Please help with Pix 501

Ladies and Gents I need some help. I know Cisco switches, 6500 series, RSMs, Cisco APs and 3000 series Concentrators pretty well, but this Pix Firewall/VPN is kicking my butt. I have no experience with firewalls and very limited experience with ACLs. Please help, I have searched and read and read but it is just not coming together for me. It is times like these that I question if I am in the wrong career. Here is my network and what I am trying to accomplish.

Network: Cable modem to Pix 501 (outside int DHCP, running 6.3(1) code), Pix to my network (inside int 192.168.69.1/24). Network is 192.168.69.X/24.

On said network I have the following:

3 PCs, a Linksys AP, Vonage Router, an XP Pro PC with an FTP server running, some internet IP cameras and a few other things. I am using a Cisco VPN client to VPN in.

And this is what I am trying to accomplish: I travel a little and want to be able to get to my network resources at home while on the road. I want to be able to VPN into my home network from any IP, and get to my FTP server, IP cameras, telnet to AP/Vonage/Pix, and PCs via Remote Assistance/Remote Desktop (basically just as if I were at home). I also would like to keep everything blocked coming into my network except ICMP requests/replies and of course a VPN tunnel or two (for family to be able to VPN in for pictures, etc). As far as outgoing traffic, I am not worried about blocking anything. I also run a DHCP server (192.168.69.100-120) on the Pix for everything on the network. It doesn't matter to me what IP range the tunnels get as long as they can do everything above.

With my current config I am able to get the VPN tunnel up and can get to my IP cameras but that is it. No ping, telnet, no access to FTP, nothing else. It is driving me nuts. Below is my current half working config. Please help me.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname MillsVPN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipool 172.26.69.10-172.26.69.25
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MillsVPN address-pool ipool
vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
vpngroup MillsVPN idle-time 6000
vpngroup MillsVPN password XXXXXXXX
vpngroup dns-server idle-time 1800
telnet 192.168.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.69.100-192.168.69.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1e6e58b0056882b0a6f5580abaf8d33d
: end
-- millsusaf

You should upgrade to a 6.3(4) due to security issues. The upgrade is free even if you have no support contract.

How will you deal with the changing IP address of your outside interface? DHCP'd outside addresses are somewhat incompatible with acting as a VPN server.

In order to implement the restrictions above, you will need to remove your sysopt connection permit-ipsec statement (which permits ipsec traffic to connect to everything) and instead add in the appropriate restrictions to your outside ACL.

That's possibly the cause of your trouble. Look at the 'mask' parameter.


The DNS servers you are setting are in the USA. If you are living in the USA then unless you are a banned person you are entitled to a free 3DES / AES license key. [The other encryption provisions about possibly being a national of an enemy country, have to do with -exporting- encryption from the USA.] On the other hand, you did not mention where you travel to... traveling outside USA with your VPN client is "exporting" for which there are special considerations...

-- Walter Roberson

->The only code I can find on Cisco is 6.3(5) and from what I have read it is the latest code for the Pix 501. Is this right? I would hate to load the wrong code. Looking for confirmation.


->I know that the DHCP outside int isn't ideal, but my cable modem bill would more than double for a static, so unfortunately I have to deal with it. I am getting around it this way: if I can't connect (once working totally) I will have the wife check on the IP by telnetting to the PIX and using the show IP command, getting that new address and changing it in my VPN client.

-> >ip local pool ipool 172.26.69.10-172.26.69.25

As for the IP mask, I read the doc and the way I read it, it states that by default the pix puts a /24 mask if nothing is entered (based on class of network). However I have tried to manually add a /24, but it is not allowing me to.

->As for my ACL, can someone scrub over this attempt? I don't think it is correct. I tried to go through it on the Pix but the help is nothing like it is on the switches.

access-list 101 permit icmp 0.0.0.0 0.0.0.0 outside
access-list 101 permit icmp outside 0.0.0.0 0.0.0.0
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
access-list 101 permit ip 172.26.69.0 255.255.255.9 192.168.69.0 255.255.255.0
access-list 101 deny any any

global (outside) 1 interface access-list 101

->According to this I have AES, I will just have to figure out how to turn it on.

Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled

I do travel outside the US occasionally, but only on official DoD business, and am usually on DoD bases.

Thanks

-- millsusaf

In article , millsusaf wrote:
:->The only code I can find on Cisco is 6.3(5) and from what I have read
:it is the latest code for the Pix 501. Is this right?

Yes. But people who stick with x.y(1) often do not have access to the software downloads, so I reported on the newest version that one can update to for free. 6.3(5) is a bug-fix release, not a security release, so it isn't covered by Cisco's free-update policies.

:->I know that the DHCP outside int isn't ideal, but my cable modem bill
:would more than double for a static so unfortunately I have to deal
:with it. I am getting around it by if I can't connect (once working
:totally) I will have the wife check on the IP by telnetting to the PIX
:and the show IP command, getting that new address and changing it in my
:VPN client.

Consider using dyndns.

:-> >ip local pool ipool 172.26.69.10-172.26.69.25
:As for the IP mask, I read the doc and the way I read it, it states
:that by default the pix puts a /24 mask if nothing is entered (based on
:class of network). However I have tried to manually add a /24, but it
:is not allowing me to.

What syntax did you use? PIX 6.x does not accept the slash notation for masks in any context.

:->As for my ACL, can someone scrub over this attempt? I don't think it
:is correct.

:global (outside) 1 interface access-list 101

You are right, the ACL is mostly wrong, probably because you are fuzzy on what you are trying to do with it. The 'global' command does not accept access lists.

Some specific hints for ACLs:

- use 'any' instead of '0.0.0.0 0.0.0.0'

- use 'interface outside' instead of 'outside'

- the only place you need to write ACLs to explicitly match both forward and reverse traffic, is for use with 'capture'. For all other cases, you write it in one direction only, and the PIX knows how to read it "backwards" if it needs to.

- every ACL ends with a default deny of everything, so you do not need to put one in (unless you want hitcounts or want to 'log' it differently.)

:->According to this I have AES, I will just have to figure out how to
:turn it on.
:VPN-3DES-AES: Enabled

Add another transform set that uses esp-aes-256 hmac-sha and on your 'crypto map MAP # set transform-set' line give the name of that transform set first. Also, create an additional isakmp policy with a lower number than your existing one, that uses aes-256 sha group 5.

-- Walter Roberson
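The ACL hints above, turned into a small checker (an added example, not code from the thread or from Cisco). It scans PIX 6.x lines for the specific mistakes discussed in this thread and runs over the poster's own ACL attempt as constructed sample input; the classful default for an unmasked pool and the list of protocol keywords are assumptions.

```python
"""Lint PIX 6.x lines for the ACL mistakes discussed in this thread.
Added example, not from the thread or from Cisco: 'any' not '0.0.0.0 0.0.0.0',
'interface outside' not a bare 'outside', no reverse-direction ACEs, no
explicit final deny, 'global' takes no access-list, masks must be contiguous,
and an 'ip local pool' without 'mask' gets a (assumed classful) default."""
import ipaddress

IFACES = {"inside", "outside"}       # nameif names in the posted config
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ah", "gre"}

def classful_mask(addr: str) -> str:
    """Default mask for 'ip local pool' when 'mask' is omitted (assumed classful)."""
    first = int(addr.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"

def valid_mask(mask: str) -> bool:
    """A netmask is a run of 1-bits then 0-bits; 255.255.255.9 is not one."""
    try:
        inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    except ValueError:
        return False
    return inv & (inv + 1) == 0

def take_addr(tok, i):
    """Consume one address operand at tok[i]; return (operand, next index)."""
    t = tok[i]
    if t in IFACES:                  # bare interface name used as an address
        return "bare " + t, i + 1
    if t == "any" or i + 1 >= len(tok):
        return t, i + 1
    return t + " " + tok[i + 1], i + 2   # 'host X', 'interface X' or 'NET MASK'

def _net(side):
    """Key for spotting an ACE that is the reverse of an earlier one."""
    w = side.split()
    return side if w[0] in ("host", "interface", "bare", "any") else w[0]

def lint(config: str):
    """Return (line_no, check, message) triples for every problem found."""
    out, seen = [], {}
    for n, raw in enumerate(config.strip().splitlines(), 1):
        tok = raw.split()
        if tok[:1] == ["global"] and "access-list" in tok:
            out.append((n, "global-acl", "'global' does not accept an access-list"))
        if tok[:3] == ["ip", "local", "pool"] and "mask" not in tok:
            first = tok[4].split("-")[0]
            out.append((n, "pool-mask", f"no 'mask'; default for {first} would be {classful_mask(first)}"))
        if tok[:1] != ["access-list"] or len(tok) < 5 or tok[2] not in ("permit", "deny"):
            continue
        name, action, proto, i = tok[1], tok[2], tok[3], 4
        if "0.0.0.0 0.0.0.0" in raw:
            out.append((n, "use-any", "write 'any' instead of '0.0.0.0 0.0.0.0'"))
        if proto not in PROTOCOLS:   # e.g. 'deny any any' with no protocol keyword
            out.append((n, "missing-protocol", "an ACE needs a protocol, e.g. 'ip'"))
            proto, i = "ip", 3
        src, i = take_addr(tok, i)
        dst, i = take_addr(tok, i)
        for w in (src.split(), dst.split()):
            if w[0] == "bare":
                out.append((n, "bare-interface", f"write 'interface {w[1]}', not '{w[1]}'"))
            elif len(w) == 2 and w[0] not in ("host", "interface") and not valid_mask(w[1]):
                out.append((n, "bad-mask", f"{w[1]} is not a valid netmask"))
        if action == "deny" and src == dst == "any":
            out.append((n, "explicit-deny", "ACLs end in an implicit deny; keep this only for hit counts or 'log'"))
        key = (name, proto, _net(src), _net(dst))
        rev = (name, proto, _net(dst), _net(src))
        if rev in seen and src != dst:
            out.append((n, "reverse-ace", f"reverse of line {seen[rev]}; the PIX matches return traffic itself (only 'capture' needs both directions)"))
        seen.setdefault(key, n)
    return out

# Constructed sample: the ACL attempt posted above plus the unmasked pool line.
SAMPLE = """access-list 101 permit icmp 0.0.0.0 0.0.0.0 outside
access-list 101 permit icmp outside 0.0.0.0 0.0.0.0
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
access-list 101 permit ip 172.26.69.0 255.255.255.9 192.168.69.0 255.255.255.0
access-list 101 deny any any
global (outside) 1 interface access-list 101
ip local pool ipool 172.26.69.10-172.26.69.25"""

if __name__ == "__main__":
    for line_no, check, msg in lint(SAMPLE):
        print(f"line {line_no}: [{check}] {msg}")
```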

Normally I like to figure these things out, but I am very busy lately and just don't have any more time to spend on it. In addition I am going out of town Monday morning for a couple of days and would like to get this working before I leave, so I am throwing in the towel.

If someone can write me a 100% functional config that does everything I want from my original post I will give them $50 upon confirmation that the config works. I can paypal the funds or send a money order, your choice. I am a man of my word, and will send the money. If you are serious about writing the config, and need a warm fuzzy I will supply you with my ebay username so you can see my feedback (it shows my good character). $50 isn't a lot of money, but I think fair for the 10 minutes it will take someone who knows what the heck they are doing. Thanks, hopefully someone jumps on this soon.

-- millsusaf

In article , millsusaf wrote:
:If someone can write me a 100% functional config that does everything I
:want from my original post I will give them $50 upon confirmation that
:the config works.

We can't do that without knowing the internal IP addresses. Without those, the best we could do (without chance) would be a configuration that worked 100% for some location that remarkably resembled yours in structure but not in detail.

It's your sentence about keeping everything blocked except for the things you listed that is the problem: that sentence disallows the use of sysopt connection permit-ipsec to bypass ACLs for VPNs. Because we can't bypass them, we need to know the internal details so we know what to permit them to.

-- Walter Roberson

In article , millsusaf wrote:
:If someone can write me a 100% functional config that does everything I
:want from my original post

Changes from your original configuration are marked with '-->'. On each of those lines, strip off the '--> ' but if that is followed by a ':' then leave the ':' -- it is a comment marker.

PIX Version 6.3(1)
--> : this took noticeably more than 5 minutes, mostly to write the comments
--> : Adjusting for your DNS issue was the other main complication. Other
--> : than second-guessing what you really wanted to do...
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname MillsVPN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
--> : Part of your posting implied that VPN traffic should be narrowly
--> : restricted, such as only FTP to the FTP server. We cannot configure
--> : that for you without knowing the inside IP addresses and a complete
--> : list of services you want to each one. Thus this configuration
--> : is not 100% what you asked for, because it allows VPN traffic
--> : to reach everything inside your internal network
--> : you asked for all ICMP request/response to be permitted into your
--> : network. That is not secure so I have only provided for the useful ICMP
--> access-list out2in permit icmp any interface outside echo-reply
--> access-list out2in permit icmp any interface outside unreachable
--> access-list out2in permit icmp any interface outside time-exceeded
--> : you wanted some undefined VPN tunnels for your family but did not
--> : tell us anything about them, and did not tell us whether you
--> : wanted them to terminate on the PIX or on some inside host.
--> : If they are to terminate on an inside host, you would need
--> : to permit in more traffic in out2in, but you would also have
--> : problems in getting the traffic to the correct inside host because
--> : you do not have more than one public IP address and you cannot
--> : forward ESP or GRE from the outside interface to something inside,
--> : at least not gracefully.
--> : Anyhow, this configuration is not 100% what you asked for
--> : because it does not allow for those VPN tunnels that you did
--> : not give us enough information to configure.
--> : your vpngroup sets DNS servers that are outside your local network
--> : but your client cannot normally reach those because normally -all-
--> : traffic goes to the PIX, and PIX 6.x will -never- turn traffic around
--> : and permit it out the same interface it came in on, even if the
--> : traffic came in as VPN traffic and is going out as DNS traffic.
--> : therefore in order for your choice of DNS server to be useful, we
--> : must exclude the DNS servers from going through the tunnel and instead
--> : have the client PC talk directly to those DNS servers and hope that
--> : those DNS servers are willing to answer random DNS queries on our
--> : behalf. If you did not intend that your VPN client should have useful
--> : access to outside DNS, you would not include a vpngroup dns-server
--> : statement. If you do need useful DNS then rather than counting on
--> : your rr.com DNS server and counting on the random local ISP to
--> : pass the packets all the way to rr.com, you would normally install
--> : an internal DNS server and refer to that.
--> : Note: in order to gain the access to the rr.com DNS servers through
--> : the split-tunnel configuration, the VPN client will have to have
--> : the checkbox option ticked to request split tunneling. Both parts
--> : must be in place: the server must be configured for split tunnel
--> : and the client must be configured to ask the server for split tunnel.
--> access-list split_vpn_acl deny ip host 24.31.195.63 any
--> access-list split_vpn_acl deny ip host 24.31.195.64 any
--> : the next statement just means that everything not denied above should
--> : be sent by the VPN client through the VPN tunnel to the PIX. It does
--> : NOT in itself permit any outside traffic to access anything.
--> access-list split_vpn_acl permit ip any any
pager lines 24
--> : you wanted ICMP request/reply into your network. If you want to
--> : be able to ping the PIX itself from outside, uncomment the next statement
--> : icmp permit any echo outside
--> icmp permit any echo-reply outside
--> icmp permit any unreachable outside
--> icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
--> : the default mask for 172.26 would be 255.255.0.0
--> ip local pool ipool 172.26.69.10-172.26.69.25 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
--> : this activates the outside ACL
--> access-group out2in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
--> : you can run into MTU problems if you do not restrict the TCP MSS
--> : because after the VPN layers, the packet can exceed the 1500
--> : bytes of your MTU
--> sysopt connection tcpmss 1348
crypto ipsec transform-set myset esp-des esp-md5-hmac
--> : you do not NEED to allow AES, but we were talking about it...
--> crypto ipsec transform-set mysetAES esp-aes-256 esp-sha-hmac
--> crypto dynamic-map dynmap 10 set transform-set mysetAES myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
--> : if you do not use hostname instead of address, then you will have
--> : difficulties when your ISP changes your IP underneath you
--> isakmp identity hostname
isakmp nat-traversal 20
--> : again you do not need AES, but we were talking about it.
--> isakmp policy 7 authentication pre-share
--> isakmp policy 7 encryption aes-256
--> isakmp policy 7 hash sha
--> isakmp policy 7 group 5
--> : a full day, 86400 seconds, seems a bit much idle time for a VPN
--> : client so I dropped it to one hour
--> isakmp policy 7 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
--> : you probably want a shorter lifetime, as per above
isakmp policy 10 lifetime 86400
vpngroup MillsVPN address-pool ipool
vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
vpngroup MillsVPN idle-time 6000
vpngroup MillsVPN password XXXXXXXX
--> : this to allow the PC client to reach the DNS server you defined
--> vpngroup MillsVPN split-tunnel split_vpn_acl
--> : you had vpngroup dns-server idle-time at this point, which would
--> : be for a vpngroup named 'dns-server'.
--> vpngroup MillsVPN idle-time 1800
telnet 192.168.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.69.100-192.168.69.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

-- Walter Roberson

I was also wondering about the DynDNS thing. From what I read on their site, it requires a client to be installed on a PC. Obviously this PC would need to be on constantly to update the system properly. How would this work in my situation when the IP address I am trying to get to is the Pix external int? Does the client know that the PC it resides on is part of a larger network?

-- millsusaf

Walter,

Thanks for the help, as long as it works the $50 is yours. You are correct; I wasn't as specific as I should have been, sorry about that. The DNS servers are my ISP's; that entry was there because I was trying to follow a Cisco config I found. I did not realize they were not supposed to be there. I have no reason to get to those DNS servers outside my network. Therefore anything referencing those DNS servers should be taken out.

I am sorry, I was trying to convey that all VPN tunnels should be wide open to anything on the network. As for the family accounts, I also want them to be wide open to the network. Two accounts would be fine, "FamilyA" and "FamilyB".

As for the ICMP requests/replies, the only thing I want to be able to ping from the internet is the external int. However I do want the ability to ping everything on my network once a VPN tunnel is created.

Once I upgrade the Pix to 6.3(5), I definitely want the AES. Is the policy 7's for AES and the 10's for the old MD5? Let me know if you need more info. Thanks

Brian

-- millsusaf

In article , millsusaf wrote:
:I was also wondering about the DynDNS thing. From what I read on their
:site, it requires a client to be installed on a PC. Obviously this PC
:would need to be on constantly to update the system properly.

Not -constantly- on -- but the client needs to run at the frequency of the maximum delay you are willing to tolerate before the IP is updated. For example, if you don't mind waiting half an hour for dyndns to catch up with an IP address change, then the client only needs to run every half an hour.

:How
:would this work in my situation when the IP address I am trying to get
:to is the Pix external int? Does the client know that the PC it
:resides on is part of a larger network?

All the client has to know is your login name and password and the relevant domain name. The client connects to dyndns.com and says "I'm here!"... passing through the NAT translation to the outside IP address as it does that. dyndns.com reads off sender's IP address from the packet -- which will be the translated IP address. Which is exactly the address that needs to be registered in the DNS tables. It doesn't matter how many layers of translation that the client has to go through, as long as the final translation is the one that external systems should be using to contact you.

-- Walter Roberson

In article , millsusaf wrote:
:I am sorry, I was trying to convey that all VPN tunnels should be wide
:open to anything on the network. As for the family accounts, I also
:want them to be wide open to the network. Two accounts would be fine,
:"FamilyA" and "FamilyB".

Will the family accounts also be using the Cisco VPN client? Or will they be using Microsoft's client (PPTP) ? What is *your* security policy on whether the family should be able to use their systems to talk to other sites (e.g., yahoo IM) at the same time as they are communicating with your systems? It is more convenient to them if they can connect to you and do other things at the same time, but the risk to you is higher: their systems might be under remote control, so if they are allowed to communicate with another system at the same time they are communicating with your network, -potentially- their systems could be used to compromise your system (especially since you don't want any restrictions on what they can connect to inside your network.)

:Once I upgrade the Pix to 6.3(5), I definitely want the AES.

AES came in in 6.2; you do not need an upgrade for it.

:Is the
:policy 7's for AES and the 10's for the old MD5?

There are two layers for IPSec encryption, "Phase 1" and "Phase 2". The isakmp policy statements control "Phase 1" encryption, which has to do with the process of negotiating shared session keys. "Phase 2" encryption is for the data traffic, and that is controlled by the crypto map's 'set transform-set'. The mysetAES transform set is there to use AES-256 for Phase 2.

The choice is not, by the way, AES vs MD5, but rather AES vs DES (or 3DES), and MD5 vs SHA. MD5 is weaker than SHA (even taking into account the known issues with each).

AES-256 is a 256 bit encryption; AES-128 is a 128 bit encryption; 3DES turns out to only be 112 bit encryption (not 168 like it might sound); DES is 56 bit encryption. AES is a simpler algorithm and runs about half again as fast on the PIX 501 as 3DES does.

I'll put together the config changes later... it appears to be my turn to cook.

-- Walter Roberson
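The Phase 1 / Phase 2 selection described above, as an added example that is not part of the thread. It assumes, per Cisco's documented IKE behaviour, that the PIX walks its own isakmp policies lowest number first and takes the first one matched by any client proposal, and likewise the first transform set in dynamic-map order that the client offers; the key-strength figures are the ones stated above and the client profiles are constructed.

```python
"""Model Phase 1 / Phase 2 negotiation for the isakmp policies and transform
sets in this thread. Added example, not from the thread or from Cisco.
Assumption: the responder (the PIX) walks its own isakmp policies in priority
order (lowest number first) and accepts the first one matched by any client
proposal; for Phase 2 it takes the first transform set named on the dynamic
map that the client also offers."""

# Effective key strength in bits, as stated in the thread
STRENGTH_BITS = {"aes-256": 256, "aes-128": 128, "3des": 112, "des": 56}

# 'isakmp policy <n> ...' lines from the posted config: (priority, enc, hash, group, lifetime)
PIX_ISAKMP = [(7, "aes-256", "sha", 5, 3600), (10, "des", "md5", 2, 3600)]
# 'crypto dynamic-map dynmap 10 set transform-set mysetAES myset', in that order
PIX_TRANSFORMS = [("mysetAES", "aes-256", "sha"), ("myset", "des", "md5")]

def phase1(pix_policies, client_proposals):
    """Lowest-numbered PIX policy whose (enc, hash, group) the client proposes."""
    for prio, enc, hsh, grp, _lifetime in sorted(pix_policies):
        if (enc, hsh, grp) in client_proposals:
            return prio, enc, hsh, grp
    return None                      # no common Phase 1 policy: tunnel never comes up

def phase2(pix_sets, client_sets):
    """First transform set in dynamic-map order that the client also offers."""
    for name, enc, auth in pix_sets:
        if (enc, auth) in client_sets:
            return name, enc, auth
    return None

def negotiate(pix_policies, pix_sets, client_p1, client_p2):
    """Return {'phase1', 'phase2', 'weakest_bits'}, or None if either phase fails."""
    p1 = phase1(pix_policies, client_p1)
    p2 = phase2(pix_sets, client_p2)
    if p1 is None or p2 is None:
        return None
    # The tunnel is only as strong as the weaker of the two negotiated ciphers.
    return {"phase1": p1, "phase2": p2,
            "weakest_bits": min(STRENGTH_BITS[p1[1]], STRENGTH_BITS[p2[1]])}

def without_policy(policies, priority):
    """Model of 'no isakmp policy <priority>': drop that policy from the list."""
    return [p for p in policies if p[0] != priority]

# Constructed client profiles: a current client offering both suites, and a
# legacy one that only speaks DES/MD5.
FULL_CLIENT_P1 = {("aes-256", "sha", 5), ("des", "md5", 2)}
FULL_CLIENT_P2 = {("aes-256", "sha"), ("des", "md5")}
LEGACY_P1 = {("des", "md5", 2)}
LEGACY_P2 = {("des", "md5")}

if __name__ == "__main__":
    print(negotiate(PIX_ISAKMP, PIX_TRANSFORMS, FULL_CLIENT_P1, FULL_CLIENT_P2))
    print(negotiate(PIX_ISAKMP, PIX_TRANSFORMS, LEGACY_P1, LEGACY_P2))
    # With policy 10 and 'myset' removed, the legacy client can no longer connect.
    print(negotiate(without_policy(PIX_ISAKMP, 10), PIX_TRANSFORMS[:1], LEGACY_P1, LEGACY_P2))
```

Keeping policy 10 and the 'myset' transform set means a client that only proposes DES/MD5 still gets a 56-bit tunnel; the AES policy being numbered 7 only makes it the preferred choice, not the only one.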

Yes, the family accounts will also be using a Cisco client. As for the security, lock 'em down. The only reason they would be connected to me would be to upload/download pictures etc. While doing that, they don't need to be doing other things. In addition, they are not security conscious and I would probably end up with a virus. AES-256 sounds good to me. Thanks

-- millsusaf

Updated as per discussion postings. Really the only thing keeping your config from being useful before was likely the 'mask' parameter on your 'ip local pool' command.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname MillsVPN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
pager lines 24
--> : as per your clarification, you do not need any of the extra ACLs
--> : I put in before
--> : this allows the external ping you wanted
--> icmp permit any echo outside
--> : this helps allow your inside hosts to ping to outside
--> icmp permit any echo-reply outside
--> : these help allow inside hosts to be told of unavailable systems
--> icmp permit any unreachable outside
--> icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
--> : the default mask for 172.26 would be 255.255.0.0
--> ip local pool ipool 172.26.69.10-172.26.69.25 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
--> : you can run into MTU problems if you do not restrict the TCP MSS
--> : because after the VPN layers, the packet can exceed the 1500
--> : bytes of your MTU
--> sysopt connection tcpmss 1348
crypto ipsec transform-set myset esp-des esp-md5-hmac
--> : you do not NEED to allow AES, but we were talking about it...
--> crypto ipsec transform-set mysetAES esp-aes-256 esp-sha-hmac
--> crypto dynamic-map dynmap 10 set transform-set mysetAES myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
--> : if you do not use hostname instead of address, then you will have
--> : difficulties when your ISP changes your IP underneath you
--> isakmp identity hostname
isakmp nat-traversal 20
--> : again you do not need AES, but we were talking about it.
--> isakmp policy 7 authentication pre-share
--> isakmp policy 7 encryption aes-256
--> isakmp policy 7 hash sha
--> isakmp policy 7 group 5
--> : a full day, 86400 seconds, seems a bit much idle time for a VPN
--> : client so I dropped it to one hour
--> isakmp policy 7 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
--> : adjusted for a shorter lifetime, as per above
--> isakmp policy 10 lifetime 3600
vpngroup MillsVPN idle-time 6000
vpngroup MillsVPN password XXXXXXXX
--> : remove all the other vpngroup commands that were here, including
--> : the address-pool one
--> vpngroup FamilyA idle-time 6000
--> vpngroup FamilyA password YYYYYYYY
--> vpngroup FamilyB idle-time 6000
--> vpngroup FamilyB password ZZZZZZZZ
telnet 192.168.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.69.100-192.168.69.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

-- Walter Roberson
