Re: Please help with Pix 501
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Sun, 30 Oct 2005 13:49:33 +0000 (UTC)
In article <1130676599.451431.40020@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
millsusaf <ebrianmills@xxxxxxxxx> wrote:
>Network:
>Cable modem to Pix 501, (outside int DHCP)(running 6.3(1) code)
You should upgrade to a 6.3(4) due to security issues. The upgrade
is free even if you have no support contract.
>And this is what I am trying to accomplish:
>I travel a little and want to be able to get to my network resources at
>home while on the road.
How will you deal with the changing IP address of your outside
interface? DHCP'd outside addresses are somewhat incompatible with
acting as a VPN server.
> I want to be able to VPN into my home network
>from any IP, and get to my FTP server, IP cameras, telnet to
>AP/Vonage/Pix, and PCs via Remote Assistance/Remote Desktop (basically
>just like I were at home). I also would like to keep everything
>blocked coming into my network except ICMP requests/replies and of
>course a VPN tunnel or two (for family to be able to VPN in for
>pictures, etc).
In order to implement the restrictions above, you will need to
remove your sysopt connection permit-ipsec statement (which permits
ipsec traffic to connect to everything) and instead add in the
appropriate restrictions to your outside ACL.
>With my current config I am able to get the VPN tunnel up and can get
>to my IP cameras but that is it. No ping, telnet, no access to FTP,
>nothing else.
>ip local pool ipool 172.26.69.10-172.26.69.25
That's possibly the cause of your trouble. Look at the 'mask'
parameter.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027172
>crypto ipsec transform-set myset esp-des esp-md5-hmac
>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash md5
>isakmp policy 10 group 2
>vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
The dns servers you are setting are in the USA. If you are living
in the USA then unless you are a banned person you are entitled to
a free 3DES / AES license key. [The other encryption provisions about
possibly being a national of an enemy country, have to do with
-exporting- encryption from the USA.] On the other hand, you did not
mention where you travel to... traveling outside USA with your VPN client
is "exporting" for which there are special considerations...
--
"It is important to remember that when it comes to law, computers
never make copies, only human beings make copies. Computers are given
commands, not permission. Only people can be given permission."
-- Brad Templeton
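Added example, not part of the original post or Walter's reply: a PIX 6.3 configuration fragment that puts together the three points above (drop `sysopt connection permit-ipsec` and restrict the outside ACL; give `ip local pool` an explicit mask; move from DES/MD5 to 3DES/SHA once the free key is installed). Everything about the inside network is assumed: the LAN is taken to be 192.168.1.0/24, the FTP server 192.168.1.10, the AP and Vonage adapter 192.168.1.2 and .3, the cameras 192.168.1.50 (assumed to be served over HTTP), the outside ACL name `outside_in`, and the pool mask 255.255.255.0. The `management-access` line is also an assumption about what the poster wants for telnet to the PIX over the tunnel.

```text
! --- 1. Decrypted IPsec traffic must pass the outside ACL like everything else
no sysopt connection permit-ipsec

! --- 2. Outside ACL: ICMP echo/echo-reply, then only the VPN pool to named
!        inside services. Anything not listed is dropped.
!        The pool 172.26.69.10-25 falls inside 172.26.69.0/27 (mask .224).
access-list outside_in permit icmp any any echo
access-list outside_in permit icmp any any echo-reply
! ping inside hosts from the road
access-list outside_in permit icmp 172.26.69.0 255.255.255.224 192.168.1.0 255.255.255.0
! FTP server (assumed 192.168.1.10); passive mode needs the ftp fixup, on by default
access-list outside_in permit tcp 172.26.69.0 255.255.255.224 host 192.168.1.10 eq ftp
! telnet to the AP and the Vonage adapter (assumed .2 and .3)
access-list outside_in permit tcp 172.26.69.0 255.255.255.224 host 192.168.1.2 eq telnet
access-list outside_in permit tcp 172.26.69.0 255.255.255.224 host 192.168.1.3 eq telnet
! Remote Desktop / Remote Assistance (TCP 3389) to the PCs
access-list outside_in permit tcp 172.26.69.0 255.255.255.224 192.168.1.0 255.255.255.0 eq 3389
! IP cameras (assumed HTTP on 192.168.1.50)
access-list outside_in permit tcp 172.26.69.0 255.255.255.224 host 192.168.1.50 eq www
access-group outside_in in interface outside
! isakmp enable outside already accepts IKE/ESP addressed to the PIX itself;
! if tunnels stop forming after the sysopt change, add permits for
! udp eq isakmp and esp from any to any and re-test.

! --- 3. LAN-to-pool traffic must not be NATed (probably already present,
!        since the cameras are reachable today)
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.26.69.0 255.255.255.224
nat (inside) 0 access-list nonat

! --- 4. Address pool with an explicit mask (the parameter Walter points at;
!        the value 255.255.255.0 is an assumption)
ip local pool ipool 172.26.69.10-172.26.69.25 mask 255.255.255.0

! --- 5. Telnet to the PIX inside address over the tunnel (assumed wanted)
management-access inside
telnet 172.26.69.0 255.255.255.224 inside

! --- 6. After the free 3DES/AES activation key is installed
!        (activation-key <key>; verify with: show version -> VPN-3DES-AES: Enabled)
crypto ipsec transform-set myset esp-3des esp-sha-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
```

To check that the ACL, not the tunnel, is what is blocking a service, connect over the VPN, try the service, then look at the hit counts in `show access-list outside_in` and at `show crypto ipsec sa` for the decaps/encaps counters; a rising encaps count with no hits on the matching ACL line points at the NAT exemption or the pool mask rather than the ACL.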