Setting up a VPN on a PIX 515E is a straightforward process when using ASDM, and it is not much more difficult to do from the CLI either. I will take you through all the steps needed to configure a working VPN solution on your firewall and post an example of the config at the end.
First you need to open ASDM from your desktop computer and connect to your firewall.
We will be configuring a Remote Access VPN and will be keeping the default of enabling inbound IPSec sessions to bypass interface access lists.
We are going to choose to use the Cisco VPN Client, release 3.x or higher, or other Easy VPN Remote product.
For our setup we are going to keep it simple and go with a pre-shared key, and name the Tunnel Group vpn_group.
I set up authentication using the local user database on the PIX firewall.
At this point you can create either just one user account or a number of them. This will be the user's VPN username and password. Both this account and the shared key will be needed to successfully authenticate with the VPN server.
Next we need to set up a VPN DHCP IP pool. You will need enough IPs to cover the maximum number of clients that will ever be logged on at one time. I used a different IP range than the main internal IP network of 192.168.0.0 and went with 192.168.2.0 for the VPN IP pool, with a range from 192.168.2.50 – 192.168.2.60 and a subnet mask of 255.255.255.0.
Next you can enter your Primary DNS and Secondary DNS servers as well as the WINS and Default Domain name information.
I kept the defaults for the IKE Policy and went with 3DES Encryption, SHA Authentication, and for the DH group 2.
For the IPSec Encryption and Authentication I chose 3DES and SHA.
Next we need to set up the Address Translation Exemption and Split Tunneling. I entered my internal network of 192.168.0.0/24, and since I wanted to keep access to the local LAN and the Internet while connected to the VPN, I enabled split tunneling. If you do not want users to have this option, leave the box unchecked. Click the Add button to add your network and continue by clicking Next.
You will then be presented with a summary of your choices and have the option of going back to make any needed changes. Once you are happy, click Finish and the commands will be written to the configuration. You will want to save your config afterwards, as quite a few changes are made in this process.
I had issues after first setting up the VPN connection until I enabled IPSec over NAT-T under the IKE global parameters. You can fine-tune your VPN configuration by going through the various options and making changes based on your needs.
In the end you can view the connections to your VPN on the main home menu of ASDM.
As you can see, configuring a VPN tunnel with ASDM is simple enough to do.
The following is the full config from the PIX firewall, which also shows a PPPoE configuration using a DSL modem in bridge mode.
PIX Version 7.2(3)
enable password XXXXXXXXXXXXXXX encrypted
description PPPoE Interface
pppoe client vpdn group pppoe
ip address X.X.X.X 255.255.255.255 pppoe setroute
description Internal Network
ip address 192.168.0.1 255.255.255.0
description DMZ Interface
ip address X.X.X.X 255.255.252.0
passwd XXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
access-list vpn_client_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Local_LAN_Access remark Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list outside_cryptomap_65535.20 extended deny ip any any
access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_client_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging console emergencies
logging monitor emergencies
logging trap informational
logging asdm informational
logging mail alerts
logging from-address EMAILADDRESS
logging recipient-address EMAILADDRESS level errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
http server enable
http X.X.X.X 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet X.X.X.X 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname USERNAME
vpdn group pppoe ppp authentication chap
vpdn username USERNAME password *********
dhcpd dns 18.104.22.168 22.214.171.124
dhcpd lease 1500
dhcpd ping_timeout 10
dhcpd domain DOMAINNAME.COM
dhcpd auto_config outside vpnclient-wins-override
dhcpd option 3 ip 192.168.0.1
dhcpd address 192.168.0.5-192.168.0.49 inside
dhcpd dns 126.96.36.199 188.8.131.52 interface inside
dhcpd lease 1500 interface inside
dhcpd ping_timeout 10 interface inside
dhcpd domain DOMAINNAME.COM interface inside
dhcpd option 3 ip X.X.X.X interface inside
dhcpd enable inside
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect icmp error
service-policy global_policy global
group-policy vpn_client internal
group-policy vpn_client attributes
dns-server value 184.108.40.206 220.127.116.11
split-tunnel-network-list value vpn_client_splitTunnelAcl
default-domain value DOMAINNAME.COM
username admin password XXXXXXXXXXXXXX encrypted privilege 15
username USERNAME password XXXXXXXXXXXXXXX encrypted privilege 0
username USERNAME attributes
tunnel-group vpn_client type ipsec-ra
tunnel-group vpn_client general-attributes
tunnel-group vpn_client ipsec-attributes
prompt hostname context
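The wizard steps above (address pool, NAT exemption, split tunneling, NAT-T) end up as a handful of lines in the running config, and a mistake in any of them produces a tunnel that connects but passes no LAN traffic. The following Python script is added here as an example and is not code from the original post; it parses those lines out of a PIX/ASA-style config and cross-checks them against the inside network: the NAT-exempt ACL must cover inside-to-pool traffic, the split-tunnel list must contain the inside LAN, NAT-T must be on, and DES/3DES/MD5 transform sets are flagged as legacy. The sample config embedded in it is constructed, laid out like the dump above, and deliberately names a split-tunnel network that differs from the inside LAN so the checker has something to report; `parse_config`, `check_vpn_config` and the `inside_net` argument are this example's own names.

```python
"""Sanity checks for a PIX/ASA remote-access IPsec config (added example, not the post's code)."""
import ipaddress
import re

# Constructed sample, laid out like the config dump above. The split-tunnel list deliberately
# permits a network other than the inside LAN so the checker has a finding to report.
SAMPLE_CONFIG = """\
access-list vpn_client_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp nat-traversal 20
group-policy vpn_client attributes
 split-tunnel-network-list value vpn_client_splitTunnelAcl
"""

# ESP transforms that are no longer considered adequate; AES with SHA is the replacement.
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def _net(addr, mask):
    """Turn 'NET MASK' or 'host ADDR', as written in a PIX access-list, into an ip_network."""
    if addr == "host":
        return ipaddress.ip_network(f"{mask}/32")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract only the statements the checks need; every other config line is ignored."""
    cfg = {"acls": {}, "pools": {}, "nat0_acl": None, "nat_traversal": False,
           "transform_sets": {}, "split_tunnel_acl": None}
    for raw in text.splitlines():
        line = raw.strip()  # sub-commands are indented by one space in a real dump
        if m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), None))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask \S+$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m[1]
        elif line.startswith("crypto isakmp nat-traversal"):
            cfg["nat_traversal"] = True
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_tunnel_acl"] = m[1]
    return cfg


def check_vpn_config(text, inside_net):
    """Return a list of findings for the config; an empty list means every check passed."""
    cfg = parse_config(text)
    inside = ipaddress.ip_network(inside_net)
    findings = []

    # 1. Traffic from the inside LAN to the client pool must be exempt from NAT, otherwise
    #    replies to VPN clients are translated to the outside address and the tunnel is one-way.
    nat0 = cfg["acls"].get(cfg["nat0_acl"], []) if cfg["nat0_acl"] else []
    if not cfg["pools"]:
        findings.append("no 'ip local pool' defined: clients cannot be assigned an address")
    for name, (first, last) in cfg["pools"].items():
        if not any(inside.subnet_of(src) and dst is not None and first in dst and last in dst
                   for src, dst in nat0):
            findings.append(f"NAT exemption does not cover {inside} -> pool {name} ({first}-{last})")

    # 2. With split tunneling on, the list must contain the inside LAN; otherwise clients
    #    send LAN-bound packets out their local default route instead of into the tunnel.
    acl_name = cfg["split_tunnel_acl"]
    if acl_name is not None:
        entries = cfg["acls"].get(acl_name)
        if entries is None:
            findings.append(f"split-tunnel list '{acl_name}' is referenced but not defined")
        elif not any(inside.subnet_of(net) for net, _ in entries):
            findings.append(f"split-tunnel list '{acl_name}' does not include inside network {inside}")

    # 3. ESP carries no port numbers, so a PAT router between client and firewall cannot
    #    translate it unless NAT-T wraps it in UDP.
    if not cfg["nat_traversal"]:
        findings.append("crypto isakmp nat-traversal is not enabled")

    # 4. Flag DES/3DES/MD5 transforms so the set can be moved to AES.
    for name, algs in cfg["transform_sets"].items():
        for alg in algs:
            if alg in LEGACY_ALGS:
                findings.append(f"transform-set {name} uses legacy algorithm {alg}; prefer AES")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(SAMPLE_CONFIG, "192.168.0.0/24"):
        print("FINDING:", finding)
```

Run against the constructed sample it reports two findings (the split-tunnel list that does not contain 192.168.0.0/24, and the 3DES transform set); feeding it the output of `show running-config` from a real unit works the same way, since the parser skips every line it does not recognise.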
I hope this has been helpful in your attempts to set up a VPN on your firewall. If you have any questions, please feel free to drop me an email at firstname.lastname@example.org