Ladies and gents, I need some help. I know Cisco switches, 6500 series, RSMs, Cisco APs and 3000 series Concentrators pretty well, but this Pix Firewall/VPN is kicking my butt. I have no experience with firewalls and very limited experience with ACLs. Please help; I have searched and read and read, but it is just not coming together for me. It is times like these that I question if I am in the wrong career. Here is my network and what I am trying to accomplish.
Network: Cable modem to Pix 501 (outside int DHCP, running 6.3(1) code); Pix to my network (inside int 192.168.69.1/24). Network is 192.168.69.X/24.
On said network I have the following:
3 PCs, a Linksys AP, Vonage Router, an XP Pro PC with an FTP server running, some internet IP cameras and a few other things. I am using a Cisco VPN client to VPN in. And this is what I am trying to accomplish: I travel a little and want to be able to get to my network resources at home while on the road. I want to be able to VPN into my home network from any IP, and get to my FTP server, IP cameras, telnet to AP/Vonage/Pix, and PCs via Remote Assistance/Remote Desktop (basically just as if I were at home). I also would like to keep everything blocked coming into my network except ICMP requests/replies and of course a VPN tunnel or two (for family to be able to VPN in for pictures, etc.). As far as outgoing traffic, I am not worried about blocking anything. I also run a DHCP server (192.168.69.100-120) on the Pix for everything on the network. It doesn't matter to me what IP range the tunnels get as long as they can do everything above.
With my current config I am able to get the VPN tunnel up and can get to my IP cameras, but that is it. No ping, no telnet, no access to FTP, nothing else. It is driving me nuts. Below is my current half-working config. Please help me.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname MillsVPN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipool 172.26.69.10-172.26.69.25
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MillsVPN address-pool ipool
vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
vpngroup MillsVPN idle-time 6000
vpngroup MillsVPN password XXXXXXXX
vpngroup dns-server idle-time 1800
telnet 192.168.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.69.100-192.168.69.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1e6e58b0056882b0a6f5580abaf8d33d
: end
MillsVPN#
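As an added example (not the poster's config, and not a diagnosis of what is broken in it), these are the PIX 6.3 pieces that usually go with the goals stated in the post: an outside interface ACL that admits only ICMP echo and echo-reply from the Internet, split tunnelling for the vpngroup so the client keeps local Internet access while connected, and telnet/management access to the Pix's inside address from the VPN pool. The ACL name outside_in is assumed; every other name and address is taken from the posted config.

```cisco
! Added example, not the poster's config. ACL name "outside_in" is assumed.
!
! 1. Inbound from the Internet: allow only ICMP echo and echo-reply through
!    the Pix. IKE/ESP terminates on the Pix itself rather than passing
!    through it, and "sysopt connection permit-ipsec" (already in the posted
!    config) lets decrypted VPN traffic bypass this ACL, so the tunnel does
!    not need its own entries here. Everything else inbound is denied by the
!    implicit deny at the end of the list.
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any echo-reply
access-group outside_in in interface outside
!
! 2. Split tunnelling: only traffic to 192.168.69.0/24 goes into the tunnel.
!    The posted access-list 101 already describes that network pair (it is
!    the nat 0 exemption list), so it can be reused as the split-tunnel list.
!    Without this, the client sends all traffic through the tunnel, and a
!    PIX 6.x cannot send it back out the same outside interface.
vpngroup MillsVPN split-tunnel 101
!
! 3. Telnet to the Pix over the tunnel: the VPN pool (172.26.69.10-25) must
!    be permitted by the telnet command on the inside interface, and
!    "management-access inside" (available from 6.3) allows the inside
!    address to be reached through a tunnel that terminates on outside.
telnet 172.26.69.0 255.255.255.0 inside
management-access inside
```

The inside hosts' own firewalls (for example the XP host firewall) sit outside the Pix's control, so a host that ignores echo or RDP from the 172.26.69.0/24 pool still needs that allowed locally.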