Steve, disregard question 1 part 3.. LOL... I just read what the sysopt connection permit-ipsec does. (lets the traffic back out to VPN clients, bypassing the checking of ACLs)
Thanks again

----- Original Message -----
From: [EMAIL PROTECTED]
To: Steve Wilson
Cc: [EMAIL PROTECTED]
Sent: Friday, February 28, 2003 10:36 AM
Subject: Re: PIX VPN/IPSEC [7:64016]

Hey Steve,

Thanks for the config.... I had a few questions if you don't mind?

1. This access list will only use the addresses you specified in the pool "home"? These addresses will be assigned to VPN clients? This will also allow all traffic back out to the VPN client?

access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0

2. The pool of IP addresses I use must obviously be the same as the local subnet and not part of the DHCP scope?

3. I take it you're using Cisco's VPN client 3000 because of your 3des and vpngroup?

Thank you for your help.

A

----- Original Message -----
From: "Steve Wilson"
To: ;
Sent: Friday, February 28, 2003 5:22 AM
Subject: RE: PIX VPN/IPSEC [7:64016]

> I use the following configuration to allow VPN clients to terminate on PIX.
> Along with the usual rules about a firewall you need to create a "vpngroup"
> which contains all the information that is passed to the client and an
> access control list to list all the internal networks that the clients can
> pass traffic to.
> The clients are given an IP address from a pool called "home" in the config.
>
> The clients also need to be given the IP address of the servers on the
> inside that are performing DNS and WINS if you want them to be able to
> "view" the inside network.
> The VPN clients only require the outside address of the PIX, the groupname
> and the password set up to be allowed to connect through to the company
> network.
> I have removed some of the company specific stuff, so if it does not make
> sense either re-post the query or e-mail me direct for clarification.
>
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password sanfran
> passwd cisco
> hostname pix506
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> name X.X.X.1 default-gateway
> name 192.168.0.0 inside-network
> name 192.168.0.1 mail-server
> access-list 100 permit tcp any host X.X.X.2 eq smtp
> access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
> pager lines 24
> logging on
> interface ethernet0 10baset
> interface ethernet1 10baset
> mtu outside 1500
> mtu inside 1500
> ip address outside X.X.X.3 255.255.255.248
> ip address inside 192.168.0.254 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool home 172.16.1.1-172.16.1.31
> pdm location mail-server 255.255.255.255 inside
> pdm logging debugging 100
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list 110
> global (outside) 1 X.X.X.4
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) X.X.X.2 mail-server netmask 255.255.255.255 0 0
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 default-gateway 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http mail-server 255.255.255.255 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> no sysopt route dnat
> crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
> crypto dynamic-map dynmap 10 set transform-set glasgow
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap interface outside
> isakmp enable outside
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup pix506 address-pool home
> vpngroup pix506 dns-server mail-server
> vpngroup pix506 wins-server mail-server
> vpngroup pix506 default-domain "YOUR DOMAIN NAME"
> vpngroup pix506 split-tunnel 110
> vpngroup pix506 idle-time 1800
> telnet mail-server 255.255.255.255 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> Cryptochecksum:57078d328d36e851c854b4913142d72e
> : end
>
> Best of luck,
> Steve Wilson
> Network Engineer
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 27 February 2003 20:38
> To: [EMAIL PROTECTED]
> Subject: PIX VPN/IPSEC [7:64016]
>
> I have a question regarding the configuration of manual IPSEC. I have to
> create an access list to define the traffic to protect.
>
> I want to connect to my office network from home. I have a DHCP assigned
> address from my ISP so I can't specify a peer address. So I will use isakmp
> key ****** address 0.0.0.0 for now.
>
> Now as far as the traffic goes. Should I specify protect all traffic or
> what? What happens when I have multiple remote users? I would like the PIX
> to be the end point so I can travel over my entire network (email, shares,
> printers, etc). I'm a little confused on this..
>
> Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64089&t=64016
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
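As an added example (not from the thread, and not Cisco tooling), the script below audits the VPN-client pieces of a PIX 6.x configuration like the one Steve posted. It checks the points the questions in the thread turn on: every address in the `ip local pool` must fall inside the destination side of the access list that `nat (inside) 0` and `vpngroup ... split-tunnel` both reference (so return traffic is NAT-exempt and the client routes it into the tunnel), the pool must be a subnet of its own rather than part of the inside LAN, and `sysopt connection permit-ipsec` must be present for decrypted client traffic to bypass the interface ACLs. It also flags the 3DES/MD5 ISAKMP and transform-set settings as legacy. `parse_pix`, `audit_vpn`, `acl_dsts`, `pool_hosts` and the embedded `PIX_CONFIG` (a copy of the relevant quoted lines, X.X.X.* placeholders kept) are this example's own assumptions.

```python
"""Added example: audit the VPN-client pieces of a PIX 6.x config.
PIX_CONFIG copies the relevant lines quoted in the thread (X.X.X.* kept as
posted); parse_pix()/audit_vpn() are hypothetical helpers, not Cisco tooling."""
import ipaddress

PIX_CONFIG = """\
name 192.168.0.0 inside-network
access-list 100 permit tcp any host X.X.X.2 eq smtp
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
ip address inside 192.168.0.254 255.255.255.0
ip local pool home 172.16.1.1-172.16.1.31
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
vpngroup pix506 address-pool home
vpngroup pix506 split-tunnel 110
"""
WEAK = ("des", "md5")  # substrings marking legacy ISAKMP/IPsec algorithms


def net(addr, mask):
    """Build a network from a dotted address and a dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Collect only the statements the VPN checks need."""
    c = {"names": {}, "acls": {}, "pools": {}, "nat0_acl": None, "inside": None,
         "sysopt": set(), "vpngroups": {}, "isakmp": {}, "tsets": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":                                 # name <addr> <alias>
            c["names"][p[2]] = p[1]
        elif p[0] == "access-list":                        # access-list <id> <entry...>
            c["acls"].setdefault(p[1], []).append(p[2:])
        elif p[:3] == ["ip", "local", "pool"]:             # ip local pool <name> <a>-<b>
            c["pools"][p[3]] = tuple(p[4].split("-"))
        elif p[:3] == ["ip", "address", "inside"]:
            c["inside"] = net(p[3], p[4])
        elif p[0] == "nat" and p[2:4] == ["0", "access-list"]:   # NAT exemption
            c["nat0_acl"] = p[4]
        elif p[0] == "sysopt":
            c["sysopt"].add(" ".join(p[1:]))
        elif p[0] == "vpngroup":                           # vpngroup <grp> <attr> <val>
            c["vpngroups"].setdefault(p[1], {})[p[2]] = " ".join(p[3:])
        elif p[:2] == ["isakmp", "policy"]:                # isakmp policy <n> <attr> <val>
            c["isakmp"].setdefault(p[2], {})[p[3]] = p[4]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][p[3]] = p[4:]
    return c


def acl_dsts(c, acl_id):
    """Destination networks of each 'permit ip A maskA B maskB' entry, names resolved."""
    return [net(c["names"].get(e[4], e[4]), e[5])
            for e in c["acls"].get(acl_id, []) if len(e) == 6 and e[:2] == ["permit", "ip"]]


def pool_hosts(c, pool):
    """Expand an 'a-b' pool range into its individual addresses."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in c["pools"][pool])
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def audit_vpn(c, group):
    """Return (errors, warnings): errors break client access, warnings are
    legacy settings a reviewer would flag."""
    errors, warnings = [], []
    vg, nat0 = c["vpngroups"][group], c["nat0_acl"]
    pool, split = vg["address-pool"], vg.get("split-tunnel")
    hosts = pool_hosts(c, pool)
    # NAT exemption and split-tunnel must name the same ACL, or return traffic
    # is either NATed on the way out or never routed into the tunnel by the client.
    if split != nat0:
        errors.append(f"nat 0 uses ACL {nat0} but split-tunnel uses {split}")
    dsts = acl_dsts(c, nat0)  # every pool address must fall in the ACL's destination side
    missed = [str(h) for h in hosts if not any(h in d for d in dsts)]
    if missed:
        errors.append(f"pool {pool} addresses outside ACL {nat0}: {missed}")
    if any(h in c["inside"] for h in hosts):  # pool is its own subnet, not part of the LAN
        errors.append(f"pool {pool} overlaps inside network {c['inside']}")
    if "connection permit-ipsec" not in c["sysopt"]:  # else interface ACLs still apply
        errors.append("sysopt connection permit-ipsec is not set")
    for pid, pol in c["isakmp"].items():
        for attr in ("encryption", "hash"):
            if any(w in pol.get(attr, "") for w in WEAK):
                warnings.append(f"isakmp policy {pid} {attr} {pol[attr]} is legacy")
    for name, algs in c["tsets"].items():
        if any(w in a for a in algs for w in WEAK):
            warnings.append(f"transform-set {name} uses legacy algorithms {algs}")
    return errors, warnings
```

Run as `errors, warnings = audit_vpn(parse_pix(PIX_CONFIG), "pix506")`: the posted config produces no errors (the 31 pool addresses all sit in 172.16.1.0/27, the pool is separate from 192.168.0.0/24, and the sysopt is set) and three legacy-algorithm warnings. Widening the pool past .31, pointing `split-tunnel` at a different list, or dropping the sysopt line each produces the corresponding error.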

