[VPN] Re: Cisco VPN for remote users - Pix 515

Dana J. Dawson Dana.Dawson at qwest.com
Mon Jun 13 16:32:08 EDT 2005


Tristan,

I think your understanding is correct and that your plan should
work.  And yes, I think it's usually better to configure your dynamic
VPN client address pool from a unique subnet rather than taking it
from the subnet to which the inside interface connects, but because
the PIX won't do redirects there can be situations where it's best to
use the connected subnet.  The usual situation where this is the case
is if there are other routers on that connected network that provide
connectivity to other parts of your network and you have servers that
are configured with just a default gateway.  If those servers specify
the PIX as the gateway in hopes that the PIX will also redirect
traffic to those other routers for access to the rest of your
network, that's a problem.  You could change the default gateway in
the servers to be one of those other routers and depend on it to do
the redirecting, but sometimes even that's not an appealing option,
and the static ARP entries with the "alias" keyword are the cleaner
solution.  If you think you might need this, or have questions, let me know.

For your reference here are two links to pages at Cisco that I find  
useful.  The first is to a list of various IPSec sample  
configurations for various different products and topologies  
(including VPN configurations between Cisco and other vendors'  
products).  It's not organized as nicely as it could be, but doing a  
search within the page for the appropriate keyword ("PIX" in this  
case) is frequently helpful:

<http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html>

The other link is from the above page and is a pretty good sample  
config for a PIX terminating the "Unity" VPN client (as compared to  
the old IRE-based "Cisco Secure" client, which is no longer  
available).  One thing I usually add which typically doesn't appear  
in Cisco's sample PIX configs is the "isakmp nat-traversal 20"  
command.  This enables the "NAT-T" feature that detects NAT and  
encapsulates the ESP traffic in UDP/4500 headers if necessary so that  
intermediate NAT devices are less likely to cause trouble.  It's a  
very useful command for both VPN client and site-to-site VPN  
connections and should be on by default in the PIX in my opinion (it  
is on by default in the newer versions of IOS - go figure).

The other feature this sample doesn't show is xauth user  
authentication.  In 6.3 Cisco added local authentication capability  
for VPN clients, which is a useful feature for small-scale  
deployments.  If you have a lot of users, you'll probably want to use  
an external AAA server (RADIUS or TACACS+).  The command for enabling  
xauth is:

   crypto map mymap client authentication LOCAL

I've used the same name for the crypto map as appears in the sample  
config below, and have specified the "LOCAL" aaa method.  That would  
allow you to configure local username/password entries for your  
users.  You could alternatively define a RADIUS or TACACS+ server  
method and reference that instead.  If you just use the config from  
the sample below, your users will not be prompted for a password when  
they initiate a VPN connection to the PIX.

Anyway, here's the URL for the PIX sample:

<http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml>

I think that's everything.  Good luck, and let me know if you have  
more questions.

Dana

---
Dana J. Dawson                     Dana.Dawson at qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."

On Jun 13, 2005, at 2:36 PM, Tristan RHODES wrote:

> Dana,
>
> Thanks for your reply.  I appreciate your time and effort.
>
> I am running Pix 6.3 software so I will probably use the inside
> interface like you said.
>
> [6500](a)-----(b)[515](c)-----+
>     |(d)                      |
>     +-------------------------+
>
> Legend:
> (a) = 6500 interface VLAN 200 (10.10.200.1/24)
> (b) = Pix "outside" interface (10.10.200.254/24)
> (c) = Pix "inside" interface (10.10.201.254/24)
> (d) = 6500 interface VLAN 201 (10.10.201.1/24)
>
> I think you are telling me that I should use a third network for
> users... perhaps 10.10.203.0/24.
>
> If this design is correct, my next step is to setup the VPN and  
> routing
> correctly.  Any hints?
>
> Tristan
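As an added example (this is not Cisco's sample config and not something
from the original message), here is how the pieces Dana lists would fit
together in a PIX 6.3 configuration for Tristan's topology: a client
pool on its own subnet, NAT-T enabled, and xauth against the local user
database.  The interface addresses are taken from Tristan's diagram; the
pool 10.10.203.0/24, the group name "remoteusers", the DNS server, the
domain, the route to a network behind the 6500 and the usernames are
assumptions made for the example.  Lines beginning with ":" are PIX
comment lines.

```cisco
: PIX 6.3 fragment for terminating the Unity VPN client (added example,
: not Cisco's sample or the author's config).  Interface addresses are
: from the thread; pool, group name, DNS, domain, routes and users are
: assumed for illustration.
ip address outside 10.10.200.254 255.255.255.0
ip address inside 10.10.201.254 255.255.255.0

: Client pool on its own /24 rather than carved out of the inside subnet.
ip local pool vpnpool 10.10.203.1-10.10.203.254

: Exempt inside <-> client traffic from NAT, in case the PIX otherwise
: translates the inside network.
access-list nonat permit ip 10.10.201.0 255.255.255.0 10.10.203.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let decrypted IPsec traffic bypass the interface access lists.
sysopt connection permit-ipsec

: Phase 1 toward the clients: pre-shared group key, DH group 2 (the
: Unity client requires it), then xauth on top.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: NAT-T with a 20 second keepalive: when a NAT device is detected on
: the path, ESP is carried inside UDP/4500 instead of raw IP proto 50.
isakmp nat-traversal 20

: Phase 2 transform set and a dynamic crypto map for road-warrior peers
: whose addresses are not known in advance.
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

: Xauth against the local user database.  For a large user base, define
: an aaa-server group (RADIUS or TACACS+) and reference it instead of LOCAL.
crypto map mymap client authentication LOCAL
crypto map mymap interface outside

: Group the clients connect with; the group password is the pre-shared
: key entered in the VPN client profile.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.10.201.10
vpngroup remoteusers default-domain example.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-secret>

: Per-user credentials that xauth prompts for at connect time.
username tristan password <user-secret>

: Routing on the PIX: default out toward the 6500's VLAN 200 side, and
: an inside route for a network behind the 6500 (10.10.210.0/24 is an
: assumed example).  Inside routes must not cover the client pool, or
: return traffic for the clients would be sent back out the inside
: interface instead of reaching the crypto map on outside.
route outside 0.0.0.0 0.0.0.0 10.10.200.1 1
route inside 10.10.210.0 255.255.255.0 10.10.201.1 1
```

Without the `client authentication` line, users connecting with just the
group password are never prompted for their own credentials, which is the
gap Dana points out in the Cisco sample.  The return path for the pool
does not live on the PIX: the 6500 needs a static route for
10.10.203.0/24 pointing at the PIX inside address (10.10.201.254 from the
diagram), otherwise replies from servers behind (d) never reach the VPN
clients.  3DES/SHA-1 reflect what the 2005-era sample uses; on current
hardware you would pick stronger transforms.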
