Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Use Pix VPN to Secure Wireless Communucation

After demonstrating how easy it is to sniff traffic on unknown/unsecured wireless networks, I find myself needing to come up with a solution for the problem.

Since all of our laptop users have the Cisco VPN client installed, we thought about setting up a Pix firewall with VPN configured to act as a gateway to the Internet when users are "forced" to use unsecured wireless in the various parks and restaurants around the NYC area. I understand that Pix version 7 allows traffic to come in and out of the same interface now, so it would seem that this task is logically possible.

I would like to set up the firewall so that when users connect to wireless networks, they can connect to the firewall using VPN so that all wireless traffic is encrypted. The firewall will then act as a gateway to the Internet. For the test, I loaded version Pix 7.02 on a spare 506e, so I only have command-line access. Once the test is complete and I can demonstrate the results to the executive staff, we will get funded to buy an ASA 5510 just for the employees around NYC to use. I have configured the 506e for VPN access (without split tunneling of course) and it’s working like a charm, but I cannot get out to the Internet once I am connected. The VPN configuration is posted below. Any assistance will be greatly appreciated.


access-list net_vpn_net extended permit ip

access-list net_vpn_net extended permit ip any

ip local pool MYVPNPOOL

nat (inside) 0 access-list net_vpn_net

route outside x.x.x.x 1

group-policy TESTVPN internal

group-policy TESTVPN attributes

dns-server value x.x.x.x y.y.y.y

vpn-idle-timeout 30

default-domain value

username TestUser password xxxxxxxxxxxxxxxxx encrypted privilege 1

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp nat-traversal 60

tunnel-group DefaultRAGroup type ipsec-ra

tunnel-group DefaultRAGroup general-attributes

authentication-server-group (outside) LOCAL

tunnel-group TESTVPN type ipsec-ra

tunnel-group TESTVPN general-attributes

address-pool MYVPNPOOL

default-group-policy TESTVPN

tunnel-group TESTVPN ipsec-attributes

pre-shared-key *


Re: Use Pix VPN to Secure Wireless Communucation

i thought the magical command "same-security-traffic permit intra-interface" is required.

further, i thought that v7 doesn't support pix 501 and 506e, interesting.

New Member

Re: Use Pix VPN to Secure Wireless Communucation

Cisco does not support Version 7 on the 506e. Version 7 can be installed and operate on a 506e since it only requires 5MB of flash, but you do not have enough flash left to install the Cisco Adaptive Security Device Manager (ASDM). That is why I am doing everything from the command line.

I will try the "same-security-traffic permit intra-interface" command and report back the results. Thanks for the information.

New Member

Re: Use Pix VPN to Secure Wireless Communucation

No luck. Still no access to the Internet after adding the statement "same-security-traffic permit intra-interface".


Re: Use Pix VPN to Secure Wireless Communucation

having a second look at the command reference, the description of the command is "Permits communication in and out of the same interface when traffic is IPSec protected".

does it mean the traffic has to be hopping from one vpn to another vpn; as opposed to from vpn to the pure internet. i guess you need to contact the cisco tac in order to verify.

an alternative is to setup proxy for the remote vpn client, which would be less complicated and much easier to manage.


Re: Use Pix VPN to Secure Wireless Communucation

just wondering how you go.

finally, i've found a cisco doc addressing your scenario:

CreatePlease to create content