PIX 501 VPN

I am trying to configure VPN access on a PIX 501. I am taking this job over from someone and I am confused about what they have already done. What I need it to do is be able to connect from Windows XP to the PIX 501. Here is my current config. I see it has VPN set up, but what do I use to connect to it? Where do I assign the username and password?

PIX Version 6.1(1)104
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name putt-putt.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.12.5 putt-server
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any host 209.60.40.46 eq 3389
access-list 103 permit tcp any host 209.60.40.46 eq 5631
access-list 103 permit tcp any host 209.60.40.46 eq 5632
access-list 103 permit tcp any host 209.60.40.46 eq www
access-list 103 permit tcp any host 209.60.40.46 eq smtp
access-list 103 permit tcp any host 209.60.40.46 eq 8000
access-list 103 permit tcp any host 209.60.40.46 eq 12005
access-list 103 permit tcp any host 209.60.40.46 eq 12006
access-list 103 permit tcp any host 209.60.40.46 eq pop3
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 209.60.40.46 255.255.255.240
ip address inside 192.168.12.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.254.101-192.168.254.110
pdm location 192.168.12.1 255.255.255.255 inside
pdm location 209.60.40.46 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp putt-server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 putt-server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www putt-server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 12005 putt-server 12005 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 12006 putt-server 12006 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5631 putt-server 5631 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 putt-server 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8000 putt-server 8000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 putt-server pop3 netmask 255.255.255.255 0 0
access-group 103 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 209.60.40.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt route dnat
crypto ipsec transform-set ARCset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ARCset
crypto map ARCmap 10 ipsec-isakmp dynamic dynmap
crypto map ARCmap client configuration address initiate
crypto map ARCmap client configuration address respond
crypto map dynmap interface outside
isakmp enable outside
isakmp key ****** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup ARCvpn address-pool ippool
vpngroup ARCvpn dns-server putt-server
vpngroup ARCvpn wins-server putt-server
vpngroup ARCvpn default-domain putt-putt.com
vpngroup ARCvpn split-tunnel 101
vpngroup ARCvpn idle-time 1800
vpngroup ARCvpn password ********
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:8b303999056c5d75dfb31fa0313182b6
: end
Reply to
steve.rochefort

IIRC, this line has what you need:

vpngroup ARCvpn password ********

The username should be ARCvpn, and the password is encrypted (so I can't tell you what it is). I've never tried doing authentication this way, as normally I define a username by defining the vpngroup's name, and then hand off to a RADIUS server for doing the 'real' authentication (i.e. having a database of users).

Reply to
Chris

I tried that with no luck. The way I am testing this is by creating a connection in Windows XP to VPN to this site. I get an error 800, unable to establish the VPN connection. Do I need to change anything in the XP VPN settings, or is the default the way to go? Thanks for the quick response.

Reply to
steve.rochefort

Also, is there a command on the PIX 501 that would do what a "copy start run" would do?

Reply to
steve.rochefort

"reboot" ;-)

Reply to
Walter Roberson

snip

Steve,

Hi.

Just a quick note. I didn't see any other comment on this but I am catching up on my news after being off line for a while. Apologies if someone has sent the same response.

A dynamic crypto map should be assigned to a crypto map, then the crypto map is assigned to an interface. In the above example the crypto map (ARCmap) should be on the outside interface, not your dynamic map.

In summary, change:

crypto map dynmap interface outside

to:

crypto map ARCmap interface outside

Regards

Darren

Reply to
Darren Green
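As an added example (not from the thread or from Cisco), a small Python checker that applies the rule Darren states, a dynamic crypto map must be chained into a static crypto map and only the static map is bound to an interface, to a constructed excerpt of the crypto lines from the config posted above, and that proposes the corrected binding command. It also lists the "isakmp policy" settings (DES, MD5, DH group 1) that are weak by today's standards, so a reviewer taking over a box like this sees them in the same pass. The function names and the SAMPLE_CONFIG excerpt are mine.

```python
import re

# Constructed excerpt of the thread's PIX 6.1 configuration (crypto lines only),
# including the binding Darren's reply flags: the dynamic map applied straight
# to the outside interface instead of the static map that references it.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ARCset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set ARCset
crypto map ARCmap 10 ipsec-isakmp dynamic dynmap
crypto map ARCmap client configuration address initiate
crypto map ARCmap client configuration address respond
crypto map dynmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

# "isakmp policy" settings that are weak by today's standards (assumed list).
WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse_crypto_maps(config_text):
    """Collect dynamic maps, static maps (with the dynamic maps they chain to)
    and interface bindings from PIX-style 'crypto' lines."""
    dynamic_maps = set()
    static_maps = {}   # static map name -> set of dynamic map names it chains to
    bindings = {}      # interface name -> map name from "crypto map X interface Y"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto dynamic-map (\S+) \d+", line)
        if m:
            dynamic_maps.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)", line)
        if m:
            bindings[m.group(2)] = m.group(1)
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp(?: dynamic (\S+))?", line)
        if m:
            static_maps.setdefault(m.group(1), set())
            if m.group(2):
                static_maps[m.group(1)].add(m.group(2))
    return dynamic_maps, static_maps, bindings


def check_crypto_map_binding(config_text):
    """Apply the rule from the thread: only a static crypto map may be bound to
    an interface. Returns one finding per interface that violates it, with the
    corrected command when a static map referencing the bound map exists."""
    dynamic_maps, static_maps, bindings = parse_crypto_maps(config_text)
    findings = []
    for iface, name in bindings.items():
        if name in static_maps:
            continue  # correct: a static crypto map is bound to the interface
        parents = sorted(s for s, dyns in static_maps.items() if name in dyns)
        findings.append({
            "interface": iface,
            "bound": name,
            "dynamic": name in dynamic_maps,
            "fix": f"crypto map {parents[0]} interface {iface}" if parents else None,
        })
    return findings


def weak_isakmp_settings(config_text):
    """List 'isakmp policy' lines whose algorithm choice is in WEAK_ISAKMP."""
    weak = []
    for raw in config_text.splitlines():
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", raw.strip())
        if m and m.group(3) in WEAK_ISAKMP[m.group(2)]:
            weak.append(raw.strip())
    return weak


if __name__ == "__main__":
    for f in check_crypto_map_binding(SAMPLE_CONFIG):
        print(f"{f['interface']}: '{f['bound']}' bound directly; fix -> {f['fix']}")
    for line in weak_isakmp_settings(SAMPLE_CONFIG):
        print("weak:", line)
```

Run against the excerpt it reports the outside interface with the fix "crypto map ARCmap interface outside"; after that one line is changed the binding check comes back empty, which is a quick way to confirm a "show run" after the edit.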

