01-07-2006 05:09 PM - edited 02-21-2020 12:37 AM
Hi, I set up a static for remote connection now for RDP. I want to know what the advantage is of setting up the remote VPN client on the PIX.
01-07-2006 05:43 PM
The main benefit is to secure the connection.
Provided port forwarding and an inbound ACL have been configured for the remote user, all the traffic traverses in clear text.
The remote VPN client needs to be installed on the remote PC.
01-07-2006 06:03 PM
Hi, so only a user with the client set up, not anyone? Any example? Thanks.
01-07-2006 06:05 PM
Yes, the Cisco VPN Client is a must.
Below is the sample code:
: Inside LAN 192.168.1.0/24 to the VPN client pool 10.1.1.0/24. ACL 101 exempts
: this traffic from NAT (nat 0); ACL 120 is the split-tunnel list pushed to the
: client so that only traffic for 192.168.1.0/24 enters the tunnel.
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
: Phase 1 (ISAKMP) policy: pre-shared key, 3DES, MD5, DH group 2, 24 h lifetime.
: (3DES, MD5 and group 2 are considered weak today.) 'isakmp enable outside'
: was not in the original post but is required to accept IKE on the outside.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
: NAT traversal (UDP 4500) lets clients behind a NAT device connect
isakmp nat-traversal 20
: Phase 2 (IPsec) transform set
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
: Addresses handed to connecting clients (11 addresses)
ip local pool ippool 10.1.1.11-10.1.1.21
: Group "vpnclient": its password is the group pre-shared key configured in the
: client; replace it and the user password below with real secrets before use.
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
: Dynamic crypto map for clients whose source address is unknown in advance,
: bound to the outside interface. The 'interface outside' and 'sysopt' lines
: were not in the original post but are needed for the map to take effect and
: for decrypted traffic to bypass the outside interface ACL.
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
crypto map remote_vpn interface outside
sysopt connection permit-ipsec
: Extended authentication (XAUTH) against the local user database; the PIX
: pushes the pool address and DNS server to the client (mode config).
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
01-08-2006 04:10 PM
Hi, is there another remote VPN method, so my friend doesn't need to install the VPN client?
01-08-2006 04:14 PM
Not with the PIX 501. With a PIX 515E or above, WebVPN would be the other option.
Just wondering what sort of device your friend has. It may be feasible to configure a LAN-to-LAN VPN between you and your friend.
01-08-2006 04:50 PM
Hi, my friend has an 827H router. Is it possible to set up a VPN? Please give an example.
01-10-2006 10:23 AM
Below is the sample code.
For the PIX:
: Inside LAN 192.168.1.0/24 to the friend's LAN 192.168.2.0/24. ACL 101 exempts
: this traffic from NAT; ACL 121 is the crypto ACL that selects it for the tunnel.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
: The outside and peer addresses were partly masked in the original post; the
: 1.1.1.1 / 1.1.1.2 values used here are the ones the router side below expects.
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
: PAT everything else behind the outside interface address
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
: Phase 2 (IPsec): static crypto map to the router's public address
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 121
crypto map myvpn 10 set peer 1.1.1.2
crypto map myvpn 10 set transform-set myset
crypto map myvpn interface outside
: Phase 1 (ISAKMP): pre-shared key 'xxx' (placeholder) for the router. no-xauth
: and no-config-mode stop the PIX from treating the router like a remote-access
: client, which matters when the same PIX also serves VPN clients.
isakmp enable outside
isakmp key xxx address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
For the router:
! Phase 1: must match the PIX policy above. The original post omitted 'hash md5',
! which leaves IOS at its default of SHA and makes phase 1 fail against a PIX
! that offers only MD5.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Pre-shared key 'xxx' (placeholder) for the PIX's outside address
crypto isakmp key xxx address 1.1.1.1 no-xauth
! Phase 2: transform set and static crypto map to the PIX
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 121
! LAN side
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
! WAN side: inbound ACL 111, NAT overload and the crypto map all sit on Dialer0.
! (Dialer0's ATM0/dialer-pool binding is not part of this sample.)
interface Dialer0
 ip address 1.1.1.2 255.255.255.0
 ip access-group 111 in
 ip nat outside
 crypto map mymap
! NAT everything except the VPN traffic, which route-map nonat / ACL 101 denies
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
! Inbound on Dialer0: IKE (UDP 500), NAT-T (UDP 4500), ESP, and the decrypted
! traffic from the PIX LAN, which older IOS releases re-check against this ACL.
access-list 111 permit udp any host 1.1.1.2 eq non500-isakmp
access-list 111 permit udp any host 1.1.1.2 eq isakmp
access-list 111 permit esp any host 1.1.1.2
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip any any
! Crypto ACL: the mirror image of the PIX's ACL 121
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
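A way to catch this kind of mismatch before debugging on the boxes, added here as an example and not part of the original thread: a small Python script that parses both sides of the LAN-to-LAN configuration above and cross-checks the ISAKMP policies (filling in the defaults each platform assumes for unset attributes, which is where the IOS SHA-versus-PIX MD5 problem hides), the transform sets, the peer and interface addresses, and whether the two crypto ACLs are mirror images once IOS wildcards are converted to PIX-style masks. The sample configurations inside are constructed from the thread's values: the PIX outside address, partly masked in the post, is assumed to be 1.1.1.1 so that it agrees with the router side, and the router policy is given first as it was originally posted (no hash line) and then with hash md5 added.

```python
"""Added example (not code from the original thread): parse the PIX 6.x and IOS LAN-to-LAN
configs posted above and cross-check them for the mismatches that keep the tunnel from
negotiating. Sample configs are constructed from the thread's values (see notes below)."""
import ipaddress

# What IOS and PIX 6.x assume for any ISAKMP policy attribute that is left unset.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ALIAS = {"encr": "encryption", **{k: k for k in (*DEFAULTS, "lifetime")}}  # IOS abbreviates 'encr'

def wildcard_to_mask(wildcard):  # IOS ACLs use wildcards (0.0.0.255); PIX 6.x ACLs use masks
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))

def parse_pix(text):  # PIX 6.x syntax is flat: every setting is one self-contained line
    cfg = {"policies": {}, "tsets": {}, "acls": {}, "peer": None, "crypto_acl": None, "outside": None}
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["isakmp", "policy"] and len(t) == 5 and t[3] in ALIAS:
            cfg["policies"].setdefault(t[2], dict(DEFAULTS))[ALIAS[t[3]]] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = frozenset(t[4:])
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            cfg["acls"].setdefault(t[1], set()).add(((t[4], t[5]), (t[6], t[7])))
        elif t[:2] == ["crypto", "map"] and t[4:6] in (["set", "peer"], ["match", "address"]):
            cfg["peer" if t[4] == "set" else "crypto_acl"] = t[6]
        elif t[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = t[3]
    return cfg

def parse_ios(text):  # IOS nests policy, crypto-map and interface settings under a header line
    cfg = {"policies": {}, "tsets": {}, "acls": {}, "peer": None, "crypto_acl": None, "outside": None}
    block, addrs, mapped = None, {}, set()
    for t in (line.split() for line in text.splitlines()):
        if t[:3] == ["crypto", "isakmp", "policy"]:
            block, cfg["policies"][t[3]] = ("policy", t[3]), dict(DEFAULTS)
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            block = ("map",)
        elif t[:1] == ["interface"]:
            block = ("iface", t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            block, cfg["tsets"][t[3]] = None, frozenset(t[4:])
        elif t[:1] == ["access-list"]:
            block = None
            if t[2:4] == ["permit", "ip"] and len(t) == 8:
                cfg["acls"].setdefault(t[1], set()).add(((t[4], wildcard_to_mask(t[5])), (t[6], wildcard_to_mask(t[7]))))
        elif block and block[0] == "policy" and len(t) == 2 and t[0] in ALIAS:
            cfg["policies"][block[1]][ALIAS[t[0]]] = t[1]
        elif block == ("map",) and len(t) == 3 and t[:2] in (["set", "peer"], ["match", "address"]):
            cfg["peer" if t[0] == "set" else "crypto_acl"] = t[2]
        elif block and block[0] == "iface":
            if t[:2] == ["ip", "address"]: addrs[block[1]] = t[2]
            if t[:2] == ["crypto", "map"]: mapped.add(block[1])  # crypto-map interface = tunnel endpoint
    cfg["outside"] = next((addrs.get(i) for i in mapped), None)
    return cfg

def compare(pix, ios):  # returns findings; an empty list means both phases should negotiate
    findings, attrs = [], tuple(DEFAULTS)
    if not any(all(p[a] == i[a] for a in attrs)
               for p in pix["policies"].values() for i in ios["policies"].values()):
        findings.append("phase 1: no ISAKMP policy pair agrees on " + "/".join(attrs))
    if not set(pix["tsets"].values()) & set(ios["tsets"].values()):
        findings.append("phase 2: no transform set in common")
    if pix["peer"] != ios["outside"] or ios["peer"] != pix["outside"]:
        findings.append("peers do not cross-reference: PIX->%s (IOS has %s), IOS->%s (PIX has %s)"
                        % (pix["peer"], ios["outside"], ios["peer"], pix["outside"]))
    pix_acl = pix["acls"].get(pix["crypto_acl"], set())
    mirrored = {(d, s) for s, d in ios["acls"].get(ios["crypto_acl"], set())}
    if not pix_acl or pix_acl != mirrored:
        findings.append("phase 2: crypto ACLs %s / %s are not mirror images" % (pix["crypto_acl"], ios["crypto_acl"]))
    return findings

# Constructed from the thread's PIX side; the masked outside address is assumed to be 1.1.1.1.
PIX_CFG = """
access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map myvpn 10 match address 121
crypto map myvpn 10 set peer 1.1.1.2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# Constructed from the thread's router side as first posted: no 'hash' line, so IOS defaults to SHA.
IOS_AS_POSTED = """
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 1.1.1.1 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
match address 121
interface Dialer0
ip address 1.1.1.2 255.255.255.0
crypto map mymap
access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
IOS_FIXED = IOS_AS_POSTED.replace("group 2\n", "group 2\nhash md5\n")  # the one-line fix
```

`compare(parse_pix(PIX_CFG), parse_ios(IOS_AS_POSTED))` returns a single phase 1 finding, while the same call with `IOS_FIXED` returns an empty list. The parsers only understand the statements used in this thread (policies, transform sets, crypto maps, extended `permit ip` ACL entries and interface addresses), so pasting a longer running-config into the two strings works as long as those lines are present; anything else is ignored rather than misread.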