Solved: Re: Remote VPN

cisco.learner · ‎01-07-2006

Hi, I setup static for remote connection now for rdp. I want to know what advantage is setup the remote VPN client on pix.

jackko · ‎01-07-2006

yes, cisco vpn client is a must.

below are the sample codes:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list 101

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp identity address

isakmp nat-traversal 20

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

ip local pool ippool 10.1.1.11-10.1.1.21

vpngroup vpnclient address-pool ippool

vpngroup vpnclient idle-time 1800

vpngroup vpnclient dns-server 139.130.4.4

vpngroup vpnclient password cisco456

vpngroup vpnclient split-tunnel 120

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap

username cisco password cisco123

aaa-server LOCAL protocol local

crypto map remote_vpn client authentication LOCAL

crypto map remote_vpn client configuration address initiate

crypto map remote_vpn client configuration address respond

View solution in original post

jackko · ‎01-07-2006

the main benefit is to secure the connection.

providing port forwarding and inbound acl have been configured for remote user, all the traffic is traversed in clear text.

the remote vpn client needs to be installed on the remote pc.

cisco.learner · ‎01-07-2006

Hi, so only user setup client not anyone? Any example? Thanks.

jackko · ‎01-07-2006

yes, cisco vpn client is a must.

below are the sample codes:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list 101

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp identity address

isakmp nat-traversal 20

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

ip local pool ippool 10.1.1.11-10.1.1.21

vpngroup vpnclient address-pool ippool

vpngroup vpnclient idle-time 1800

vpngroup vpnclient dns-server 139.130.4.4

vpngroup vpnclient password cisco456

vpngroup vpnclient split-tunnel 120

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap

username cisco password cisco123

aaa-server LOCAL protocol local

crypto map remote_vpn client authentication LOCAL

crypto map remote_vpn client configuration address initiate

crypto map remote_vpn client configuration address respond

cisco.learner · ‎01-08-2006

Hi, is there another remote VPN method? My friend don't need install VPN client.

jackko · ‎01-08-2006

not with the pix501. with pix 515e or above, webvpn would the other option.

just wondering what sort of device your friend has. it may be feasible to configure a lan-lan vpn between you and your friend.

cisco.learner · ‎01-08-2006

Hi, my friend has router 827h. Possible to setup vpn? Please give example.

jackko · ‎01-10-2006

below are the sample codes.

for pix,

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 121 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside 1.1.x.x.x.255.0

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map myvpn 10 ipsec-isakmp

crypto map myvpn 10 match address 121

crypto map myvpn 10 set peer 1.1.1.2

crypto map myvpn 10 set transform-set myset

crypto map myvpn interface outside

isakmp enable outside

isakmp key xxx address 1.x.x.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

for router,

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key xxx address 1.1.1.1 no-xauth

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set myset

match address 121

interface Ethernet0

ip address 192.168.2.1 255.255.255.0

ip nat inside

interface Dialer0

ip address 1.1.1.2 255.255.255.0

ip access-group 111 in

ip nat outside

crypto map mymap

ip nat inside source route-map nonat interface Dialer0 overload

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 111 permit udp any host 1.1.1.2 eq non500-isakmp

access-list 111 permit udp any host 1.1.1.2 eq isakmp

access-list 111 permit esp any host 1.1.1.2

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 111 deny ip any any

access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

route-map nonat permit 10

match ip address 101