Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
kl
New Member

PIX VPN configuration

Hi,

I have configured the PIX to do VPN connections from VPN clients and the clients can see the whole network. How do I configure the VPN to see only 2 hosts at my network and nothing else?

Regards

Kim Loefqvist

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: PIX VPN configuration

One way you could do this is to modify your

inside_outbound_nat0_acl access list to permit only traffic to the vpn subnet from these 2 hosts rather than "any"

HTH

3 REPLIES
Gold

Re: PIX VPN configuration

Hi -

Would it possible if you could post your config - pls remember to change 'real IPs' and passwords.

Thanks -

kl
New Member

Re: PIX VPN configuration

Hi,

Sorry for the delay, but here is my configuration:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password aaaaaaaaaa encrypted

passwd aaaaaaaaaa encrypted

hostname pix

domain-name aaaaaa.dk

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name xxx.xxx.xxx.xxx Strong

name 31.47.0.0 SS-DE

name 32.47.0.0 SS-DK

access-list outside_access_in permit icmp any any

access-list inside_outbound_nat0_acl permit ip SS-DK 255.255.0.0 SS-DE 255.255.0.0

access-list inside_outbound_nat0_acl permit ip any 172.16.250.0 255.255.255.0

access-list outside_cryptomap_20 permit ip SS-DK 255.255.0.0 SS-DE 255.255.0.0

access-list outside_cryptomap_dyn_20 permit ip any 172.16.250.0 255.255.255.0

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside aaa.bbb.ccc.ddd 255.255.255.248

ip address inside 32.47.165.250 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 172.16.250.1-172.16.250.254

pdm location Strong 255.255.255.255 outside

pdm location SS-DE 255.255.0.0 outside

pdm logging critical 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.dde 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

ntp server x.x.145.130 source outside

ntp server x.x.159.194 source outside prefer

http server enable

http Strong 255.255.255.255 outside

http x.x.x.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server outside Strong /171103-1.cfg

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 123.456.789.012

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key !!!!!!!! address 123.456.789.012 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup Test address-pool ippool

vpngroup Test dns-server 194.239.134.83

vpngroup Test wins-server 132.147.0.5

vpngroup Test idle-time 1800

vpngroup Test password Testing123

telnet timeout 5

ssh Strong 255.255.255.255 outside

ssh timeout 5

console timeout 0

username zzzzzz password aaaaaaaaaaaaaa encrypted privilege 15

privilege show level 0 command version

privilege show level 0 command curpriv

privilege show level 3 command pdm

privilege show level 3 command blocks

privilege show level 3 command ssh

privilege configure level 3 command who

privilege show level 3 command isakmp

privilege show level 3 command ipsec

privilege show level 3 command vpdn

privilege show level 3 command local-host

privilege show level 3 command interface

privilege show level 3 command ip

privilege configure level 3 command ping

privilege show level 3 command uauth

privilege configure level 5 mode enable command configure

privilege show level 5 command running-config

privilege show level 5 command privilege

privilege show level 5 command clock

privilege show level 5 command ntp

privilege show level 5 mode configure command logging

privilege show level 5 command fragment

terminal width 80

Cryptochecksum:xxxxxx: end

New Member

Re: PIX VPN configuration

One way you could do this is to modify your

inside_outbound_nat0_acl access list to permit only traffic to the vpn subnet from these 2 hosts rather than "any"

HTH

94
Views
0
Helpful
3
Replies
CreatePlease to create content