Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

Table of Contents

  Introduction
  Before You Begin
    Conventions
    Prerequisites
    Components Used
  Configure
    Network Diagram
    Configurations
    Cisco VPN 3000 Client 2.5.x or Cisco VPN Client 3.0
    Windows 2000 or Win 98 PPTP Client Setup
  Verify
  Troubleshoot
    Troubleshooting Commands
    Microsoft related issues
  Related Information

Introduction

In this sample configuration, four different kinds of clients connect and encrypt traffic with the Cisco Secure PIX Firewall as tunnel endpoint:

  - Users running CiscoSecure VPN Client 1.1 on Microsoft Windows 95/98/NT
  - Users running the Cisco Secure VPN 3000 Client 2.5.x on Windows 95/98/NT
  - Users running native Windows 2000/98 Point-to-Point Tunneling Protocol (PPTP) clients
  - Users running the Cisco VPN Client 3.0.x on Windows 95/98/NT/2000

In this example, we configured a single pool for IP Security (IPSec) and PPTP, but the pools could also be made separate.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

  - PIX Software Release 6.1.1
  - CiscoSecure VPN Client 1.1
  - Cisco VPN 3000 Client version 2.5
  - Cisco VPN Client 3.X
  - Microsoft Windows 2000 and Windows 98 clients

Note: This was tested on PIX Software Release 6.1.1 but should work on Release 5.2.X and 5.3.1. PIX Software Release 6.X is required for the Cisco VPN Client 3.X. (Support for the Cisco VPN 3000 Client 2.5 was added in PIX Software Release 5.2.X. The configuration also works for PIX Software Release 5.1.x, except for the VPN 3000 client part.)

IPSec and PPTP/Microsoft Point-to-Point Encryption (MPPE) should be made to work separately first. If they do not work separately, they will not work together.

Configure

In this section, you are presented with the information to configure the PIX Firewall and VPN clients using PPTP, MPPE and IPSec.

Note: To find additional information on the commands used in this document, use the IOS Command Lookup tool.

Network Diagram

This document uses the network setup shown in the diagram below.

Configurations

This document uses the configurations shown below.

Cisco PIX Firewall

PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname goss-515A
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 101 permit ip 10.99.99.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.152 255.255.255.0
ip address inside 10.99.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
! CiscoSecure_VPNClient_key.
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local bigpool outside
! ISAKMP Policy for Cisco VPN Client 2.5 or
! CiscoSecure VPN Client 1.1.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
! The 1.1 and 2.5 clients use Diffie-Hellman (D-H)
! group 1 policy (PIX default).
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
!
! ISAKMP Policy for VPN Client 3.0.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
! The 3.0 clients use D-H group 2 policy
! and PIX 6.0 code.
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all dns-server 10.99.99.99
vpngroup vpn3000-all wins-server 10.99.99.99
vpngroup vpn3000-all default-domain password
vpngroup vpn3000-all idle-time 1800
! VPN 3000 group_name and group_password.
vpngroup vpn3000-all password ********
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 client authentication local
! PPTP username and password.
vpdn username cisco password cisco
vpdn enable outside
terminal width 80

CiscoSecure VPN Client 1.1

1- TACconn
     My Identity
          Connection security: Secure
          Remote Party Identity and addressing
          ID Type: IP subnet
          10.99.99.0
          255.255.255.0
          Port all Protocol all
     Connect using secure tunnel
          ID Type: IP address
          172.18.124.152
     Pre-shared Key=CiscoSecure_VPNClient_key
     Authentication (Phase 1)
     Proposal 1
          Authentication method: pre-shared key
          Encryp Alg: DES
          Hash Alg: MD5
          SA life: Unspecified
          Key Group: DH 1
     Key exchange (Phase 2)
     Proposal 1
          Encapsulation ESP
          Encrypt Alg: DES
          Hash Alg: MD5
          Encap: tunnel
          SA life: Unspecified
          no AH
2- Other Connections
     Connection security: Non-secure
     Local Network Interface
          Name: Any
          IP Addr: Any
          Port: All

Cisco VPN 3000 Client 2.5.x or Cisco VPN Client 3.0

Select Options > Properties > Authentication. Group name and group password match the group_name and group_password on the PIX as in:

vpngroup vpn3000-all password ********

Host name = 172.18.124.152

Windows 2000 or Win 98 PPTP Client Setup

You may contact the vendor who makes the PPTP client. For information on setting this up, see How to Configure the Cisco Secure PIX Firewall to Use PPTP.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Note: Before issuing debug commands, please see Important Information on Debug Commands.

PIX IPSec Debug

  debug crypto ipsec    Displays the IPSec negotiations of phase 2.
  debug crypto isakmp   Displays the Internet Security Association and Key Management Protocol (ISAKMP) negotiations of phase 1.
  debug crypto engine   Displays the traffic that is encrypted.

PIX PPTP Debug

  debug ppp io          Displays the packet information for the PPTP PPP virtual interface.
  debug ppp error       Displays PPTP PPP virtual interface error messages.
  debug vpdn error      Displays PPTP protocol error messages.
  debug vpdn packets    Displays PPTP packet information about PPTP traffic.
  debug vpdn events     Displays PPTP tunnel event change information.
  debug ppp uauth       Displays the PPTP PPP virtual interface AAA user authentication debugging messages.

Microsoft related issues:

How to Keep RAS Connections Active After Logging Off

When you log off from a Windows Remote Access Service (RAS) client, any RAS connections are disconnected automatically. To remain connected after logging off, you may enable the KeepRasConnections key in the registry on the RAS client.

User Is Not Alerted When Logging On with Cached Credentials

Symptoms: When you attempt to log on to a domain from a Windows-based workstation or member server and a domain controller cannot be located, no error message is displayed. Instead, you are logged on to the local computer using cached credentials.

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues

There may be instances when you are experiencing name resolution issues on your TCP/IP network and you need to use Lmhosts files to resolve NetBIOS names. This article discusses the proper method of creating an Lmhosts file to aid in name resolution and domain validation.
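As an added example that is not part of the Cisco document, the following Python script parses the isakmp policy and vpdn group lines of the PIX configuration shown in the Configurations section (embedded here as a constructed excerpt with the hyphens restored) and reports the settings a reviewer would flag: single DES, MD5 and DH group 1 in the IKE phase 1 policies, PAP/CHAP acceptance on the PPTP group (MPPE keys are derived from the MS-CHAP exchange, so those logons run unencrypted), and "mppe auto" without the "required" keyword, which leaves encryption optional. The WEAK_ISAKMP table and the parse/audit function names are this example's own, not PIX commands.

```python
import re
# Constructed excerpt of the PIX 6.x configuration from the Configurations
# section of this document (hyphens restored); not the complete running-config.
PIX_CONFIG = """\
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
"""
ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")
PPP_RE = re.compile(r"^vpdn group (\S+) ppp (authentication|encryption mppe) (.+)$")
# IKE phase-1 attribute values that a reviewer should flag today.
WEAK_ISAKMP = {("encryption", "des"): "single DES", ("hash", "md5"): "MD5 hash",
               ("group", "1"): "DH group 1 (768-bit MODP)"}

def parse(config):  # -> (isakmp policies keyed by number, vpdn groups keyed by name)
    policies, groups = {}, {}
    for line in config.splitlines():
        if m := ISAKMP_RE.match(line.strip()):
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif m := PPP_RE.match(line.strip()):
            grp = groups.setdefault(m.group(1), {"authentication": [], "mppe": None})
            if m.group(2) == "authentication":
                grp["authentication"].append(m.group(3))
            else:
                grp["mppe"] = m.group(3)
    return policies, groups

def audit(config):  # -> list of human-readable findings, empty when nothing is flagged
    policies, groups = parse(config)
    findings = []
    for num, attrs in sorted(policies.items()):
        for (attr, value), why in WEAK_ISAKMP.items():
            if attrs.get(attr) == value:
                findings.append(f"isakmp policy {num}: {why}")
    for name, grp in groups.items():
        # MPPE keys derive from the MS-CHAP exchange, so PAP/CHAP logons stay cleartext.
        for weak in ("pap", "chap"):
            if weak in grp["authentication"]:
                findings.append(f"vpdn group {name}: {weak} accepted, MPPE impossible")
        # 'mppe auto' without 'required' lets a peer settle for an unencrypted PPP session.
        if grp["mppe"] and "required" not in grp["mppe"]:
            findings.append(f"vpdn group {name}: mppe {grp['mppe']} is optional")
    return findings
```

Running audit() over the saved output of show running-config reproduces the same checks; a policy using 3DES, SHA and group 2 with a vpdn group that accepts only mschap and sets "mppe 128 required" produces no findings.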

Related Information

  - IP Security (IPSec) Product Support Pages
  - PIX Command Reference
  - PIX Product Support Page
  - Requests for Comments (RFCs)
  - Configuring IPSec Network Security
  - Configuring Internet Key Exchange Security Protocol
  - Technical Support - Cisco Systems

All contents are Copyright 1992-2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Nov 04, 2002
Document ID: 14095