program has a wizard built in that allows you to create site-to-site or software-client-to-PIX VPNs. It will configure the PIX to do what you want in a couple of minutes. It's a very nice tool.

Ran the tool. It created the VPN client to PIX config. I connect through the client and pull down an address from the pool, but I am unable to access any resources on my LAN.

Likely a routing issue.

Do you have a nat 0 statement?

Does your inside host default-route to the PIX? This is so that it sends replies for the IPs in the VPN pool back to the PIX inside interface.

Regards,
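Pulling the replies together, here is a complete PIX 6.2-style remote-access configuration as an added example; it is not a config posted in this thread or taken from the linked Cisco documents. It reuses the group name "vpn" and pool name "inpool" from the original post and the inside network 192.168.200.0/24 and pool range 192.168.1.200-254 assumed in the second reply. The outside address 203.0.113.2/29, its next hop 203.0.113.1, and 192.168.200.10 as DNS/WINS server are placeholder assumptions. Lines starting with "!" are commentary.

```cisco
! Added example, not from the thread. Interface basics (addresses are assumed placeholders).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.200.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Address pool handed out to connecting VPN clients.
ip local pool inpool 192.168.1.200-192.168.1.254

! LAN <-> pool traffic must bypass NAT (nat 0). Without this the tunnel comes up,
! the client gets a pool address, but replies from the LAN are translated and
! never reach the client.
access-list nonat permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
! (no "global"/"nat (inside) 1" lines: this link carries no LAN-initiated traffic)

! Group settings pushed to the VPN client. address-pool ties the pool to the group;
! split-tunnel reuses the nonat ACL so only LAN-bound traffic enters the tunnel.
! Remove the split-tunnel line to send all client traffic through the PIX.
vpngroup vpn address-pool inpool
vpngroup vpn dns-server 192.168.200.10
vpngroup vpn wins-server 192.168.200.10
vpngroup vpn default-domain testdomain.com
vpngroup vpn split-tunnel nonat
vpngroup vpn idle-time 1800
vpngroup vpn password REPLACE-WITH-A-LONG-GROUP-SECRET

! Decrypted IPsec traffic bypasses the outside interface ACL. This is a blanket
! exemption for every IPsec peer, so the group secret is effectively a perimeter key.
sysopt connection permit-ipsec

! Phase 2. 3DES/SHA needs the 3DES license on a 501; on a DES-only unit the only
! option is "esp-des esp-md5-hmac" as shown in the replies above.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap interface outside

! Phase 1. Pre-shared key comes from the vpngroup password; the 3.x client
! requires Diffie-Hellman group 2 for pre-shared-key groups.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks once a client connects: "show crypto isakmp sa" and "show crypto ipsec sa" confirm both phases are up, and "show nat" confirms the nat 0 exemption is in place. The symptom in the last post (pool address assigned, LAN unreachable) also occurs when the PIX is not the LAN's default gateway, as the original poster describes: the LAN hosts, or their gateway router, then need a route for 192.168.1.0/24 pointing at the PIX inside address (192.168.200.1 here), otherwise replies to clients are sent elsewhere. If clients sit behind NAT, PIX 6.3 adds "isakmp nat-traversal 20"; 6.2 has no NAT-T support.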
