I'm setting up a small VPN just for home use so my friends and I can log in remotely via a PIX 501 with 3DES over my cable connection. Now I've got it working, but found a few strange things I had questions about. I have each user set up with the VPNGROUP config lines (I will post the config below); everyone uses the Cisco VPN client to connect. Now I noticed that I never set an isakmp pre-share key, and there is no spot to add one in the Cisco client, only user/pass, which I would think should be needed for secure connectivity. The other setup I did was to have a split tunnel applied to the user when they connect, to only encrypt traffic destined for the local network; any regular internet traffic would still go out the person's internet connection. In testing I tried to get all traffic to flow through the VPN, but I think the PIX prevents traffic coming in on the outside interface from leaving on that same interface (as it would with internet traffic). Any way to do this, or do you need another interface? Also, just wondering if there is a better way to write this config; any other tips are appreciated. Here is an edited config with only the relevant portions.

Thanks for any help,
John

PIX Version 6.3(1)
!
access-list 80 permit ip any host 192.168.1.75
access-list 80 permit ip any host 192.168.1.76
access-list 80 permit ip any host 192.168.1.77
access-list 80 permit ip any host 192.168.1.78
access-list 80 permit ip any host 192.168.1.79
!
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
!
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
!
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
floodguard enable
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
!
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER dns-server
vpngroup VPNUSER default-domain cisco.com
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password ********
vpngroup john address-pool REMOTEUSER
vpngroup john dns-server
vpngroup john default-domain cisco.com
vpngroup john idle-time 1800
vpngroup john password ********
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74367&t=74367
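A hardened version of the ISAKMP and vpngroup portion of the config above, added here as an illustration; it is not from the post and not a Cisco reference config. It keeps only the 3DES/SHA/DH group 2 IKE policy and deletes the DES, group 1 and MD5 policies, which otherwise stay negotiable by any client that proposes them. It also moves the client pool onto its own subnet (192.168.2.0/24, an assumed value) so it no longer overlaps the inside LAN, which collapses the NAT-exemption and split-tunnel ACLs to one line each, and it adds per-user Xauth. On the pre-shared key question: the vpngroup password is the IKE pre-shared key, and it is what the Cisco VPN client sends from its Group Authentication name/password fields; the client prompts for a per-user credential only when Xauth is enabled with `crypto map ... client authentication`. The ACL names, the pool, the username and the placeholder secrets are assumptions. Sending all client traffic back out the outside interface is not something PIX 6.3 does; that needs the `same-security-traffic permit intra-interface` command introduced in PIX 7.0, so on a 501 split tunneling is the option that is available.

```text
! Added example (not from the post): hardened ISAKMP + vpngroup fragment for PIX 6.3.
! Keep one strong IKE policy and delete the DES / DH group 1 / MD5 ones.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
no isakmp policy 20
no isakmp policy 30
no isakmp policy 40
! Clients behind home NAT routers need NAT-T (UDP 4500); 20-second keepalives.
isakmp nat-traversal 20
!
! Assumed: client pool on its own subnet instead of addresses carved out of 192.168.1.0/24.
ip local pool REMOTEUSER 192.168.2.1-192.168.2.254
! One ACL serves both NAT exemption and split tunneling:
! source = protected inside network, destination = client pool.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
! Per-user Xauth against the local user database (assumed username and secret).
crypto map MYMAP client authentication LOCAL
crypto map MYMAP interface outside
username john password <john-secret>
!
! The group password below is the IKE pre-shared key; the VPN client sends it
! from its Group Authentication fields. Each user then authenticates via Xauth.
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER split-tunnel NONAT
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password <group-preshared-key>
```

With the per-user Xauth in place there is no need for a separate `vpngroup john` entry per person: one group carries the shared key and the policy, and the `username` lines carry the individual credentials, so a departed friend is removed with one `no username` rather than a new group secret for everyone.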