Hi All,
My company recently made a number of infrastructure changes and subsequently we have a spare PIX 506E and an SHDSL connection with 1 public IP address.
My thought was to set it up for dedicated VPN access. So I put the modem into bridged mode and connected it to the pix. The default config was restored on the PIX so I've since set up the basics like interface addresses, PPPoe, VPN etc.
It responds to ping internally/externally and accepts/authenticates VPN users however there is no network throughput for VPN users.
My guess is it will be an ACL or routing issue but unfortunately I do not have enough experience with Cisco to work out the correct entries required.
Any assistance would be appreciated. Here's a copy of my config:
Building configuration... : Saved : PIX Version 6.3(3) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password **************** encrypted passwd **************** encrypted hostname pixfirewall domain-name mycompany.local fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list mycompany_splitTunnelAcl permit ip 192.168.30.0
255.255.255.0 any access-list inside_outbound_nat0_acl permit ip 192.168.30.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list outside_cryptomap_dyn_20 permit ip any 192.168.100.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 203.214.68.34 255.255.255.0 pppoe ip address inside 192.168.30.15 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool mycompanyVPNpool 192.168.100.100-192.168.100.150 pdm history enable arp timeout 14400 nat (inside) 0 access-list inside_outbound_nat0_acl timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 192.168.30.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map client authentication LOCAL crypto map outside_map interface outside isakmp enable outside isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup mycompany address-pool mycompanyVPNpool vpngroup mycompany dns-server 192.168.30.2 vpngroup mycompany wins-server 192.168.30.2 vpngroup mycompany split-tunnel mycompany_splitTunnelAcl vpngroup mycompany idle-time 1800 vpngroup mycompany password ******** telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group mycompany request dialout pppoe vpdn group mycompany ppp authentication pap vpdn username mycompanymelb password ********* username ******* password **************** encrypted privilege 5 username ******* password **************** encrypted privilege 15 terminal width 80 Cryptochecksum:10ff7fdd2160cd3262a90e6e01638152 : end [OK]