Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

What's needed for a basic VPN?

We have a small network with a PIX 506 between it and the internet. I'd like to set up a VPN so I can access the network from school or home. I'm running version 5.2 and to the best of my knowledge, no software (other than online documentation) came with the PIX. I'm running Windows 2000 Professional at home (and any OS I want at school). The PIX has a static ip and I have a DHCP dynamic IP assigned from my isp. The inside network of the PIX is running is and let's say .100 to .200 are available.

What should I use? Do I have access to the VPN 3000 Client? (IE: is it free or can I get it since I purchased a PIX 506 last summer?). Can my PIX even support VPN's or do I have to purchase a seperate license? I know I can put PPTP on my Win 2k machine but can I use it on the PIX?

My time is short (I'm at school) but I'll add any info if it's needed. If someone could point me to a online doc that could help me out I'd appreciate it.


New Member

Re: What's needed for a basic VPN?

It depends on your security requirements and how much administrative overhead you want to endure.


This is the easiest to implement. It only requires a fairly simple config on the Pix and no client software on the clients. A simple PPTP vpn setup on Win2k, using the outside PIX IP address as your host that the connect to. You will only be able to use 40 bit encryption without upgrading to a 3DES license which costs money. The one other thing that you will need is a backend Radius server to authenticate the clients. You can setup an IAS server in your LAN on Win2k. It can be pretty much any server in your LAN as it does not require much overhead. The setup is really simple. You really only need to setup a shared secret between the IAS server and the PIX. As an alternative, you can also setup local authentication on the PIX, where everyone will have the same username and password to the VPN, but this is obviously less secure. The IP pool that you designate should from the RFC 1918 private addresses, but it should be a differnet subnet than the one on your inside lan. If you have or add a 3rd interface on your pix and you use the same subnet on your VPN as well as on your inside LAN, then any servers on the DMZ interface will think that you are spoofing from the outside because the DMZ will already have a route to the inside interface and PIX will block all returning traffic to hosts on the VPN. Anyway, just use something like for your pool.

Example Setup


This one is a little more involved because you need to install the VPN client V3.5x which is free to use and donwload as long as you have a smartnet contract or some contract to download Cisco software. You will also need to apply for a 56 bit IPSEC license key to install on the PIX which is free but you will also need a contract for that.

One issue you might want to consider is to use a personal firewall with a PPTP VPN so you have protection from the Internet while you are connected to the VPN.