[VPN] Re: Cisco VPN for remote users - Pix 515
Dana J. Dawson
Dana.Dawson at qwest.com
Mon Jun 13 16:32:08 EDT 2005
I think your understanding is correct and that your plan should
work. And yes, I think it's usually better to configure your dynamic
vpn client address pool from a unique subnet rather than taking it
from the subnet to which the inside interface connects, but because
the PIX won't do redirects there can be situations where it's best to
use the connected subnet. The usual situation where this is the case
is if there are other routers on that connected network that provide
connectivity to other parts of your network and you have servers that
are configured with just a default gateway. If those servers specify
the PIX as the gateway in hopes that the PIX will also redirect
traffic to those other routers for access to the rest of your
network, that's a problem. You could change the default gateway in
the servers to be one of those other routers and depend on it to do
the redirecting, but sometimes even that's not an appealing option
and the static arp entries with the "alias" keyword is the cleaner
solution. If you think you might need this have questions let me know.
For your reference here are two links to pages at Cisco that I find
useful. The first is to a list of various IPSec sample
configurations for various different products and topologies
(including VPN configurations between Cisco and other vendors'
products). It's not organized as nicely as it could be, but doing a
search within the page for the appropriate keyword ("PIX" in this
case) is frequently helpful:
The other link is from the above page and is a pretty good sample
config for a PIX terminating the "Unity" VPN client (as compared to
the old IRE-based "Cisco Secure" client, which is no longer
available). One thing I usually add which typically doesn't appear
in Cisco's sample PIX configs is the "isakmp nat-traversal 20"
command. This enables the "NAT-T" feature that detects NAT and
encapsulates the ESP traffic in UDP/4500 headers if necessary so that
intermediate NAT devices are less likely to cause trouble. It's a
very useful command for both VPN client and site-to-site VPN
connections and should be on by default in the PIX in my opinion (it
is on by default in the newer versions of IOS - go figure).
The other feature this sample doesn't show is xauth user
authentication. In 6.3 Cisco added local authentication capability
for VPN clients, which is a useful feature for small-scale
deployments. If you have a lot of users, you'll probably want to use
an external AAA server (RADIUS or TACACS+). The command for enabling
crypto map mymap client authentication LOCAL
I've used the same name for the crypto map as appears in the sample
config below, and have specified the "LOCAL" aaa method. That would
allow you to configure local username/password entries for your
users. You could alternatively define a RADIUS or TACACS+ server
method and reference that instead. If you just use the config from
the sample below, your users will not be prompted for a password when
they initiate a VPN connection to the PIX.
Anyway, here's the URL for the PIX sample:
I think that's everything. Good luck, and let me know if you have
Dana J. Dawson Dana.Dawson at qwest.com
Sr. Staff Engineer CCIE #1937
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
On Jun 13, 2005, at 2:36 PM, Tristan RHODES wrote:
> Thanks for your reply. I appreciate your time and effort.
> I am running Pix 6.3 software so I will probably use the inside
> interface like you said.
> |(d) |
> (a) = 6500 interface VLAN 200 (10.10.200.1/24)
> (b) = Pix "outside" interface (10.10.200.254/24)
> (c) = Pix "inside" interface (10.10.201.254/24)
> (d) = 6500 interface VLAN 201 (10.10.201.1/24)
> I think you are telling me that I should use a third network for
> users... perhaps 10.10.203.0/24.
> If this design is correct, my next step is to set up the VPN and
> correctly. Any hints?
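
Added example, not part of the original message or of Cisco's sample config: a Python check that audits a PIX 6.3-style configuration for the two settings the message recommends, "isakmp nat-traversal" and xauth through "crypto map ... client authentication". The configuration text is constructed for illustration; only the map name "mymap" comes from the message, and the other names are assumptions.

```python
import re

# Constructed PIX 6.3-style fragment for illustration. Only the map name
# "mymap" comes from the message; the other names are assumptions.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
"""

def audit_pix_vpn(config):
    """Return a list of findings for NAT-T and xauth in a PIX config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # NAT-T is off unless "isakmp nat-traversal [keepalive-seconds]" is present.
    if not any(re.fullmatch(r"isakmp nat-traversal(\s+\d+)?", ln) for ln in lines):
        findings.append("nat-t: 'isakmp nat-traversal' not configured")

    dynamic_maps, xauth = set(), {}
    for ln in lines:
        # Crypto maps that accept dynamic peers, i.e. remote VPN clients.
        m = re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+", ln)
        if m:
            dynamic_maps.add(m.group(1))
        # xauth: crypto map <name> client authentication <aaa-method>
        m = re.fullmatch(r"crypto map (\S+) client authentication (\S+)", ln)
        if m:
            xauth[m.group(1)] = m.group(2)

    has_local_user = any(re.match(r"username \S+ password ", ln) for ln in lines)
    for name in sorted(dynamic_maps):
        if name not in xauth:
            findings.append(f"xauth: crypto map {name} never prompts clients for a password")
        elif xauth[name] == "LOCAL" and not has_local_user:
            findings.append(f"xauth: crypto map {name} uses LOCAL but no username entries exist")
    return findings

if __name__ == "__main__":
    for finding in audit_pix_vpn(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed fragment, it reports both gaps; adding the two commands from the message plus at least one local username entry clears them.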