PIX 501 VPN

Forum Index -> comp.dcom.sys.cisco
steve.rochefort@gmail.com (Guest)
Posted: Thu Apr 27, 2006 6:50 pm    Post subject: PIX 501 VPN

I am trying to configure VPN access on a PIX 501. I am taking this job
over from someone and I am confused on what they have already done.
What I need it to do is be able to connect from Windows XP to the PIX
501. Here is my current config. I see it has VPN setup, but what do I
use to connect to it? Where do I assign username and password?

PIX Version 6.1(1)104
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name putt-putt.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.12.5 putt-server
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any host 209.60.40.46 eq 3389
access-list 103 permit tcp any host 209.60.40.46 eq 5631
access-list 103 permit tcp any host 209.60.40.46 eq 5632
access-list 103 permit tcp any host 209.60.40.46 eq www
access-list 103 permit tcp any host 209.60.40.46 eq smtp
access-list 103 permit tcp any host 209.60.40.46 eq 8000
access-list 103 permit tcp any host 209.60.40.46 eq 12005
access-list 103 permit tcp any host 209.60.40.46 eq 12006
access-list 103 permit tcp any host 209.60.40.46 eq pop3
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 209.60.40.46 255.255.255.240
ip address inside 192.168.12.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.254.101-192.168.254.110
pdm location 192.168.12.1 255.255.255.255 inside
pdm location 209.60.40.46 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp putt-server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 putt-server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www putt-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 12005 putt-server 12005 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 12006 putt-server 12006 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5631 putt-server 5631 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 putt-server 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8000 putt-server 8000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 putt-server pop3 netmask 255.255.255.255 0 0
access-group 103 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 209.60.40.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set ARCset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ARCset
crypto map ARCmap 10 ipsec-isakmp dynamic dynmap
crypto map ARCmap client configuration address initiate
crypto map ARCmap client configuration address respond
crypto map dynmap interface outside
isakmp enable outside
isakmp key ****** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup ARCvpn address-pool ippool
vpngroup ARCvpn dns-server putt-server
vpngroup ARCvpn wins-server putt-server
vpngroup ARCvpn default-domain putt-putt.com
vpngroup ARCvpn split-tunnel 101
vpngroup ARCvpn idle-time 1800
vpngroup ARCvpn password ********
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:8b303999056c5d75dfb31fa0313182b6
: end
Chris (Guest)
Posted: Thu Apr 27, 2006 6:50 pm    Post subject: Re: PIX 501 VPN

steve.rochefort@gmail.com wrote:
Quote:
I am trying to configure VPN access on a PIX 501. I am taking this job
over from someone and I am confused on what they have already done.
What I need it to do is be able to connect from Windows XP to the PIX
501. Here is my current config. I see it has VPN setup, but what do I
use to connect to it? Where do I assign username and password?

IIRC, this line has what you need:

vpngroup ARCvpn password ********

The username should be ARCvpn, and the password is encrypted (so I
can't tell you what it is). I've never tried doing authentication this
way, as normally I define a username by defining the vpngroup's name,
and then hand off to a RADIUS server for doing the 'real'
authentication (i.e. having a database of users).
steve.rochefort@gmail.com (Guest)
Posted: Thu Apr 27, 2006 7:50 pm    Post subject: Re: PIX 501 VPN

I tried that with no luck. The way I am testing this is by creating a
connection in Windows XP to VPN to this site. I get an error 800,
unable to establish the VPN connection. Do I need to change anything
in the XP VPN settings, or is default the way to go? Thanks for the
quick response.
steve.rochefort@gmail.com (Guest)
Posted: Thu Apr 27, 2006 9:50 pm    Post subject: Re: PIX 501 VPN

Also, is there a command on the PIX 501 that would do what a "copy
start run" would do?
Walter Roberson (Guest)
Posted: Thu Apr 27, 2006 9:50 pm    Post subject: Re: PIX 501 VPN

In article <1146172945.990303.198770@g10g2000cwb.googlegroups.com>,
steve.rochefort@gmail.com <steve.rochefort@gmail.com> wrote:
Quote:
Also, is there a command on the PIX 501 that would do what a "copy
start run" would do?

"reboot" ;-)
Darren Green (Guest)
Posted: Sun Apr 30, 2006 2:50 pm    Post subject: Re: PIX 501 VPN

steve.rochefort@gmail.com wrote:
Quote:
I am trying to configure VPN access on a PIX 501. I am taking this job
over from someone and I am confused on what they have already done.
What I need it to do is be able to connect from Windows XP to the PIX
501. Here is my current config. I see it has VPN setup, but what do I
use to connect to it? Where do I assign username and password?

snip


Quote:
crypto ipsec transform-set ARCset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ARCset
crypto map ARCmap 10 ipsec-isakmp dynamic dynmap
crypto map ARCmap client configuration address initiate
crypto map ARCmap client configuration address respond
crypto map dynmap interface outside

Steve,

Hi.

Just a quick note. I didn't see any other comment on this but I am
catching up on my news after being offline for a while. Apologies if
someone has sent the same response.

A dynamic crypto map should be assigned to a crypto map, then the crypto
map is assigned to an interface. In the above example the crypto map
(ARCmap) should be on the outside interface, not your dynamic map.

In summary, change:

crypto map dynmap interface outside

to:

crypto map ARCmap interface outside

Regards

Darren
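The binding chain Darren describes (dynamic map -> static crypto map -> interface) is easy to check mechanically. The following script is an added example, not code from the thread or from Cisco: it parses a constructed excerpt modelled on the crypto section posted above, reports when a dynamic map is applied to an interface directly (the exact problem in Steve's config), when a defined crypto map is never applied, and when isakmp is enabled on an interface with no static map, and also flags the single-DES, MD5 and group 1 settings as weak. `fix_binding` rewrites the offending line to the correction Darren gives.

```python
import re

# Constructed excerpt modelled on the crypto section of the config posted in this thread.
PIX_CRYPTO_SNIPPET = """\
crypto ipsec transform-set ARCset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ARCset
crypto map ARCmap 10 ipsec-isakmp dynamic dynmap
crypto map dynmap interface outside
isakmp enable outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

def audit_pix_crypto(config):
    """Check the dynamic-map -> crypto-map -> interface chain and flag weak cipher settings."""
    dyn, static, bound, isakmp_if, errors, warnings = set(), {}, {}, set(), [], []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["crypto", "dynamic-map"]:
            dyn.add(t[2])
        elif t[:2] == ["crypto", "map"] and t[3:4] == ["interface"]:
            bound[t[2]] = t[4]                      # whatever name is applied to an interface
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            static.setdefault(t[2], set())
            if "dynamic" in t:                      # static entry that hands off to a dynamic map
                static[t[2]].add(t[t.index("dynamic") + 1])
        elif t[:2] == ["isakmp", "enable"]:
            isakmp_if.add(t[2])
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and "esp-des" in t:
            warnings.append(f"transform-set {t[3]} uses single DES (esp-des)")
        elif t[:2] == ["isakmp", "policy"] and t[3:] in (["encryption", "des"], ["hash", "md5"], ["group", "1"]):
            warnings.append(f"isakmp policy {t[2]}: weak setting '{' '.join(t[3:])}'")
    for name, iface in bound.items():
        if name in dyn and name not in static:      # the misconfiguration discussed in the thread
            owner = next((s for s, d in static.items() if name in d), "a static crypto map")
            errors.append(f"dynamic map {name} applied directly to {iface}; apply {owner} instead")
    for name in static:
        if name not in bound:
            errors.append(f"crypto map {name} is defined but not applied to any interface")
    for iface in isakmp_if - {i for n, i in bound.items() if n in static}:
        errors.append(f"isakmp enabled on {iface} but no static crypto map is applied there")
    return {"errors": errors, "warnings": warnings}

def fix_binding(config):
    """Rewrite 'crypto map <dynmap> interface X' to apply the static map that references it."""
    owners = {d: s for s, d in re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", config, re.M)}
    return re.sub(r"^crypto map (\S+) interface (\S+)$",
                  lambda m: f"crypto map {owners.get(m[1], m[1])} interface {m[2]}", config, flags=re.M)
```

Run it against a full `write terminal` dump to get the same report; the weak-cipher warnings remain after the binding fix and are a separate modernization item.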
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.