dslreports logo
site
spacer

spacer
 
    «« DSL Hurdles Share Tool
spc

spacer




how-to block ads



The network layout that this configuration works for is
192.168.0.0 /24 -> Zywall 2x -> Speedstream 5100(PPOE)->internet ->Cisco 1720 -> x.x.x.192 /26 public ip pool -> Pix 501 -> 192.168.1.0 /24
The outside interface of the Pix is x.x.x.194

Pix config

MYCOFW# write t
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MYCOFW
domain-name MYCOMPANY.com
access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any
access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any
access-list To-Internet permit icmp any any
access-list From-Internet permit tcp any host x.x.x.196 eq smtp
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list to-internet permit icmp any any
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.194 255.255.255.192
ip address inside 192.168.1.25 255.255.255.0
ip local pool MYCOippool 192.168.2.1-192.168.2.254
global (outside) 1 x.x.x.200-x.x.x.250 netmask 255.255.255.192
global (outside) 1 x.x.x.251
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group From-Internet in interface outside
access-group To-Internet in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
http 192.168.1.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac
crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf
crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap
crypto map MYCOmap client configuration address initiate
crypto map MYCOmap client configuration address respond
crypto map MYCOmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local MYCOippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup MYCOvpn address-pool NONATippool
vpngroup MYCOvpn dns-server 205.171.3.65
vpngroup MYCOvpn wins-server 192.168.1.1
vpngroup MYCOvpn default-domain MYCOMPANY.com
vpngroup MYCOvpn idle-time 1800
vpngroup MYCOvpn password ********
vpngroup MYCO address-pool NONATippool
vpngroup MYCO dns-server 192.168.1.1 205.171.3.65
vpngroup MYCO wins-server 192.168.1.1
vpngroup MYCO default-domain MYCO.com
vpngroup MYCO idle-time 1800
vpngroup MYCO password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local NONATippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxx password xxxx
vpdn username yyyy password yyyyy
vpdn username zzzz password zzzzz
vpdn enable outside

Zywall Config:

Menu 27.1.1 - IPSec Setup

Index #= 1 Name= Work
Active= Yes Keep Alive= Yes Nat Traversal= No
Local ID type= IP Content=
My IP Addr= 0.0.0.0
Peer ID type= IP Content= x.x.x.194
Secure Gateway Address= x.x.x.194
Protocol= 17
Local: Addr Type= SUBNET
IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Remote: Addr Type= SUBNET
IP Addr Start= 192.168.1.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Enable Replay Detection= Yes
Key Management= IKE

Menu 27.1.1.1 - IKE Setup

Phase 1
Negotiation Mode= Main
PSK= ********
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH2

Phase 2
Active Protocol= ESP
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None

In addition I had to enable 2 firewall rules on the Zywall Wan/WanZywall interface.
1) Source address (x.x.x.192 255.255.255.192) Destination (Any) forward Any Tcp Any Udp

2) source address (Any) Destination (Any) forward (ike,gre,ah,esp) I also include icmp & auth, though I don't think these are necessary for the vpn, they help with dslr line monitoring & my mail server.

This is a thumbnail of the image, click to enlarge.


Expand got feedback?

by TerryMiller See Profile edited by aryoba See Profile
last modified: 2008-12-29 16:13:38