
PIX - VPN - Remote Access

Below are two examples of a remote access (IPsec client) VPN configuration on the Cisco PIX firewall, one for version 6.x and one for version 7.x.

6.x

(config)#username 123 password 123
(config)#isakmp enable outside
(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 authentication pre-share
(config)#isakmp policy 1 encryption 3des
(config)#isakmp policy 1 hash sha
(config)#isakmp policy 1 group 2
(config)#isakmp policy 1 lifetime 43200

(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
(config)#crypto dynamic-map outside_dyn_map 10 set reverse-route
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

(config)#crypto map outside_map interface outside
(config)#isakmp nat-traversal 20
(config)#sysopt connection permit-ipsec

(config)#vpngroup VPNGRP password 123
(config)#vpngroup VPNGRP address VPNIP
(config)#vpngroup VPNGRP idle-time 1200

(config)#isakmp keepalive 30 10
 
(config)#access-list 121 permit ip 192.168.0.0 255.255.255.0 10.0.10.0 255.255.255.0
(config)#nat (inside) 0 access-list 121

7.x

(config)#username 123 password 123
(config)#isakmp enable outside

(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 authentication pre-share
(config)#isakmp policy 1 encryption 3des
(config)#isakmp policy 1 hash sha
(config)#isakmp policy 1 group 2
(config)#isakmp policy 1 lifetime 43200

(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
(config)#crypto dynamic-map outside_dyn_map 10 set reverse-route
(config)#crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

(config)#crypto map outside_map interface outside
(config)#crypto isakmp nat-traversal
(config)#sysopt connection permit-ipsec
 
(config)#group-policy homevpn internal
(config)#group-policy homevpn attributes
(config-group-policy)#dns-server value 172.16.1.11
(config-group-policy)#vpn-tunnel-protocol IPSec
(config-group-policy)#default-domain value test.com

(config)#tunnel-group homevpn type ipsec-ra
(config)#tunnel-group homevpn ipsec-attributes
(config-tunnel-ipsec)#pre-shared-key cisco123
(config)#tunnel-group homevpn general-attributes
(config-tunnel-general)#authentication-server-group LOCAL
(config-tunnel-general)#default-group-policy homevpn
(config-tunnel-general)#address-pool VPNIP
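Both the 6.x and the 7.x examples hang together only through names that must match exactly: the crypto map must reference a defined dynamic map, the dynamic map must reference a defined transform set, the map bound to the interface must be the one that carries the entries, and the vpngroup or tunnel-group must point at a defined address pool. Object names on the PIX are case-sensitive, so a typo in any of them leaves the VPN silently unusable. The following is an added example, not code from the original page or from Fir3net: a small Python linter that resolves those cross-references over a pasted configuration and also flags the IKE settings a reviewer would question today (3DES, DH group 2). The sample configuration embedded in it is constructed for this example from the 6.x layout above, with two deliberately mismatched map names; the weak-setting table and all function names are assumptions of this example.

```python
import re

# Matches the CLI prompt prefix, e.g. "(config)#" or "(config-tunnel-general)#"
PROMPT = re.compile(r"^\s*\([\w-]+\)#\s*")

# IKE policy settings a reviewer would flag today (table chosen for this example)
WEAK_IKE = {
    ("encryption", "des"): "single DES is broken",
    ("encryption", "3des"): "3DES is deprecated (64-bit block); prefer AES",
    ("hash", "md5"): "MD5 is deprecated for IKE integrity",
    ("group", "1"): "DH group 1 (768-bit) is too weak",
    ("group", "2"): "DH group 2 (1024-bit) is below current guidance",
}


def tokenize(config_text):
    """Strip prompts and split each non-empty config line into tokens."""
    lines = []
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if line:
            lines.append(line.split())
    return lines


def lint(config_text):
    """Return (errors, warnings).

    errors   - dangling or case-mismatched cross-references (names are case-sensitive)
    warnings - orphaned objects and weak IKE policy settings
    """
    errors, warnings = [], []
    defined = {"transform-set": set(), "dynamic-map": set(), "crypto map": set(), "pool": set()}
    refs = []  # (kind, name, original line), resolved once the whole config is read

    for t in tokenize(config_text):
        line = " ".join(t)
        if t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3:
            defined["transform-set"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and len(t) > 3:
            defined["dynamic-map"].add(t[2])
            if "transform-set" in t[3:]:
                refs.append(("transform-set", t[t.index("transform-set") + 1], line))
        elif t[:2] == ["crypto", "map"] and len(t) > 3:
            if t[3] == "interface":            # binds an existing map to an interface
                refs.append(("crypto map", t[2], line))
            else:                              # a map entry; may point at a dynamic map
                defined["crypto map"].add(t[2])
                if "dynamic" in t:
                    refs.append(("dynamic-map", t[t.index("dynamic") + 1], line))
        elif t[:3] == ["ip", "local", "pool"] and len(t) > 3:
            defined["pool"].add(t[3])
        elif t[0] == "vpngroup" and len(t) > 3 and t[2] == "address":   # 6.x style
            refs.append(("pool", t[3], line))
        elif t[0] == "address-pool" and len(t) > 1:                      # 7.x tunnel-group style
            refs.append(("pool", t[1], line))
        elif t[:2] == ["isakmp", "policy"] and len(t) > 4:
            reason = WEAK_IKE.get((t[3], t[4].lower()))
            if reason:
                warnings.append(f"{line}: {reason}")

    # Resolve every reference against the definitions, hinting at case-only mismatches
    for kind, name, line in refs:
        if name not in defined[kind]:
            near = [d for d in defined[kind] if d.lower() == name.lower()]
            hint = f" (case mismatch with '{near[0]}')" if near else ""
            errors.append(f"{line}: {kind} '{name}' is not defined{hint}")

    # Objects that exist but are never used are usually the other half of a typo
    referenced = {name for kind, name, _ in refs if kind == "dynamic-map"}
    for d in sorted(defined["dynamic-map"] - referenced):
        warnings.append(f"dynamic-map '{d}' is defined but no crypto map references it")
    bound = {name for kind, name, _ in refs if kind == "crypto map"}
    for m in sorted(defined["crypto map"] - bound):
        warnings.append(f"crypto map '{m}' is never applied to an interface")
    return errors, warnings


# Constructed sample in the 6.x layout, with two deliberately inconsistent names
SAMPLE_6X = """\
(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0
(config)#isakmp policy 1 authentication pre-share
(config)#isakmp policy 1 encryption 3des
(config)#isakmp policy 1 hash sha
(config)#isakmp policy 1 group 2
(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
(config)#crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
(config)#crypto dynamic-map Outside_dyn_map2 20 set reverse-route
(config)#crypto map outside_map2 interface outside
(config)#vpngroup VPNGRP address VPNIP
"""

# The same sample with the names made consistent
FIXED_6X = SAMPLE_6X.replace("Outside_dyn_map2 20", "outside_dyn_map 10").replace("outside_map2", "outside_map")

if __name__ == "__main__":
    for label, cfg in (("as pasted", SAMPLE_6X), ("fixed", FIXED_6X)):
        errs, warns = lint(cfg)
        print(f"[{label}] {len(errs)} error(s), {len(warns)} warning(s)")
        for msg in errs + warns:
            print("  " + msg)
```

Run it on a `show running-config` capture before and after a change: an empty error list means every map, transform set and pool name resolves, and the remaining warnings are the policy choices you are knowingly keeping.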

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001