I use the following configuration to allow VPN clients to terminate on PIX. Along with the usual rules about a firewall you need to create a "vpngroup" which contains all the information that is passed to the client and an access control list to list all the internal networks that the clients can pass traffic to. The clients are given an IP address from a pool called "home" in the config.
The clients also need to be given the IP address of the servers on the inside that are performing DNS and WINS if you want them to be able to "view" the inside network. The VPN clients only require the outside address of the PIX, the groupname and the password set up to be allowed to connect through to the company network. I have removed some of the company specific stuff, so if it does not make sense either re-post the query or e-mail me direct for clarification.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sanfran
passwd cisco
hostname pix506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name X.X.X.1 default-gateway
name 192.168.0.0 inside-network
name 192.168.0.1 mail-server
access-list 100 permit tcp any host X.X.X.2 eq smtp
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.3 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool home 172.16.1.1-172.16.1.31
pdm location mail-server 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 110
global (outside) 1 X.X.X.4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.2 mail-server netmask 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 default-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http mail-server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set glasgow
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 default-domain "YOUR DOMAIN NAME"
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
telnet mail-server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:57078d328d36e851c854b4913142d72e
: end

Best of luck,
Steve Wilson
Network Engineer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 27 February 2003 20:38
To: [EMAIL PROTECTED]
Subject: PIX VPN/IPSEC [7:64016]

I have a question regarding the configuration of manual IPSEC. I have to create an access list to define the traffic to protect. I want to connect to my office network from home. I have a DHCP assigned address from my ISP so I can't specify a peer address. So I will use isakmp key ****** address 0.0.0.0 for now. Now as far as the traffic goes. Should I specify protect all traffic or what? What happens when I have multiple remote users? I would like the PIX to be the end point so I can travel over my entire network (email, shares, printers, etc). I'm a little confused on this.. Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64062&t=64016
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
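The reply above hangs together because three separate things point at the same numbers: the `ip local pool`, the destination side of `access-list 110`, and the `nat (inside) 0 access-list 110` exemption, with the pushed `dns-server`/`wins-server` sitting on the source side of that ACL. Those drift apart easily when a pool is enlarged later, so here is an added checker (my own script, not code from Steve's reply, the original poster, or Cisco) that parses the VPN-relevant lines of a PIX 6.x config and reports mismatches, plus the weak settings that are visible in the posted config (`conduit permit icmp any any`, the default `public` SNMP community, `esp-md5-hmac`). Assumptions: the sample config embedded below is a constructed subset of the posted one with the `X.X.X.n` placeholder lines left out (they are not IPv4 addresses and would not parse); the parser only understands the command shapes that appear in the post; the finding codes are names I chose.

```python
"""Cross-check the VPN-client pieces of a PIX 6.x config: address pool inside the split-tunnel
ACL, nat 0 exempting the same flows, pushed DNS/WINS reachable through the tunnel, weak settings."""
import ipaddress

# Constructed sample: the VPN-relevant subset of the posted config, minus X.X.X.n placeholder lines.
SAMPLE_CONFIG = """\
name 192.168.0.0 inside-network
name 192.168.0.1 mail-server
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
ip address inside 192.168.0.254 255.255.255.0
ip local pool home 172.16.1.1-172.16.1.31
nat (inside) 0 access-list 110
conduit permit icmp any any
snmp-server community public
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 split-tunnel 110
"""
# Constructed variant: pool grown to .40 while ACL 110 (a /27) still ends at .31.
MISMATCHED_CONFIG = SAMPLE_CONFIG.replace("172.16.1.1-172.16.1.31", "172.16.1.1-172.16.1.40")


def _take_addr(t, i, names):
    """Consume one ACL address spec at t[i]: 'any', 'host A' or 'A MASK' (A may be a name alias)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(names.get(t[i + 1], t[i + 1])), i + 2
    return ipaddress.IPv4Network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Pick out names, permit ACEs, the inside subnet, local pools, nat 0 and vpngroup attributes."""
    cfg = {"names": {}, "acls": {}, "pools": {}, "nat0": None, "vpngroups": {}, "inside": None, "lines": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        cfg["lines"].append(raw.strip())
        if t[0] == "name":                                   # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":     # access-list <id> permit <proto> <src> <dst>
            src, i = _take_addr(t, 4, cfg["names"])
            dst, _ = _take_addr(t, i, cfg["names"])
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:               # ip local pool <name> <first>-<last>
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"] = t[4]
        elif t[0] == "vpngroup":                             # vpngroup <group> <attr> <value...>
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = " ".join(t[3:])
    return cfg


def check_vpn_config(cfg):
    """Return (code, detail) findings; no pool/nat0/dns codes means the VPN pieces agree."""
    findings = []
    for group, attrs in cfg["vpngroups"].items():
        split_id = attrs.get("split-tunnel")
        acl = cfg["acls"].get(split_id, [])
        pool = cfg["pools"].get(attrs.get("address-pool", ""))
        if pool is None:
            findings.append(("no-pool", f"{group}: address-pool not defined"))
            continue
        addrs = [ipaddress.IPv4Address(n) for n in range(int(pool[0]), int(pool[1]) + 1)]
        # The ACL is written inside -> client, and nat 0 keys on the same ACL, so every pool address
        # must sit on its destination side; replies to an address outside it are not NAT-exempt.
        gaps = [str(a) for a in addrs if not any(a in dst for _, _, dst in acl)]
        if gaps:
            findings.append(("pool-outside-split-acl", f"{group}: {gaps[0]}..{gaps[-1]} not in ACL {split_id}"))
        # nat 0 must reference the same ACL, or inside replies fall through to the catch-all nat 1.
        if cfg["nat0"] != split_id:
            findings.append(("nat0-mismatch", f"{group}: nat 0 uses {cfg['nat0']}, split-tunnel uses {split_id}"))
        # A pushed DNS/WINS server only helps if it lies on the ACL's inside (source) side.
        for key in ("dns-server", "wins-server"):
            if key in attrs:
                ip = ipaddress.IPv4Address(cfg["names"].get(attrs[key], attrs[key]))
                if not any(ip in src for _, src, _ in acl):
                    findings.append((f"{key}-outside-split-acl", f"{group}: {attrs[key]} is {ip}"))
    # Weak settings visible in the posted config; each matching line is reported once.
    weak = {"conduit permit icmp any any": "conduit-icmp-any",
            "snmp-server community public": "snmp-default-community",
            "esp-md5-hmac": "md5-hmac-in-use"}
    for line in cfg["lines"]:
        findings.extend((code, line) for pat, code in weak.items() if pat in line)
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("mismatched", MISMATCHED_CONFIG)):
        for code, detail in check_vpn_config(parse_pix(text)):
            print(f"{label}: {code}: {detail}")
```

Run against the posted subset it reports only the three weak settings; against the constructed variant it additionally flags `172.16.1.32..172.16.1.40` as outside ACL 110, which is exactly the state a PIX ends up in when someone widens the pool for more remote users without touching the ACL. To use it on a real `write terminal` dump, drop or resolve any placeholder addresses first, since the parser does not skip lines it cannot read.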

