PIX 501 VPN and Windows 2000

Help, please! This is my first PIX Firewall and VPN config...

I am setting up a VPN for a small company of 5 employees. They have a PIX 501 with version 6.3(1), a 16-port switch, and 3 servers (Windows 2000 and 2003). One Windows 2000 server has MS Exchange and Active Directory set up and is the Domain Controller, with DNS and WINS servers set up. They are currently able to get mail through https...

I want to setup VPN access using the features from the PIX. Scenario:

Client(outside)---->PIX/VPN--->MS DC server--->Internal network

So I want the client at home to connect to the PIX, have the PIX do the initial auth, then go to the Windows DC and allow users to auth and access internal servers and desktops to do work.

My dilemma is:

1> deciding how to configure the PIX to work with Windows clients on the outside interface, and which VPN client to use other than the Cisco VPN Client (which did not come with the software)

2> the proper config on the PIX to work as the endpoint or the pass-through to the Windows 2000 server with Active Directory.

I have read other posts similar to this question, I have searched and read docs on Cisco's site, I have googled, etc. Now I would appreciate human feedback/help.



I'm not 100% sure what you are asking with the DC doing auth. If you want it to be part of the VPN, then you are in for a fun ride. (-;

If you just want it for general Windows Auth, then you are in pretty good shape.

The first VPN I set up on a PIX was a PPTP VPN. This type is pretty simple and easy to set up on the PIX, and MS Windows 2000 and better have a built-in PPTP client. If you are interested in help setting up a PPTP VPN on the PIX, let me know and I can shoot over some sample code.

Once the PPTP VPN is in place, the remote client just becomes a node on the network there at your office. So if you have WINS and DNS set up at the office, the IPs can be sent to the client and it will act just like you were there at the office. So connecting to a server is as easy as \\server-name\share.

Scott Townsend


I would greatly appreciate help setting it up this way. If it has been done and proven, I am game to try it. I want to set up the VPN as painlessly as possible, since this is my first VPN and hands-on with a PIX. So send me the info and any notes you have from your experience.

I currently have it set up through the VPN wizard as Microsoft L2TP with CHAP using local VPDN and certificates. But this was just set up to actually "try" something instead of sitting there looking at the box and doing nothing, LOL. And as for the client, I am looking for something so a remote user working from home or on a laptop on the road can easily configure their system. I have used RealVNC with my previous company, along with an IP address to enter in the browser to get to the VPN... I was not part of the actual setup, so basically I am looking to do a similar thing.

Thanks for helping.


It's hard to tell, since I have IPSec stuff as well as my PPTP in my PIX, but I believe this is all you need for PPTP.

-------------------------
ip local pool remoteVPN
route outside 2
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP client configuration wins
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
vpdn username password
----------------------

You will have to fill in:
outside default GW IP address
IP-DNS-Server1
IP-DNS-Server2 (or remove if you only have 1)
IP-WINS-Server1
IP-WINS-Server2 (or remove if you only have 1)

On the PC side, create a new connection, Connect to VPN/My Workplace. Put in the IP address of the public side of the PIX. I then go into the properties, TCP/IP Properties, Advanced, and then uncheck the Use Remote Gateway. This will allow you to use the Internet while still connected to the VPN.

Give that a whirl and see if that works. Feel free to email me at -i (AT) enm.com

Scott Townsend
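A filled-in version of the PPTP fragment from the post above, added here as an illustration and not taken from the thread, with constructed addresses and the post's 40-bit "mppe 40" line replaced by 128-bit MPPE marked "required" so the PIX refuses clients that would negotiate weaker or no encryption. Assumed: the inside LAN is 192.168.1.0/24, the DC at 192.168.1.10 serves both DNS and WINS, the client pool is a separate 192.168.10.0/24 range, the outside default gateway is the placeholder 203.0.113.1, and jdoe/CHANGE-ME is a placeholder account.

```cisco
: Constructed example values, not the poster's configuration.
: Address pool handed to dial-in clients; kept distinct from the inside LAN.
ip local pool remoteVPN 192.168.10.1-192.168.10.20
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: Let PPTP (TCP 1723 plus GRE) terminate on the PIX without an outside ACL entry.
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
: The post used "mppe 40"; 128-bit with "required" rejects weaker sessions.
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
: One DNS and one WINS server (the DC); a second address may follow each.
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.10
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.10
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
: One local account per remote user; CHANGE-ME is a placeholder password.
vpdn username jdoe password CHANGE-ME
vpdn enable outside
```

With "required" set, the Windows connection must have data encryption enabled on its Security tab, otherwise the PIX drops the session during PPP negotiation.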

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.