Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Set up a VPN pn Pix 6.1

Is the following configuration enough to configure VPN on PIX. The PIX connects to a catalyst switch on the inside and ISP router on the outside. Do I ahve to add something to the ctatlyat as well to configure vpn access.

ip local pool vpnpool

crypto ipsec transform-set myset1 esp-des esp-md5-hmac

crypto dynamic-map dmap 90 set transform-set myset1

crypto map smap 90 ipsec-isakmp dynamic dmap

crypto map smap client authentication partnerauth

crypto map smap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn address-pool vpnpool

vpngroup vpn dns-server DNS-ECC

vpngroup vpn wins-server WINS

vpngroup vpn default-domain

vpngroup vpn split-tunnel 100

vpngroup vpn idle-time 1800

vpngroup vpn password ********

New Member

Re: Set up a VPN pn Pix 6.1

You should also add:

"sysopt connection permit-ipsec" to override inbound acls to permit inbound ipsec to be processed.

Also need to prevent outbound vpn traffic from being nat'ed. This can be done with an acl on the nat statement that denies inside->192.168.1.x OR an acl that permits inside->192.168.1.x associated with a nat 0 command. I am assuming the "partnerauth" tag is correctly configured with aaa commands not shown. Give you config a test and post back any issues you have.

New Member

Re: Set up a VPN pn Pix 6.1

1." partnerauth tag configuration"

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host cisco123 timeout 5

2. Please explain your comment

"prevent outbound vpn traffic from being nat'ed"

I intend to add the following:

acess-list 200 permit ip any

ip local pool vpnpool

nat inside 0 access-list 200

What else do i need to do and why? I have the following nat commands already:

nat (inside) 0 0 0

nat (inside) 0 0 0

nat (inside) 0 0 0

nat (inside) 0 0 0

nat (inside) 0 0 0

nat (inside) 0 0 0

nat (inside) 0 0 0


Re: Set up a VPN pn Pix 6.1

the access-list should be:

access-list 200 permit ip

CreatePlease to create content