Wednesday, March 12, 2008

PIX 7.0: Simple Remote Access VPN

TOPOLOGY:

192.168.201.0 ---- PIX --- (( INTERNET )) ---- home_user

VPN Client Pool = 172.16.1.1 to 172.16.1.254



PIX 7.0/7.1 CONFIGURATION:

access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400

crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO

ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254

group-policy REMOTEACCESS internal
group-policy REMOTEACCESS attributes
 wins-server value 10.1.1.3
 dns-server value 10.1.1.3
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

tunnel-group REMOTEACCESS type ipsec-ra
tunnel-group REMOTEACCESS general-attributes
 address-pool CLIENTPOOL
 default-group-policy REMOTEACCESS
tunnel-group REMOTEACCESS ipsec-attributes
 pre-shared-key CISCO123

crypto map MYMAP interface outside
isakmp enable outside




PIX 7.2 CONFIGURATION:

access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-vpn

crypto isakmp identity address
crypto isakmp nat-traversal

crypto isakmp policy 200
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO

ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254

group-policy REMOTEACCESS internal
group-policy REMOTEACCESS attributes
 wins-server value 10.1.1.3
 dns-server value 10.1.1.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

tunnel-group REMOTEACCESS type ipsec-ra
tunnel-group REMOTEACCESS general-attributes
 address-pool CLIENTPOOL
 default-group-policy REMOTEACCESS
tunnel-group REMOTEACCESS ipsec-attributes
 pre-shared-key CISCO123

crypto map MYMAP interface outside
isakmp enable outside
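The two configurations above differ only in syntax; what a reviewer would flag in either is the same: single DES in the ISAKMP policy and in the transform set, MD5 for ESP integrity, Diffie-Hellman group 2, and the need for the SPLIT list and the REMOTEACCESS group-policy to actually be bound to something. The script below is an added example, not part of the original post. It parses both the flat 7.0/7.1 form ("isakmp policy 200 encryption des") and the 7.2 form ("crypto isakmp policy 200" followed by attribute lines) and reports those points. SAMPLE_CONFIG and HARDENED_CONFIG are constructed inputs: the first reproduces the weak settings and, to exercise the checks, leaves SPLIT unreferenced and omits default-group-policy; the second shows a corrected version with aes-256, sha, group 5, split tunnelling bound to SPLIT and the group-policy bound to the tunnel-group. The severity labels and the group-5 threshold (the strongest IKE group PIX 7.x offers) are my assumptions.

```python
"""Static checker for PIX 7.x remote-access VPN configs (added example, not code
from the original post). Understands both 7.0/7.1 flat and 7.2 nested syntax."""
from collections import defaultdict

# First token of lines that begin a top-level command; any other line is treated
# as an attribute of the preceding top-level line (indented or not).
TOP_LEVEL = {"access-list", "nat", "sysopt", "crypto", "isakmp", "ip",
             "tunnel-group", "group-policy", "interface", "route", "static"}
MIN_DH_GROUP = 5   # assumption: strongest IKE group on PIX 7.x; modern bar is 14+

# Constructed sample mirroring the post's weak settings (not the post's own text).
SAMPLE_CONFIG = """\
access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto isakmp policy 200
 encryption des
 group 2
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
tunnel-group REMOTEACCESS general-attributes
 address-pool CLIENTPOOL
group-policy REMOTEACCESS attributes
 dns-server value 10.1.1.3
"""

# Constructed hardened counterpart: AES-256/SHA, group 5, SPLIT and group-policy bound.
HARDENED_CONFIG = """\
access-list SPLIT standard permit 192.168.201.0 255.255.255.0
crypto isakmp policy 10
 encryption aes-256
 hash sha
 group 5
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
tunnel-group REMOTEACCESS general-attributes
 default-group-policy REMOTEACCESS
group-policy REMOTEACCESS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 vpn-idle-timeout 30
"""


def parse(config_text):
    """Collect ISAKMP policies, transform sets, ACL definitions/uses and the
    tunnel-group / group-policy attributes the checks need."""
    c = {"policies": defaultdict(dict), "transform_sets": {}, "acls": set(),
         "acl_refs": set(), "tg_general": defaultdict(dict),
         "gp_attrs": defaultdict(dict)}
    section = [""]                       # last top-level line seen, tokenised
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] in TOP_LEVEL:
            section = tokens
            if tokens[:2] == ["isakmp", "policy"] and len(tokens) >= 5:
                c["policies"][tokens[2]][tokens[3]] = tokens[4]   # 7.0/7.1 flat form
            elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                c["transform_sets"][tokens[3]] = tokens[4:]
            elif tokens[0] == "access-list":
                c["acls"].add(tokens[1])
            elif "access-list" in tokens[1:]:                      # nat (inside) 0 access-list X
                c["acl_refs"].add(tokens[tokens.index("access-list") + 1])
            continue
        key, value, kind = tokens[0], " ".join(tokens[1:]), section[2:3]
        if section[:3] == ["crypto", "isakmp", "policy"]:          # 7.2 nested form
            c["policies"][section[3]][key] = value
        elif section[0] == "tunnel-group" and kind == ["general-attributes"]:
            c["tg_general"][section[1]][key] = value
        elif section[0] == "group-policy" and kind == ["attributes"]:
            c["gp_attrs"][section[1]][key] = value
            if key == "split-tunnel-network-list":
                c["acl_refs"].add(tokens[-1])
    return c


def check(config_text):
    """Return (severity, message) findings, most severe first."""
    c, f = parse(config_text), []
    for num, a in c["policies"].items():
        if a.get("encryption") == "des":
            f.append(("HIGH", f"isakmp policy {num}: encryption des (56-bit key)"))
        if a.get("hash") == "md5":
            f.append(("MEDIUM", f"isakmp policy {num}: hash md5"))
        if a.get("group", "").isdigit() and int(a["group"]) < MIN_DH_GROUP:
            f.append(("MEDIUM", f"isakmp policy {num}: DH group {a['group']} below group {MIN_DH_GROUP}"))
    for name, transforms in c["transform_sets"].items():
        for t in transforms:
            if t == "esp-des":
                f.append(("HIGH", f"transform-set {name}: {t} (56-bit key)"))
            elif t.startswith("esp-md5"):
                f.append(("MEDIUM", f"transform-set {name}: {t} (MD5 integrity)"))
    for acl in sorted(c["acls"] - c["acl_refs"]):
        f.append(("INFO", f"access-list {acl} is defined but never referenced"))
    for tg, a in c["tg_general"].items():
        if "default-group-policy" not in a:
            f.append(("MEDIUM", f"tunnel-group {tg}: no default-group-policy, so a same-named group-policy is not applied"))
    for gp, a in c["gp_attrs"].items():
        if "vpn-idle-timeout" not in a:
            f.append(("LOW", f"group-policy {gp}: no vpn-idle-timeout"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(f, key=lambda x: rank[x[0]])
```

Run `check(SAMPLE_CONFIG)` to get the seven findings for the weak sample (two HIGH for DES, three MEDIUM, one LOW, one INFO for the unreferenced SPLIT list); `check(HARDENED_CONFIG)` returns an empty list. Feeding it a saved `show running-config` works the same way, since the parser keys on the first token of each line rather than on indentation.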

1 comment:

Unknown said...

There is one product I know of, RHUB http://www.rhubcom.com, Remote Access, which is simple, fast, and secure. It is an appliance, and deployed on premises, you get the security of your own firewall. In addition access is blocked by IP address. So, you don’t even need a VPN.