Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Pix 501 Ver 6.3


I would first say Thx for all the good reading i got from this page.

I am about to setup a Vpn connect on the firm and I have some question`s about this !

1: Can I setup that only some Mac adresses are aloud to connect via Vpn ?

2: it`s my first time that a config a vpn tunnel, So I would realy appreciate all the help I can get.

This is my config, Please fill free to give me some advice..What port`s the can be open and what don’t need to be open !

Best regards Jonas

Building configuration...

: Saved


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ********** encrypted

passwd *********** encrypted

hostname pixfirewall


clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list inside_outbound_nat0_acl permit ip any

access-list inside_outbound_nat0_acl permit ip any

access-list outside_cryptomap_dyn_20 permit ip any

pager lines 24

logging on

logging timestamp

logging standby

logging trap warnings

logging host inside

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside

ip verify reverse-path interface outside

ip audit name Ytecaudit info action alarm

ip audit name myaudit attack action drop

ip audit name ytecaudit info action alarm

ip audit info action alarm

ip audit attack action alarm

ip local pool Inside

pdm location outside

pdm location inside

pdm location outside

pdm logging warnings 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0 0

route outside 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication secure-http-client

http server enable

http outside

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp enable inside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup RemoteUsers address-pool Inside

vpngroup RemoteUsers idle-time 1800

vpngroup RemoteUsers secure-unit-authentication

vpngroup RemoteUsers password ********

telnet timeout 5

ssh timeout 5

console timeout 0


Re: Pix 501 Ver 6.3

I am not aware of a method to filter traffic based on MAC to enter the VPN tunnel. The crypto access-list is always the IP access-list. Not sure if there is a work around for this.

Regarding what ports can be open depends on what you what to allow the outside/VPN users to access the inside resources. It cannot be generalized for all situations.

CreatePlease to create content