Remote Access VPN


khayes
04-13-2009, 01:47 PM
Hello all,

I have a few questions I'd like to ask.

1. I have a Cisco 506e PIX and I'm trying to do a remote access VPN. At one time I got this working, but I forgot what I did to get it to work. I only have one static IP address to work with, and every time I connect to the VPN it authenticates me using the Cisco VPN client, but I can't access anything. Could this be a routing issue?

2. I also noticed that when I do the PAT, it wants me to do a static, and when I do the static my local area network is affected by this and can't go out to the Internet. Is there a way to do a dynamic PAT?

3. Is it easier to do PPTP through an RRAS server for remote access VPN? I'm using 3 static private IPs for my VPN pool.

Thanks,
K

lildeezul
04-13-2009, 06:41 PM
Hello, look in the ISCW section of this forum; I made a post that explains the IPsec negotiation and connection process. Hopefully that will help.

I do not know the exact commands and sequences on a PIX firewall, but the same concepts apply.

If you're using the Cisco Easy VPN client (remote), the client and the PIX (Easy VPN server) must accept and negotiate a set of parameters such as encryption, authentication, HMAC, keepalives, etc. The Cisco client will dump a set of parameters and the PIX must agree on at least one.

Hope this helps.

Big Evil
04-14-2009, 06:25 AM
1. I have a Cisco 506e PIX and I'm trying to do a remote access VPN. At one time I got this working, but I forgot what I did to get it to work. I only have one static IP address to work with, and every time I connect to the VPN it authenticates me using the Cisco VPN client, but I can't access anything. Could this be a routing issue?

So the VPN allows you to connect, but you can't access your LAN?
Run a debug or a show access-list and see the hits.

2. I also noticed that when I do the PAT, it wants me to do a static, and when I do the static my local area network is affected by this and can't go out to the Internet. Is there a way to do a dynamic PAT?

Try this (it's off an ASA 5505, but it should work with a tweak):

access-list outside_in extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.x.x www netmask 255.255.255.255
access-group outside_in in interface outside

3. Is it easier to do PPTP through an RRAS server for remote access VPN? I'm using 3 static private IPs for my VPN pool.

It's less secure than IPsec, but yes.

HTH
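The two NAT problems in questions 1 and 2 (VPN clients authenticate but reach nothing; a port-forwarding static seems to break outbound Internet access) are both usually a matter of which translation rule wins. The fragment below is an added example in PIX 6.x syntax, not configuration from the original posters. It assumes interface names `inside`/`outside`, an inside LAN of 192.168.1.0/24, a three-address VPN pool 192.168.10.1-192.168.10.3, a web server at 192.168.1.10, and that the ISAKMP policy and crypto map for the Easy VPN group are already in place (authentication succeeds, so they are). The group name and password are placeholders.

```cisco
! --- Question 2: dynamic PAT on the single public address ---
! All inside hosts overload the outside interface IP. This is separate
! from a static port-forward and does not conflict with it.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! A static port redirection for one inside server coexists with the
! dynamic PAT above; it only claims TCP/80 on the interface address.
access-list outside_in permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
access-group outside_in in interface outside

! --- Question 1: let VPN clients reach the LAN ---
! Address pool handed to Cisco VPN clients (assumed pool, 3 addresses).
ip local pool vpnpool 192.168.10.1-192.168.10.3

! NAT exemption: LAN-to-VPN-client traffic must NOT be translated, or the
! return packets get PAT'd to the outside address and never enter the tunnel.
! "nat 0 access-list" is evaluated before the dynamic rule above.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Decrypted IPsec traffic bypasses the outside interface ACL; without this,
! outside_in above would have to permit every LAN service the clients use.
sysopt connection permit-ipsec

! Easy VPN group: pool assignment and split tunnelling reuse the nonat ACL,
! so the client only sends LAN-bound traffic through the tunnel.
! (group name and password are placeholders)
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel nonat
vpngroup remoteusers password CHANGE_ME_PLACEHOLDER
```

To verify after a client connects: `show crypto ipsec sa` should show non-zero encaps/decaps counters for the peer, `show xlate` should show no translation entries for the 192.168.10.x addresses (if one appears, the exemption ACL is not matching), and `show access-list nonat` hit counts confirm the exemption is being consulted. Leaving split tunnelling off is the more conservative choice, but then the client's Internet traffic also has to be handled on the PIX, which is beyond what the thread covers.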