10-13-2005 11:13 AM - edited 03-09-2019 12:43 PM
10-13-2005 04:31 PM
please provide more detail
10-14-2005 06:41 AM
Hi, what details do you need?
On our site:
PIX 501 with a public IP and an inside IP (network) of 192.168.1.1 255.255.255.0; this is used to access the internet. Another network, 192.168.100.0 255.255.255.0, is used for the software we use (so all workstations have 2 IPs each).
The remote site:
Router 2621XM with public ip and a different private subnet.
Let me know if you need more details and what specific details.
Thanks
Daniel
10-14-2005 06:54 AM
just wondering what sort of info you are looking for, as the original post is blank except the title "connecting to a remote network".
10-14-2005 12:04 PM
OOPS, sorry, what was I thinking. Okay, we intend to have a branch office in a remote site, and we would like to connect from our site to that site as if we were on a LAN (though with different subnets). Now we access the internet through satellite internet (VSAT). I was wondering if it is possible, and how, to configure a PIX 501 and a router 2621XM to connect through VSAT. Can I get a permanent site-to-site connection this way? If possible, what kind of WAN connection must be on the other site?
Thanks.
NB
PIX on our site and Router on the other.
10-14-2005 11:53 PM
Providing both sites have a static public IP, then the options are either LAN-LAN VPN or EzVPN. Alternatively, if only one of the two sites has a static public IP, then the only option is EzVPN.
The main difference between LAN-LAN VPN and EzVPN is that with EzVPN, only the remote site (i.e. the one that hasn't got a static public IP) can initiate the VPN. Once the VPN is established, either site would have access to the other.
10-15-2005 09:32 AM
Thanks a lot Jackko, I guess I'll have to go and read up on EzVPN (which I've never heard of). As for VPN, the last time I tried it, it didn't work. Maybe you or anybody could assist me and see where I went wrong. Below is my config. We use a VPN client version 4.0.5 (D), alias VPN Unity software. The error message I get is: "Connection terminated locally by client. Reason 412: the remote peer is no longer responding." or "Failed to establish TCP connection" (if I enable transparent tunneling).
thanks.
10-15-2005 10:54 AM
For a remote VPN setup use my example config and adjust your NoNAT and access-list.
Example:
access-list NONAT permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
access-list DYN-VPN-ACL permit ip Internalnet ISubnet VPN-Pool 255.255.255.0
aaa-server LOCAL protocol local
aaa authentication secure-http-client
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE client authentication LOCAL
crypto map REMOTE interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ip local pool VPNPool x.y.z.1-x.y.z.254
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server dns2 dns1
vpngroup VPNGroup default-domain localdomain
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password grouppassword
username vpnclient password vpnclient-password
Links:
Cisco PIX Firewall and VPN Configuration Guide, Version 6.3:
Managing VPN Remote Access:
sincerely
Patrick
10-15-2005 11:01 AM
Change these lines:
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DYN-VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip local pool VPNPool 192.168.100.1-192.168.100.254
sincerely
Patrick
10-17-2005 01:17 PM
Hi, I thought I could figure it out, but no. I have mapped drives to my server, and I want a situation where I can map to these drives remotely through VPN. Patrick, thanks for the config, it worked, but I am not getting what I want as stated above.
How come enabling transparent tunneling (IPsec/TCP) doesn't work (is there a particular port I should use)? What am I missing? And if I go to Status\Statistics my Local LAN indicates "disabled" even though it is checked. What am I missing in the config? If I am not clear please let me know. Bottom line, I have a VPN connection (not with TCP), but I can't access my office network. Help.
Thanks a million.
10-17-2005 04:49 PM
I guess the issue may be related to NetBIOS as it relies on broadcast, and unfortunately broadcast will not be encrypted/sent via the VPN tunnel.
If that's the case, then you may need to set up a WINS server and point the remote VPN client to it.
e.g.
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server 192.116.101.82
vpngroup VPNGroup wins-server 192.116.101.x
vpngroup VPNGroup default-domain somewhere.com
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
10-17-2005 05:33 PM
What exactly have you tried to do that did not work?
As jackko mentioned, NetBIOS broadcast never passes the VPN tunnel, so forget about browsing in your network neighborhood. But all IP address and TCP and UDP port related non-broadcast traffic should work.
sincerely
Patrick
10-17-2005 05:59 PM
Login to domain server using the VPN Client:
gfullage wrote:
If you're using Win2k/XP then you only get the chance to logon to the domain at startup. For this reason, the VPN client has a Start Before Logon feature, where as soon as you hit CTRL-ALT-DEL to login, the VPN client pops up, enabling you to bring up the VPN BEFORE you login to the domain. Enable it under the Options - Windows Logon Properties section.
On the PIX, make sure you send down the internal WINS server(s) so that the PC knows where to send everything. And on your NIC TCP/IP settings make sure "Enable Netbios over TCP/IP" is checked, this solves a lot of issues.
Have you tried with Remote Desktop to connect to the server?
sincerely
Patrick
10-19-2005 12:22 PM
THANKS A MILLION guys, I got everything working now; one little detail I left out was "nat (inside) 0 access-list nonat". So sad, I can't be on the internet at the same time.
Thanks.
NB.
Is it possible to have both IPsec and PPTP configs in the PIX at once? I almost gave it a shot, but.... this is company stuff, gotta be sure.
10-20-2005 03:41 AM
To have access to the Internet at the same time as you are connected with the VPN you have 2 choices.
1.) Install a proxy server on the network where the VPN terminates.
2.) Configure split tunnel, which allows the PC that starts the VPN session to browse the Internet directly.
! Kind of danger for hijacking !
access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any
vpngroup VPNGroup split-tunnel SplitTunnelACL
3.) To your question whether you can have PPTP and VPN set up at the same time: YES, this is possible.
sincerely
Patrick
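For reference, here is the thread's pieces assembled into one PIX 6.3 remote-access configuration, including the "nat (inside) 0" exemption Daniel found missing, the WINS/DNS push jackko suggested, and an optional split tunnel. This is an added example, not a config posted in the thread or Cisco documentation. Assumptions: the client pool 192.168.200.0/24 (kept separate from 192.168.100.0/24, which Daniel's first post describes as a second inside network), the DNS/WINS server 192.168.1.10, the domain name and the password placeholders; the inside networks 192.168.1.0/24 and 192.168.100.0/24 come from the thread.

```cisco
! Added example (not from the thread). PIX 6.3 remote-access VPN for the Cisco
! Unity client. 192.168.200.0/24, 192.168.1.10 and the secrets are placeholders.

! Client address pool: a subnet that is NOT one of the inside networks, so the
! NAT-exemption and split-tunnel ACLs can name the pool unambiguously.
ip local pool VPNPool 192.168.200.1-192.168.200.254

! Inside-to-client traffic must bypass NAT. The ACL alone does nothing;
! "nat (inside) 0" is the line that applies it.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Traffic the dynamic crypto map protects (same pairs as the exemption).
access-list DYN-VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list DYN-VPN-ACL permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

! Optional split tunnel: the client sends only traffic for these inside networks
! through the tunnel; everything else uses its own internet link. Leave out the
! "vpngroup ... split-tunnel" line below to keep full tunneling.
access-list SplitTunnelACL permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list SplitTunnelACL permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

aaa-server LOCAL protocol local
sysopt connection permit-ipsec

! Phase 2 (IPsec) as used in the thread.
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address DYN-VPN-ACL
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS
crypto map REMOTE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map REMOTE client authentication LOCAL
crypto map REMOTE interface outside

! Phase 1 (ISAKMP). nat-traversal lets clients behind NAT devices connect.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Push DNS and WINS so mapped drives resolve by name; NetBIOS broadcasts
! never cross the tunnel, so name resolution has to come from WINS/DNS.
vpngroup VPNGroup address-pool VPNPool
vpngroup VPNGroup dns-server 192.168.1.10
vpngroup VPNGroup wins-server 192.168.1.10
vpngroup VPNGroup default-domain example.local
vpngroup VPNGroup split-tunnel SplitTunnelACL
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password GROUP-PASSWORD-PLACEHOLDER

username vpnclient password USER-PASSWORD-PLACEHOLDER
```

Full tunneling (no split-tunnel line) keeps every client packet inside the tunnel and behind the office firewall, which is the safer default; the split tunnel only buys the simultaneous internet access Daniel asked for. The 3DES/MD5 transform set is what the 2005 thread uses and is kept here for consistency, not as a recommendation.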