PIX – VPN – Remote Access

Below are two examples of a remote-access (IPsec client) VPN configuration for the Cisco PIX firewall, one for version 6.x and one for version 7.x.

6.x

(config)#username 123 password 123
(config)#isakmp enable outside
(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 authentication pre-share
(config)#isakmp policy 1 encryption 3des
(config)#isakmp policy 1 hash sha
(config)#isakmp policy 1 group 2
(config)#isakmp policy 1 lifetime 43200

(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
(config)#crypto dynamic-map outside_dyn_map 10 set reverse-route

(config)#crypto map outside_map interface outside
(config)#isakmp nat-traversal
(config)#sysopt connection permit-ipsec

(config)#vpngroup VPNGRP password 123
(config)#vpngroup VPNGRP address-pool VPNIP
(config)#vpngroup VPNGRP idle-time 1200

(config)#isakmp keepalive 30 10
 
(config)#access-list 121 permit ip 192.168.0.0 255.255.255.0 10.0.10.0 255.255.255.0
(config)#nat (inside) 0 access-list 121

7.x

(config)#username 123 password 123
(config)#isakmp enable outside

(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 authentication pre-share
(config)#isakmp policy 1 encryption 3des
(config)#isakmp policy 1 hash sha
(config)#isakmp policy 1 group 2
(config)#isakmp policy 1 lifetime 43200

(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
(config)#crypto dynamic-map outside_dyn_map 10 set reverse-route
(config)#crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

(config)#crypto map outside_map interface outside
(config)#crypto isakmp nat-traversal
(config)#sysopt connection permit-ipsec
 
(config)#group-policy homevpn internal
(config)#group-policy homevpn attributes
(config-group-policy)#dns-server value 172.16.1.11
(config-group-policy)#vpn-tunnel-protocol IPSec
(config-group-policy)#default-domain value test.com
(config)#tunnel-group homevpn ipsec-ra
(config)#tunnel-group homevpn ipsec-attributes
(config-tunnel-ipsec)#pre-shared-key cisco123
(config)#tunnel-group homevpn general-attributes
(config-tunnel-general)#authentication-server-group LOCAL
(config-tunnel-general)#default-group-policy homevpn
(config-tunnel-general)#address-pool VPNIP
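Configurations like the two above are usually typed by hand, and the mistakes that follow are mostly dangling names: a crypto map applied to the interface under a name that has no dynamic entry, an address pool or group-policy referenced in the tunnel-group or vpngroup but never defined, or the nat 0 exemption for the client subnet left out of one of the two variants. The following Python script is an added example, not part of the original page or any Cisco tool; it reads the "(config)#"-style lines shown above, in both the 6.x vpngroup form and the 7.x tunnel-group form, and reports those dangling references together with legacy ISAKMP settings (DES/3DES, MD5, DH groups 1 and 2) and short passwords or pre-shared keys. The two sample configurations embedded in it are constructed for this example: they follow the naming used on this page, but the name mismatches and the missing exemption are introduced deliberately to exercise the checks, and the legacy-setting list is this example's own judgement.

```python
"""Consistency and hygiene checks for PIX remote-access VPN configurations.

Added example, not from the original page: reads "(config)#"-style lines in
both the 6.x vpngroup and 7.x tunnel-group forms and reports dangling
references, legacy ISAKMP settings and short secrets. Samples are constructed.
"""
import re

PROMPT = re.compile(r"^\(config[^)]*\)#\s*")
# ISAKMP settings treated as legacy here: DES/3DES, MD5, DH groups 1 and 2.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
MIN_SECRET_LEN = 8


def lint(text):
    """Return a list of findings (strings) for one configuration."""
    defined = {"pool": set(), "group-policy": set(), "transform-set": set(),
               "dynamic-map": set(), "crypto-map": {}}
    refs, iface_maps, findings, nat_exempt = [], [], [], False
    for raw in text.splitlines():
        t = PROMPT.sub("", raw.strip()).split()   # drop the prompt, tokenise
        if not t:
            continue
        c = " ".join(t)
        if t[:3] == ["ip", "local", "pool"]:
            defined["pool"].add(t[3])
        elif t[0] == "group-policy" and t[-1] == "internal":
            defined["group-policy"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            defined["transform-set"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"]:
            defined["dynamic-map"].add(t[2])
            if "transform-set" in t:
                refs.append(("transform-set", t[t.index("transform-set") + 1], c))
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            defined["crypto-map"][t[2]] = t[t.index("dynamic") + 1]
            refs.append(("dynamic-map", t[t.index("dynamic") + 1], c))
        elif t[:2] == ["crypto", "map"] and "interface" in t:
            iface_maps.append((t[2], c))
        elif t[0] == "vpngroup" and t[2:3] == ["address-pool"]:   # 6.x form
            refs.append(("pool", t[3], c))
        elif t[0] == "address-pool":                             # 7.x form
            refs.append(("pool", t[1], c))
        elif t[0] == "default-group-policy":
            refs.append(("group-policy", t[1], c))
        elif "policy" in t and t[0] in ("isakmp", "crypto"):     # isakmp policy N key val
            i = t.index("policy")
            if len(t) > i + 3 and t[i + 3] in LEGACY.get(t[i + 2], ()):
                findings.append(f"legacy ISAKMP {t[i + 2]} '{t[i + 3]}': {c}")
        elif t[0] == "nat" and "0" in t and "access-list" in t:
            nat_exempt = True
        # Secrets appear on username, vpngroup and pre-shared-key lines.
        for key in ("password", "pre-shared-key"):
            if (key in t and t.index(key) + 1 < len(t)
                    and len(t[t.index(key) + 1]) < MIN_SECRET_LEN):
                findings.append(f"short {key} (< {MIN_SECRET_LEN} chars): {c}")
    for kind, name, c in refs:
        if name not in defined[kind]:
            findings.append(f"undefined {kind} '{name}': {c}")
    for name, c in iface_maps:
        if name not in defined["crypto-map"]:
            findings.append(f"crypto map '{name}' is bound to the interface but has no entry: {c}")
    if not nat_exempt:
        findings.append("no 'nat (inside) 0 access-list' exemption for VPN client traffic")
    return findings


# Constructed 6.x-style sample: the interface binding names "outside_map2"
# while the only dynamic entry lives in "outside_map".
SAMPLE_6X = """\
(config)#username 123 password 123
(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 encryption 3des
(config)#isakmp policy 1 group 2
(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
(config)#crypto map outside_map2 interface outside
(config)#vpngroup VPNGRP address-pool VPNIP
(config)#nat (inside) 0 access-list 121
"""

# Constructed 7.x-style sample: AES and DH group 5 so no legacy finding fires,
# but the pool name is misspelled and the nat 0 exemption is missing.
SAMPLE_7X = """\
(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 encryption aes-256
(config)#isakmp policy 1 group 5
(config)#crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-SHA
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
(config)#crypto map outside_map interface outside
(config)#group-policy homevpn internal
(config-tunnel-ipsec)#pre-shared-key cisco123
(config-tunnel-general)#default-group-policy homevpn
(config-tunnel-general)#address-pool VPNPOOL
"""

if __name__ == "__main__":
    for label, cfg in (("6.x", SAMPLE_6X), ("7.x", SAMPLE_7X)):
        print(label, *lint(cfg), sep="\n  ")
```

Run it as a script to print the findings for each sample, or call lint() on the saved output of show running-config; because the prompts are stripped first, a pasted console session and a bare configuration file are both accepted. Crypto map and dynamic-map names are compared exactly, since the PIX treats them as case-sensitive, which is why a binding written as Outside_map is reported when the entry was created as outside_map.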

Rick Donato
