Setting up a VPN on a PIX 515E is a straightforward process when using ASDM, and it is not much more difficult to do from the CLI either. I will take you through all the steps needed to configure a working VPN solution on your firewall and post an example of the resulting config at the end.

First you need to open ASDM from your desktop computer and connect to your firewall.

ASDM VPN Wizard


We will be configuring a Remote Access VPN and will keep the default of allowing inbound IPSec sessions to bypass interface access lists.

vpn_002


We are going to choose the Cisco VPN Client, release 3.x or higher, or other Easy VPN Remote product.

vpn_003


For our setup we are going to keep it simple and go with a pre-shared key, and name the Tunnel Group vpn_group.

vpn_004


I set up authentication using the local user database on the PIX firewall.

vpn_005


At this point you can create either just one user account or a number of them. This will be the user's VPN user name and password. Both this account and the pre-shared key will be needed to successfully authenticate with the VPN server.

vpn_006


Next we need to set up a VPN DHCP IP pool. You will need enough IPs to cover the maximum number of clients that will ever be logged on at one time. I used a different IP range than the main internal network of 192.168.0.0 and went with 192.168.2.0 for the VPN IP pool, with a range of 192.168.2.50 – 192.168.2.60 and a subnet mask of 255.255.255.0.

vpn_007


Next you can enter your primary and secondary DNS servers as well as the WINS servers and default domain name.

vpn_008


I kept the defaults for the IKE Policy and went with 3DES encryption, SHA authentication, and DH group 2.

vpn_009


For the IPSec Encryption and Authentication I chose 3DES and SHA.

vpn_010


Next we need to set up the Address Translation Exemption and Split Tunneling. I entered my internal network of 192.168.0.0/24 and, as I wanted the ability to access the local LAN and the Internet while connected to the VPN, I enabled split tunneling. If you do not want users to have this ability, leave that box unchecked. Click the Add button to add your network and continue by clicking Next.

vpn_011


You will then be presented with a summary of your choices and have the option of going back to make any needed changes. Once you are happy, click Finish and the commands will be written to the configuration. You will want to save your config afterwards, as quite a few changes are made in this process.

vpn_012


I had issues after first setting up the VPN connection until I activated Enable IPSec over NAT-T under the IKE global parameters. You can fine-tune your VPN configuration by going through the various options and making the needed changes based on your needs.

vpn_013


Finally, you can view the connections to your VPN on the main home screen of ASDM.

vpn_014


As you can see, configuring a VPN tunnel with ASDM is simple enough to do.

The following is the full config from the PIX firewall, which also shows a PPPoE configuration using a DSL modem in bridge mode.

PIX Version 7.2(3)
!
hostname Firewall
domain-name DOMAINNAME.COM
enable password XXXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0
description PPPoE Interface
nameif outside
security-level 0
pppoe client vpdn group pppoe
ip address X.X.X.X 255.255.255.255 pppoe setroute
!
interface Ethernet1
description Internal Network
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
description DMZ Interface
nameif DMZ
security-level 50
ip address X.X.X.X 255.255.252.0
!
passwd XXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name DOMAINNAME.COM
access-list vpn_client_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list outside_cryptomap_65535.20 extended deny ip any any
access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_client_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor emergencies
logging trap informational
logging asdm informational
logging mail alerts
logging from-address EMAILADDRESS
logging recipient-address EMAILADDRESS level errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
http server enable
http X.X.X.X 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet X.X.X.X 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname USERNAME
vpdn group pppoe ppp authentication chap
vpdn username USERNAME password *********
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 1500
dhcpd ping_timeout 10
dhcpd domain DOMAINNAME.COM
dhcpd auto_config outside vpnclient-wins-override
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.5-192.168.0.49 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 1500 interface inside
dhcpd ping_timeout 10 interface inside
dhcpd domain DOMAINNAME.COM interface inside
dhcpd option 3 ip X.X.X.X interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ipsec-pass-thru
inspect icmp error
!
service-policy global_policy global
group-policy vpn_client internal
group-policy vpn_client attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_client_splitTunnelAcl
default-domain value DOMAINNAME.COM
username admin password XXXXXXXXXXXXXX encrypted privilege 15
username USERNAME password XXXXXXXXXXXXXXX encrypted privilege 0
username USERNAME attributes
vpn-group-policy vpn_client
tunnel-group vpn_client type ipsec-ra
tunnel-group vpn_client general-attributes
address-pool vpn_pool
default-group-policy vpn_client
tunnel-group vpn_client ipsec-attributes
pre-shared-key *
smtp-server X.X.X.X
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
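Before cutting users over to a config like the one above, it is worth checking the pieces the wizard wrote against each other: the split-tunnel ACL that the group policy pushes, the nat 0 exemption for the VPN pool, and the IKE policy settings. The script below is an added example (not from this post or from Cisco) that parses those lines and reports mismatches; it runs against a constructed excerpt of the posted config, in which the referenced split-tunnel ACL permits 192.168.1.0/24 while the inside interface sits on 192.168.0.0/24, and in which 3DES and DH group 2, acceptable when the post was written, are deprecated today.

```python
import ipaddress
# Constructed excerpt of the PIX config posted above, reduced to the lines the checks read.
PIX_CONFIG = """\
nameif inside
ip address 192.168.0.1 255.255.255.0
access-list vpn_client_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
encryption 3des
group 2
split-tunnel-network-list value vpn_client_splitTunnelAcl
"""
def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Pull the remote-access VPN facts out of a PIX 7.x running-config."""
    cfg, iface = {"std_acl": {}, "ext_acl": {}, "ike": set()}, None
    for f in (line.split() for line in text.splitlines() if line.strip()):
        if f[0] == "nameif":
            iface = f[1]
        elif f[:2] == ["ip", "address"] and iface == "inside":
            cfg["inside"] = net(f[2], f[3])
        elif f[0] == "access-list" and f[2:4] == ["standard", "permit"]:
            cfg["std_acl"].setdefault(f[1], []).append(net(f[4], f[5]))
        elif f[0] == "access-list" and f[2:5] == ["extended", "permit", "ip"]:
            cfg["ext_acl"].setdefault(f[1], []).append((net(f[5], f[6]), net(f[7], f[8])))
        elif f[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = tuple(ipaddress.ip_address(a) for a in f[4].split("-"))
        elif f[0] == "nat" and f[2] == "0":
            cfg["nat0_acl"] = f[4]
        elif f[0] in ("encryption", "hash", "group") and len(f) == 2:  # isakmp policy lines
            cfg["ike"].add(" ".join(f))
        elif f[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = f[2]
    return cfg

def check_vpn(cfg):
    """Findings a reviewer would raise; an empty list means every check passed."""
    findings, (lo, hi) = [], cfg["pool"]
    # The split-tunnel ACL is what the client routes into the tunnel, so it must cover the LAN.
    if not any(cfg["inside"].subnet_of(n) for n in cfg["std_acl"].get(cfg.get("split_acl"), [])):
        findings.append(f"split-tunnel ACL {cfg.get('split_acl')} does not cover inside net {cfg['inside']}")
    # nat 0 must exempt LAN -> pool traffic, otherwise replies are PAT'ed outside instead of tunnelled.
    if not any(cfg["inside"].subnet_of(s) and lo in d and hi in d for s, d in cfg["ext_acl"].get(cfg.get("nat0_acl"), [])):
        findings.append("nat 0 exemption does not cover inside -> VPN pool")
    if weak := cfg["ike"] & {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2"}:
        findings.append("deprecated IKE settings: " + ", ".join(sorted(weak)))
    return findings
```

Run it against your own `show running-config` output in place of the excerpt; on the excerpt it reports the split-tunnel mismatch and the deprecated IKE settings, and passes the nat 0 check.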

I hope this has been helpful in your attempts to set up a VPN on your firewall. If you have any questions, please feel free to drop me an email at ivan.windon@l3pdu.com
