PIX to Cisco VPN 3000 Client
Complete the tasks outlined in this Practical Exercise. Also review the Practical Exercise solution to see how you did and to see what concepts you might need to review.
In this Practical Exercise, you are the administrator of a PIX firewall that will be the terminating endpoint for VPNs from a VPN 3000 client.
Background Information
You will configure your firewall to accept connections from both the Cisco VPN Client 2.5.X and the Cisco VPN Client 3.x. The 2.5.X client will use D-H group 1, the PIX default, and the 3.x client will use D-H group 2. The isakmp policy # group 2 command lets the 3.x clients make a connection. You will define multiple ISAKMP policies to allow the different versions of the VPN 3000 clients to use your firewall as its tunnel endpoint. You will assign IP addresses to the clients as they connect. You will use the topology illustrated in Figure 14-11.
Figure 14-11. PIX to Cisco VPN 3000 Client
Task 1: Configure PIX
- Step 1. At the PIX console, provide all the configuration required to
configure the PIX firewall:
-
- Define traffic for the mode pool.
-
- Define the mode pool.
-
- Prevent NAT for the pool.
-
- Enable IPSec sysopt.
-
- Enable ISAKMP.
-
- Define IKE parameters for VPN 3000 3.x.
-
- Define IKE parameters for VPN 3000 2.x.
-
- Define IKE parameters for all clients.
-
- Define IPSec parameters.
-
Task 2: Define the Client Parameters
- Step 1. On the client PC, provide all the configuration required to
create the connection IPSec settings:
-
- Click New to create a new connection, and assign a name to your entry in the Connection Entry box.
-
- Enter the IP address of the destination's public interface.
-
- Under Group Access Information, enter the group name and group password.
-
- Click Finish to save the profile in the Registry.
-
- Click Connect to test the connection.
-