connecting to a remote network

toyinsekoni

jackko

please provide more detail

Hi, what details do you need?

On our site:

PIX 501 with a public IP and an inside IP (network) of 192.168.1.1 255.255.255.0; this is used to access the internet. Another network, 192.168.100.0 255.255.255.0, is used for the software we use (so all workstations have 2 IPs each).

The remote site:

Router 2621XM with public ip and a different private subnet.

Let me know if you need more details and what specific details.

Thanks

Daniel

jackko

just wondering what sort of info you are looking for, as the original post is blank except the title "connecting to a remote network".

OOPS, sorry, what was I thinking. Okay, we intend to have a branch office in a remote site, and we would like to connect from our site to that site as if we were on a LAN (though with different subnets). Now we access the internet through satellite internet (VSAT). I was wondering if it is possible, and how, to configure either a PIX 501 or a router 2621XM to connect through VSAT. Can I get a permanent site-to-site connection this way? If possible, what kind of WAN connection must be on the other site?

Thanks.

NB

PIX on our site and Router on the other.

Providing both sites have a static public IP, then the options are either LAN-to-LAN VPN or EzVPN. Alternatively, if only one of the two sites has a static public IP, then the only option is EzVPN.

The main difference between LAN-to-LAN VPN and EzVPN is that with EzVPN, only the remote site (i.e. the one that hasn't got a static public IP) can initiate the VPN. Once the VPN is established, either site would have access to the other.

Thanks a lot Jackko, I guess I'll have to go and read up something on EzVPN (which I've never heard of). As for VPN, the last time I tried it, it didn't work. Maybe you or anybody could assist me and see where I went wrong. Below is my config. We use a VPN client version 4.0.5 (D), alias vpnunitysoftware. The error message I get is: "connection terminated locally by client. Reason 412: the remote peer is no longer responding", or "failed to establish tcp connection" (if I enable transparent tunneling).

thanks.

For a Remote VPN setup, use my example config and adjust your NoNAT and access-list.

example:

access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
aaa-server LOCAL protocol local
aaa authentication secure-http-client
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE client authentication LOCAL
crypto map REMOTE interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool x.y.z.1-x.y.z.254
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server dns2 dns1
vpngroup VPNGroup default-domain localdomain
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password grouppassword
username vpnclient password vpnclient-password

Links:

Cisco PIX Firewall and VPN Configuration Guide, Version 6.3:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080172852.html

Managing VPN Remote Access:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html

sincerely

Patrick

Change these lines:

access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DYN-VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPNPool 192.168.100.1-192.168.100.254

sincerely

Patrick

Hi, I thought I could figure it out, but no. I have mapped drives to my server, and I want a situation where I can map to these drives remotely through VPN. Patrick, thanks for the config, it worked, but I am not getting what I want as stated above.

How come enabling transparent tunnel (IPsec/TCP) doesn't work (is there a particular port I should use)? What am I missing? And if I go to Status\Statistics, my Local LAN indicates "disabled" even though it is checked. What am I missing in the config? If I am not clear please let me know. Bottom line, I have a VPN connection (not with TCP), but I can't access my office network. Help.

Thanks a million.

I guess the issue may be related to NetBIOS, as it relies on broadcast, and unfortunately broadcast will not be encrypted/sent via the VPN tunnel.

If that's the case, then you may need to set up a WINS server and point the remote VPN client to it.

e.g.

vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server 192.116.101.82
vpngroup VPNGroup wins-server 192.116.101.x
vpngroup VPNGroup default-domain somewhere.com
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********

What exactly have you tried to do that did not work?

As jackko mentioned, NetBIOS broadcasts never pass the VPN tunnel, so forget about browsing in your network neighborhood. But all IP-address-based and TCP/UDP-port-based non-broadcast traffic should work.

sincerely

Patrick

Login to domain server using the VPN Client:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd60514/0#selected_message

gfullage wrote:

If you're using Win2k/XP then you only get the chance to logon to the domain at startup. For this reason, the VPN client has a Start Before Logon feature, where as soon as you hit CTRL-ALT-DEL to login, the VPN client pops up, enabling you to bring up the VPN BEFORE you login to the domain. Enable it under the Options - Windows Logon Properties section.

On the PIX, make sure you send down the internal WINS server(s) so that the PC knows where to send everything. And on your NIC TCP/IP settings make sure "Enable Netbios over TCP/IP" is checked, this solves a lot of issues.

Have you tried with Remote Desktop to connect to the server?

sincerely

Patrick

THANKS A MILLION guys, I got everything working now. One little detail I left out was nat (inside) 0 access-list nonat. So sad, I can't be on the internet at the same time.

Thanks.

NB.

Is it possible to have both IPsec and PPTP configs in the PIX at once? I almost gave it a shot, but... this is company stuff, gotta be sure.

To have access to the Internet at the same time as you are connected with the VPN, you have 2 choices.

1.) Install a proxy server on the network where the VPN terminates.

2.) Configure split tunnel, which allows the PC that starts the VPN session to browse the Internet.

! Kind of danger for hijacking !

access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any
vpngroup VPNGroup split-tunnel SplitTunnelACL

3.) To your question whether you can have PPTP and the VPN setup at the same time: YES, this is possible.

sincerely

Patrick
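A small consistency check for the kind of PIX 6.x fragment posted in this thread, added here as an example (it is not Cisco code and not any poster's config): it parses the NAT-exempt ACL, the address pool and the `nat (inside) 0` line and reports the gap toyinsekoni hit (the missing `nat (inside) 0 access-list`), a pool that the NONAT ACL does not cover, and the split-tunnel trade-off Patrick describes. The sample config is constructed; ACL lines are matched only in the net/mask form used in the thread.

```python
import ipaddress
import re

# Constructed sample based on the PIX 6.3 fragment posted in the thread, with
# the 192.168.x addresses substituted in and the nat 0 line left out.
SAMPLE_CONFIG = """\
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
sysopt connection permit-ipsec
crypto map REMOTE interface outside
ip local pool VPNPool 192.168.100.1-192.168.100.254
vpngroup VPNGroup address-pool VPNPool
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup \S+ split-tunnel (\S+)$")

def check_pix_vpn(config):
    """Return a list of findings for a PIX 6.x remote-access VPN config."""
    acls, pools, nat0, split, findings = {}, {}, [], [], []
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:
        if m := ACL_RE.match(ln):                 # source net/mask, dest net/mask
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := POOL_RE.match(ln):              # first and last pool address
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(ln):
            nat0.append(m.group(1))
        elif m := SPLIT_RE.match(ln):
            split.append(m.group(1))
    if not nat0:  # the line the original poster had left out
        findings.append("missing 'nat (inside) 0 access-list': client traffic is NATed")
    for name in nat0:  # every pool must sit inside a NAT-exempt destination
        for lo, hi in pools.values():
            if not any(lo in dst and hi in dst for _, dst in acls.get(name, [])):
                findings.append(f"NAT-exempt ACL {name} does not cover pool {lo}-{hi}")
    if "sysopt connection permit-ipsec" not in lines:
        findings.append("missing 'sysopt connection permit-ipsec'")
    if not any(ln.startswith("crypto map") and ln.endswith("interface outside") for ln in lines):
        findings.append("no crypto map bound to the outside interface")
    for name in split:  # split tunnelling leaves the client a direct Internet path
        findings.append(f"split tunnel {name}: client is reachable outside the tunnel")
    return findings
```

Run `check_pix_vpn(SAMPLE_CONFIG)` to see the single finding for the missing NAT-exempt line; appending `nat (inside) 0 access-list NONAT` clears it.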