Is it correct?

Hi. I have to configure a VPN between a network (1) with a static public IP and a PC connected by ADSL with a dynamic public IP. I would like to know if the configuration that I have prepared is correct. At the moment network (1) is composed of a private network 192.168.77.0 connected to a Firewall PIX 515, version 6.1(3), connected to an ADSL router connected to the internet. The ADSL router (SpeedStream 5660) doesn't support IPSec ESP and IPSec AH, so I decided to set it as a bridge. Because of this I should change the NAT configuration on the PIX, because the network on the outside interface would no longer be private either. I planned to do:

1- Modify the outside interface IP; it would be my static public IP
2- Modify NAT settings; it should translate private IP 192.168.77.0/24 to my static public IP
3- Modify the default route
4- Set the PIX to accept VPN (I found the configuration in a Cisco document):

    sysopt ipsec pl-compatible
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set myset
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    isakmp enable outside
    isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
    isakmp policy 10 authen pre-share
    isakmp policy 10 encrypt des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

5- Install the GreenBow client on the remote PC and set it correctly

I have two more questions:

1- Must I add anything to prevent attacks, because all external traffic will arrive at the PIX?
2- Will I have problems because of the OS version of the PIX?

Thank you, Maurizio


You really should get that updated. If I recall correctly, you are entitled to a free update to 6.1(4) because of security bugs -- but going to 6.3(5)rebuild would be even better.

If you did go to 6.3 then you would not need to go bridge mode: you would just configure isakmp nat-traversal 20 and then the client on the PC would use NAT-T (NAT Traversal) and everything would get encapsulated in UDP. A small MTU loss relative to what you are planning, but a lot easier to manage.

You don't need to set pl-compatible: that is only for compatibility with the VPN tunnels used in PIX 3 and PIX 4.

No more so than before.

Please search cisco's site for "PIX security advisories". 6.1(3) has some known security problems.

Walter Roberson
