IOS Easy VPN Remote Hardware Client to a PIX Easy VPN Server Configuration Example


This document provides a sample configuration for IPSec between the Cisco IOS® Easy VPN Remote Hardware Client and the PIX Easy VPN Server.

Note: The Easy VPN Remote feature is also referred to as Hardware Client and EzVPN Client.

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Ensure that your Cisco IOS and hardware supports the Easy VPN Remote feature.
  • Ensure that your Easy VPN Server is a PIX Firewall that runs PIX Software Version 6.2 or later.
  • Ensure that you have a 3DES license installed on your PIX. Refer to *Free* Register for a 3DES/AES

Network Diagram

[Network diagram image: PIX 501 (inside 172.16.1.0/24, outside 140.4.10.1) to Cisco 831 (outside 140.4.10.2, inside 192.168.1.0/24)]

Configurations

PIX 501 Easy VPN Server:

pix501# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix501
domain-name manucomp.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Specify the access list to bypass
!--- Network Address Translation (NAT) for VPN traffic.

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

!--- Specify the split tunneling access list.

access-list 110 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24

logging console informational
mtu outside 1500
mtu inside 1500
ip address outside 140.4.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400

!--- Configure NAT/Port Address Translation (PAT)
!--- for non-encrypted traffic, as well as NAT for IPSec traffic.

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 140.4.10.2 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec

!--- Configure IPSec transform set and dynamic crypto map.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Apply crypto map to the outside interface.

crypto map mymap interface outside

!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Configure VPN Group parameters that are sent down to the client.
!--- The group name must match the "group" keyword of the
!--- "crypto ipsec client ezvpn" configuration on the IOS client.

vpngroup vpn-hw-client-group dns-server 172.16.1.1
vpngroup vpn-hw-client-group wins-server 172.16.1.1
vpngroup vpn-hw-client-group default-domain cisco.com
vpngroup vpn-hw-client-group split-tunnel 110
vpngroup vpn-hw-client-group idle-time 1800
vpngroup vpn-hw-client-group password cisco123

telnet 208.97.111.237 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain manucomp.com
dhcpd option 150 ip 172.16.1.254
terminal width 80
Cryptochecksum:7804f1bcdbc95fa17bc4f41e8c0ebc3e
: end

Cisco 831 IOS Easy VPN Remote Hardware Client:

R-831#sh run
Building configuration...

Current configuration : 2046 bytes

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname R-831

boot-start-marker
boot-end-marker

enable secret 5 $1$m4k4$MZavrcmPXuB0xKF.8Hfm31

no aaa new-model

ip subnet-zero

no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable

crypto ipsec client ezvpn vpn-hw-client
connect auto
group vpn-hw-client-group key cisco123
mode network-extension
peer 140.4.10.1
acl 110

interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip virtual-reassembly
crypto ipsec client ezvpn vpn-hw-client inside
hold-queue 100 out
!
interface Ethernet1
ip address 140.4.10.2 255.255.255.0
ip virtual-reassembly
duplex auto
crypto ipsec client ezvpn vpn-hw-client
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto

ip classless
ip route 172.16.1.0 255.255.255.0 140.4.10.1
ip http server
no ip http secure-server

access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

control-plane

alias exec sb show ip int brief

line con 0
privilege level 15
password cisco
logging synchronous
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco

scheduler max-task-time 5000
end
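The two configurations above only work together when a handful of values agree: the client's "group ... key ..." must match a "vpngroup ... password" on the PIX, the client's "peer" must be the PIX outside address, and the split-tunnel ACL on the PIX must be the mirror image of the ACL the client tunnels. The script below is an added example, not Cisco's code or part of this page's configurations; it reads trimmed copies of the two configs (constructed from this page, with the vpngroup name assumed to be vpn-hw-client-group on every line) and reports any of those mismatches, including a constructed variant where the PIX password line uses a group name the client never sends.

```python
"""Cross-check an IOS Easy VPN Remote client config against a PIX Easy VPN
Server config for the values that must agree before the tunnel can come up.
Added example; not Cisco's code. The excerpts below are constructed from this
page, trimmed to the lines the check reads."""
import ipaddress
import re

PIX_CONFIG = """\
access-list 110 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 140.4.10.1 255.255.255.0
vpngroup vpn-hw-client-group split-tunnel 110
vpngroup vpn-hw-client-group password cisco123
"""

# Constructed variant: the password line carries a group name the client never
# sends, so the server has no key for the group the client asks for.
PIX_CONFIG_MISMATCHED = PIX_CONFIG.replace(
    "vpngroup vpn-hw-client-group password", "vpngroup vpn-hw-client password")

IOS_CONFIG = """\
crypto ipsec client ezvpn vpn-hw-client
 connect auto
 group vpn-hw-client-group key cisco123
 mode network-extension
 peer 140.4.10.1
 acl 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""


def first(pattern, text):
    """Return the groups of the first multi-line match of pattern, or None."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None


def acl_ip_entry(config, number):
    """(src_net, dst_net) of the first 'permit ip' line of a numbered ACL.
    ipaddress.ip_network accepts both a PIX subnet mask (255.255.255.0) and an
    IOS wildcard mask (0.0.0.255) after the slash, so one parser serves both."""
    g = first(rf"^access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)\s*$", config)
    if g is None:
        return None
    return ipaddress.ip_network(f"{g[0]}/{g[1]}"), ipaddress.ip_network(f"{g[2]}/{g[3]}")


def check_consistency(pix, ios):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []

    # 1. Group name and key: 'group X key Y' on the client must match a
    #    'vpngroup X password Y' on the PIX.
    client = first(r"^\s*group (\S+) key (\S+)", ios)
    if client is None:
        return ["IOS: no 'group ... key ...' under the ezvpn client"]
    group, key = client
    server_key = first(rf"^vpngroup {re.escape(group)} password (\S+)", pix)
    if server_key is None:
        findings.append(f"PIX: no 'vpngroup {group} password' for the group the client uses")
    elif server_key[0] != key:
        findings.append(f"PIX/IOS: pre-shared key for group {group} differs")

    # 2. Peer: the client's peer must be the PIX outside address.
    peer = first(r"^\s*peer (\S+)", ios)
    outside = first(r"^ip address outside (\S+)", pix)
    if peer is None or outside is None or peer[0] != outside[0]:
        findings.append(f"IOS peer {peer} is not the PIX outside address {outside}")

    # 3. Split tunnel: the PIX ACL (server to client) must mirror the IOS ACL
    #    (client to server), i.e. source and destination swapped.
    split = first(rf"^vpngroup {re.escape(group)} split-tunnel (\S+)", pix)
    client_acl = first(r"^\s*acl (\S+)", ios)
    if split and client_acl:
        pix_entry = acl_ip_entry(pix, split[0])
        ios_entry = acl_ip_entry(ios, client_acl[0])
        if pix_entry is None or ios_entry is None:
            findings.append("split-tunnel ACL referenced but not found")
        elif (pix_entry[0], pix_entry[1]) != (ios_entry[1], ios_entry[0]):
            findings.append(f"split-tunnel ACLs are not mirror images: PIX {pix_entry}, IOS {ios_entry}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PIX_CONFIG), ("mismatched", PIX_CONFIG_MISMATCHED)):
        print(name, check_consistency(cfg, IOS_CONFIG) or "OK")
```

Run it against full "show run" captures from both devices to catch the usual causes of a tunnel that never reaches QM_IDLE (wrong group name or key, wrong peer) and of a tunnel that comes up but carries no traffic (ACLs that are not mirror images).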

Verify

PIX Easy VPN Server:

show crypto isakmp sa: Displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

pix501(config)#show crypto isakmp sa

Total     : 1
Embryonic : 0

        dst               src        state     pending     created
   140.4.10.2       140.4.10.1    QM_IDLE           0           1

show crypto ipsec sa: Displays IPSec SAs built between peers.

pix501(config)#show crypto ipsec sa

!--- This command is issued after a ping
!--- is attempted from the PC behind the
!--- Easy VPN Client to the PC
!--- behind the server.

interface: outside
Crypto map tag: mymap, local addr. 140.4.10.1
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 140.4.10.2:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

!--- The non-zero encaps/decaps counters show that the ping
!--- packets are successfully exchanged between the
!--- Easy VPN Remote Hardware Client
!--- and the Easy VPN Server.

local crypto endpt.: 140.4.10.1, remote crypto endpt.: 140.4.10.2
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 13f1aa83
inbound esp sas:
spi: 0xf4dd4178(4108140920)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28567)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x13f1aa83(334604931)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28567)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

Cisco IOS Easy VPN Remote Hardware Client:

show crypto isakmp sa: Displays all current IKE SAs at a peer.

R-831#show crypto isakmp sa

        dst               src        state     pending     created
   140.4.10.1       140.4.10.2    QM_IDLE           0           1

show crypto ipsec sa: Displays IPSec SAs built between peers.

R-831#show crypto ipsec sa

!--- This command is issued after a ping
!--- is attempted from the PC behind the
!--- Easy VPN Client to the PC
!--- behind the server.

interface: Ethernet1
Crypto map tag: Ethernet1-head-0, local addr. 140.4.10.2
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 140.4.10.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

!--- The non-zero encaps/decaps counters show that the ping
!--- packets are successfully exchanged between
!--- the Easy VPN Remote Hardware Client
!--- and the Easy VPN Server.

local crypto endpt.: 140.4.10.2, remote crypto endpt.: 140.4.10.1
path mtu 1500, media mtu 1500
current outbound spi: F4DD4178
inbound esp sas:
spi: 0x13F1AA83(334604931)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 20, flow_id: 1, crypto map: Ethernet1-head-0
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (4444258/28648)
ike_cookies: A12E6D0D 2C8D9B92 41AB02FB A00A5B03

IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF4DD4178(4108140920)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 21, flow_id: 2, crypto map: Ethernet1-head-0
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (4444258/28647)
ike_cookies: A12E6D0D 2C8D9B92 41AB02FB A00A5B03
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

show crypto ipsec client ezvpn: Displays VPN Client or Easy VPN Remote device configuration information.

R-831#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2

Tunnel name : vpn-hw-client
Inside interface list: Ethernet0,
Outside interface: Ethernet1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
DNS Primary: 172.16.1.1
DNS Secondary: 172.16.1.1
NBMS/WINS Primary: 172.16.1.1
NBMS/WINS Secondary: 172.16.1.1
Default Domain: cisco.com
Split Tunnel List: 1
Address : 172.16.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
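The verify outputs above are read by eye: the IKE SA should be in QM_IDLE, both ends should show non-zero encaps and decaps counters, the inbound SPI on one end should be the outbound SPI on the other, and the proxy identities should be mirror images. The script below is an added example, not Cisco tooling or output from this page's devices; it applies those same checks to copies of the page's "show crypto isakmp sa" and "show crypto ipsec sa" output (constructed here, trimmed to the fields the check reads) and, as a second case, to a constructed variant in which the client never decapsulates anything, the classic symptom of return traffic that is not being tunnelled (for example when the NAT-exemption ACL is missing).

```python
"""Health-check an Easy VPN tunnel from 'show crypto isakmp sa' and the
'show crypto ipsec sa' output of both ends. Added example, not Cisco tooling;
the samples below are constructed from the output shown on this page."""
import re

PIX_ISAKMP = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   140.4.10.2       140.4.10.1    QM_IDLE           0           1
"""

PIX_IPSEC = """\
interface: outside
    Crypto map tag: mymap, local addr. 140.4.10.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 140.4.10.2:500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
    #send errors 0, #recv errors 0
     current outbound spi: 13f1aa83
     inbound esp sas:
      spi: 0xf4dd4178(4108140920)
     outbound esp sas:
      spi: 0x13f1aa83(334604931)
"""

IOS_IPSEC = """\
interface: Ethernet1
    Crypto map tag: Ethernet1-head-0, local addr. 140.4.10.2
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer: 140.4.10.1:500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
     current outbound spi: F4DD4178
     inbound esp sas:
      spi: 0x13F1AA83(334604931)
     outbound esp sas:
      spi: 0xF4DD4178(4108140920)
"""

# Constructed failure case: the client encrypts but never receives anything.
IOS_IPSEC_NO_RETURN = IOS_IPSEC.replace("#pkts decaps: 5", "#pkts decaps: 0")


def isakmp_sa(text):
    """Return {dst, src, state} from the first SA row of 'show crypto isakmp sa'."""
    m = re.search(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+\d+\s+\d+\s*$", text, re.M)
    return {"dst": m[1], "src": m[2], "state": m[3]} if m else None


def ipsec_sa(text):
    """Pull the fields the health check needs out of 'show crypto ipsec sa'."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m[1]) if m else None
    return {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote_ident": grab(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
        # SPIs are printed in hex, lower-case on the PIX and upper-case on IOS;
        # parse them as integers so the two ends compare directly.
        "inbound_spi": grab(r"inbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", lambda h: int(h, 16)),
        "outbound_spi": grab(r"outbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)", lambda h: int(h, 16)),
    }


def check_tunnel(isakmp_text, side_a, side_b):
    """Return findings for a tunnel seen from both ends; empty list = healthy."""
    findings = []
    ike = isakmp_sa(isakmp_text)
    if ike is None or ike["state"] != "QM_IDLE":
        findings.append(f"IKE SA not in QM_IDLE: {ike}")
    a, b = ipsec_sa(side_a), ipsec_sa(side_b)
    for name, sa in (("A", a), ("B", b)):
        if not sa["encaps"]:
            findings.append(f"{name}: no packets encapsulated (nothing matched the crypto ACL)")
        if not sa["decaps"]:
            findings.append(f"{name}: no packets decapsulated (no return traffic arriving)")
        if sa["send_errors"] or sa["recv_errors"]:
            findings.append(f"{name}: send/recv errors {sa['send_errors']}/{sa['recv_errors']}")
    # Each end's inbound SA is the other end's outbound SA, so SPIs must pair up.
    if a["inbound_spi"] != b["outbound_spi"] or a["outbound_spi"] != b["inbound_spi"]:
        findings.append("SPIs do not pair up between the two ends")
    # The proxy identities (local/remote ident) must be mirror images.
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identities are not mirror images")
    return findings


if __name__ == "__main__":
    print("page output:", check_tunnel(PIX_ISAKMP, PIX_IPSEC, IOS_IPSEC) or "healthy")
    print("no return  :", check_tunnel(PIX_ISAKMP, PIX_IPSEC, IOS_IPSEC_NO_RETURN))
```

Feeding it captures taken a few seconds apart also shows whether the counters are still climbing, which is a better liveness signal than a single QM_IDLE line, since an IKE SA can stay idle long after the protected traffic has stopped flowing.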