[vpn-help] Please evaluate my Pix 6.1 Config
Evan Thibeault
ethibeault at georgiatrust.org
Wed Aug 28 20:59:06 CDT 2013
Hi all,
I need to configure my Pix 501 device and a Shrewsoft client on Windows 8
to communicate.
I am not well versed in VPN terminology and configuration. My Cisco PDM
(GUI Interface) has recently broken so all I can access is the command line
through telnet.
I'm attaching a captured text file of my Pix config. Could someone look it
over and tell me what settings are incompatible with the Shrewsoft client
and how I need to change them?
I would be very appreciative!
--
*Evan*
-------------- next part --------------
pixfirewall> enable
Password:
pixfirewall# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (deleted) encrypted
passwd (deleted) encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 hh_lan
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any hh_lan 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.75.128 255.255.255.224
access-list outside_cryptomap_20 permit ip any hh_lan 255.255.255.0
access-list gatrust_splitTunnelAcl_1 permit ip interface inside any
access-list outside_cryptomap_dyn_540 permit ip any 192.168.75.128 255.255.255.224
access-list Rhodes_Hall_Staff_splitTunnelAcl permit ip 192.168.75.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside (deleted) 255.255.255.252
ip address inside 192.168.75.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclients 192.168.0.150-192.168.0.160
ip local pool rh_vpn_clients 192.168.75.140-192.168.75.149
pdm location hh_lan 255.255.255.0 inside
pdm location hh_lan 255.255.255.0 outside
pdm location 192.168.0.200 255.255.255.248 outside
pdm location 0.0.0.0 255.255.255.252 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 255.255.255.252 (deleted) 1
route outside 0.0.0.0 0.0.0.0 (deleted) 1
route outside hh_lan 255.255.255.0 (deleted) 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.75.0 255.255.255.0 inside
http 192.168.75.80 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 380 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 400 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 420 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 440 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 460 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 480 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 500 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 520 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 540 match address outside_cryptomap_dyn_540
crypto dynamic-map outside_dyn_map 540 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer (deleted)
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key (deleted) address (deleted) netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Rhodes_Hall_Staff address-pool rh_vpn_clients
vpngroup Rhodes_Hall_Staff dns-server 192.168.75.5
vpngroup Rhodes_Hall_Staff split-tunnel Rhodes_Hall_Staff_splitTunnelAcl
vpngroup Rhodes_Hall_Staff idle-time 1800
vpngroup Rhodes_Hall_Staff password (deleted)
telnet 192.168.75.80 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username (deleted) password (deleted)
terminal width 80
Cryptochecksum:d587815ab0bf38bade693980d8d9730d
: end
[OK]
pixfirewall#
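The attached config carries everything an IKEv1 remote-access client such as Shrew Soft has to agree with: the isakmp policy proposal, the vpngroup name and its address pool, and the nat 0 and dynamic crypto-map ACLs that must cover that pool. As an added example, not part of the original post and not a Cisco or Shrew Soft tool, this Python script extracts those settings from a constructed excerpt of the posted config and checks that each vpngroup's pool is exempt from NAT and that no pool is left unreferenced.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3(4) config posted above; only the remote-access VPN lines are kept.
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.200 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 192.168.75.128 255.255.255.224
access-list outside_cryptomap_dyn_540 permit ip any 192.168.75.128 255.255.255.224
ip local pool vpnclients 192.168.0.150-192.168.0.160
ip local pool rh_vpn_clients 192.168.75.140-192.168.75.149
nat (inside) 0 access-list inside_outbound_nat0_acl
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
vpngroup Rhodes_Hall_Staff address-pool rh_vpn_clients
vpngroup Rhodes_Hall_Staff split-tunnel Rhodes_Hall_Staff_splitTunnelAcl
"""

def parse_pix(text):
    """Collect the settings a remote-access IKEv1 client has to agree with."""
    cfg = {"pools": {}, "acls": {}, "isakmp": {}, "vpngroups": {}, "nat0_acl": None}
    for line in text.splitlines():
        f = line.split()
        if f[:3] == ["ip", "local", "pool"]:  # ip local pool <name> <lo>-<hi>
            lo, hi = f[4].split("-")
            cfg["pools"][f[3]] = (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
        elif f[0] == "access-list" and f[2] == "permit":  # destination is trailing 'any' or '<net> <mask>'
            dst = "any" if f[-1] == "any" else ipaddress.ip_network(f"{f[-2]}/{f[-1]}")
            cfg["acls"].setdefault(f[1], []).append(dst)
        elif f[0] == "nat" and f[2:4] == ["0", "access-list"]:  # ACL that exempts traffic from NAT
            cfg["nat0_acl"] = f[4]
        elif f[:2] == ["isakmp", "policy"]:  # isakmp policy <n> <attribute> <value>
            cfg["isakmp"].setdefault(f[2], {})[f[3]] = f[4]
        elif f[0] == "vpngroup":  # vpngroup <group> <attribute> <value>
            cfg["vpngroups"].setdefault(f[1], {})[f[2]] = f[3]
    return cfg

def pool_covered(cfg, acl_name, pool_name):
    """True if every address in the pool is a permitted destination of acl_name."""
    lo, hi = cfg["pools"][pool_name]
    dsts = cfg["acls"].get(acl_name, [])
    return "any" in dsts or all(any(ipaddress.ip_address(a) in n for n in dsts) for a in range(lo, hi + 1))

def audit(text):
    """Parse the config and list consistency problems a client connection would run into."""
    cfg = parse_pix(text)
    used = {g.get("address-pool") for g in cfg["vpngroups"].values()}
    findings = [f"pool {p} is defined but no vpngroup hands it out" for p in cfg["pools"] if p not in used]
    for group, g in cfg["vpngroups"].items():
        if "address-pool" in g and not pool_covered(cfg, cfg["nat0_acl"], g["address-pool"]):
            findings.append(f"{group}: pool {g['address-pool']} is not exempt from NAT")
    return cfg, findings
```

On the posted config this reports only the unused vpnclients pool; the Rhodes_Hall_Staff pool falls inside the 192.168.75.128/27 entries of both the nat 0 ACL and outside_cryptomap_dyn_540. The parsed isakmp policy (pre-share, 3des, md5, group 2) is the Phase 1 proposal the client must offer, and all three algorithms are legacy choices that current IKE guidance deprecates.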