Cisco Support Community

New Member

Easy VPN PIX 501 > ASA5505

So, I have an ASA 5505 at one office, with the ability to do a clientless or AnyConnect connection into it. I also have a Windows 2008 server which will allow me to PPTP, L2TP, or SSTP into it.

My Goal: In my pursuit of understanding VPNs more, I would like to set up a PIX 501 at a remote location, and when I plug a user into it, I would like it to be as if I'm plugged into my office network switch.

I followed this article in regards to the pix setup for the client:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

And, for the ASA Easy VPN server I used the wizard.

Here is a summary of the config files:

https://gist.github.com/2413887

  • Before I issue the vpnclient enable command, all users on the PIX are able to communicate with the internet.
  • They are even able to establish clientless SSL VPN connections to the office.
  • As soon as I did 'vpnclient enable' on the PIX, my test user lost internet connectivity; this user is also not able to view office resources.

A little about the network in general:

  • Office = ISP > ASA(192.168.0.1/24) > SWITCH > Servers
  • REMOTE = ISP > PIX 501(172.16.0.1/24) > User
3 REPLIES
Super Bronze

Re: Easy VPN PIX 501 > ASA5505

Hi,

I configured a few PIX501 firewalls as NEM clients for one of our customers a few years ago, so I'm a bit rusty.

I think you need to have the username/password configuration on the PIX501 also.

vpnclient username password

The ASA5505 might also need some configuration under its group-policy. Not 100% sure about this as our IOS VPN devices' VPN profile configurations look a bit different.

group-policy attributes
  password-storage enable
  nem enable

Also to be able to use the Internet through the VPN connection you need NAT configurations on the ASA5505 so the PIX501 users can use the ASA5505 outside interface IP as the PAT address for traffic destined to Internet.

Looking at your NAT exempt configuration for the VPN, I would personally use the real network address range as the source instead of using any.

- Jouni

New Member

Re: Easy VPN PIX 501 > ASA5505

Getting closer,

I keep my connection to the 172.16.0.0/24 network, but I am no longer able to reach the 10.100.60, 192.168.0, or public internet networks.

On the ASA side, I have listed these networks in the exclude ACL.

Here is an updated ASA config:

https://gist.github.com/2416876

Client:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1       172.16.0.2    100
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0    255.255.255.0         On-link        172.16.0.2    306
       172.16.0.2  255.255.255.255         On-link        172.16.0.2    306
     172.16.0.255  255.255.255.255         On-link        172.16.0.2    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        172.16.0.2    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        172.16.0.2    306
===========================================================================

FW(config)# show isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  71.191.155.165     10.100.60.23    OAK_CONF_VPNC   0           0

FW(config)# show ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 10.100.60.23
   local  ident (addr/mask/prot/port): (10.100.60.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (71.191.155.165/255.255.255.255/0/0)
   current_peer: 71.191.155.165:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.100.60.23, remote crypto endpt.: 71.191.155.165
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

FW(config)# sh run | i vpn
vpnclient server 71.191.155.165
vpnclient mode network-extension-mode
vpnclient vpngroup securesub_evpn password ********
vpnclient username **** password ********
vpnclient enable

Easy VPN PIX 501 > ASA5505

Hi Daniel,

On the headend ASA Easy VPN config...

group-policy securesub_evpn attributes
  dns-server value 192.168.0.25 4.2.2.2
  vpn-tunnel-protocol ikev1
  split-tunnel-policy excludespecified
  split-tunnel-network-list value BAH-PKI-LAB

Change the "split-tunnel-policy excludespecified" to "split-tunnel-policy tunnelspecified" and test. This might help.

hth

MS
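The difference MS points at, modelled as an added example (not code from the thread or from Cisco): for each split-tunnel policy the ASA supports, decide whether a given destination is sent through the Easy VPN tunnel, using the thread's own networks. The contents of the BAH-PKI-LAB list are not shown in the thread, so the list below is a constructed assumption based on the poster saying the 192.168.0 and 10.100.60 networks are in the exclude ACL.

```python
import ipaddress

# The three values the ASA accepts for split-tunnel-policy.
POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")


def tunneled(dst, policy, network_list):
    """Return True if traffic to dst would be sent through the Easy VPN tunnel.

    tunnelall:        everything goes through the tunnel.
    tunnelspecified:  only destinations in the network list are tunneled.
    excludespecified: destinations in the network list BYPASS the tunnel;
                      everything else (including the internet) is tunneled.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown split-tunnel-policy: {policy}")
    addr = ipaddress.ip_address(dst)
    in_list = any(addr in ipaddress.ip_network(n) for n in network_list)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":
        return in_list
    return not in_list  # excludespecified


# Constructed assumption for the thread's BAH-PKI-LAB network list: the office
# LAN behind the ASA and the 10.100.60.0/24 network the poster cannot reach.
BAH_PKI_LAB = ["192.168.0.0/24", "10.100.60.0/24"]

# Sample destinations taken from addresses that appear in the thread.
TEST_DESTINATIONS = {
    "office DNS server": "192.168.0.25",
    "10.100.60 host": "10.100.60.23",
    "public internet": "4.2.2.2",
}


def compare_policies(network_list=BAH_PKI_LAB, destinations=TEST_DESTINATIONS):
    """For each destination, show whether it is tunneled under the policy in the
    poster's config (excludespecified) versus the one MS suggests (tunnelspecified)."""
    return {
        name: {p: tunneled(ip, p, network_list)
               for p in ("excludespecified", "tunnelspecified")}
        for name, ip in destinations.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:18s} {result}")
```

With excludespecified and the office networks in the list, the office subnets bypass the tunnel while internet traffic is tunneled to the ASA, which matches the poster's symptoms and Jouni's note that internet via the tunnel additionally needs NAT on the ASA.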
