How to configure a Cisco PIX 506E for remote access with AES 256 bit encryption

Here is how I configured a Cisco PIX 506E for remote access. This is the running config; I changed the IP addresses and other details for security reasons.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

!-- Define the privileged mode password
enable password QveUAuiX encrypted

!-- The telnet password
passwd QveUAui encrypted

!-- Define the host name
hostname Wii

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!-- Define access list 101 to enable split tunnel
access-list 101 permit ip 10.10.11.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 101 permit ip host 10.10.30.1 10.10.20.0 255.255.255.0

!-- Define access list 102 to exempt IPsec packets from network address translation (NAT).
access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 102 permit ip host 10.10.30.1 10.10.20.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500

!-- Define the public IP on ethernet0
ip address outside 72.10.10.100 255.255.255.248

!-- Define the LAN IP on ethernet1
ip address inside 10.10.11.2 255.255.255.0

ip audit info action alarm
ip audit attack action alarm

!-- Define the DHCP pool for remote clients
ip local pool Remote-dhcp-pool 10.10.20.100-10.10.20.150
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface

!-- Do not NAT IPsec packets
nat (inside) 0 access-list 102

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!-- Configure the default route
route outside 0.0.0.0 0.0.0.0 72.10.10.99 1

!-- Configure the route to the internal network
route inside 10.10.30.0 255.255.255.0 10.10.11.1 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!-- Allow packets arriving from the IPsec tunnel to pass without being checked against conduits and access lists
sysopt connection permit-ipsec

!-- Configure the transform set; use the AES 256 bit encryption algorithm
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

!-- Configure the dynamic crypto map and add it to the static crypto map
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2

!-- Enable local authentication; the client is prompted for user authentication
crypto map map1 client authentication LOCAL

!-- Bind the crypto map to the outside interface (Ethernet 0)
crypto map map1 interface outside

isakmp enable outside
isakmp identity address
!-- Define the isakmp policy used while negotiating the isakmp SA. Use AES 256 bit as encryption. The available AES options are AES, AES 192 and AES 256; AES 192 is unsupported by the VPN client.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!-- Define the VPN group called nintendo and the policy attributes downloaded to the Easy VPN client (remote client).
vpngroup nintendo address-pool Remote-dhcp-pool
vpngroup nintendo dns-server 10.10.11.10
vpngroup nintendo default-domain wiivil.com

!-- Apply access list 101 to enable split tunnel for the remote client. Removing this line disables split tunnel, which is recommended for higher security.
vpngroup nintendo split-tunnel 101

vpngroup nintendo idle-time 1800
vpngroup nintendo password ********
!-- Enable telnet on the LAN interface (Ethernet 1).
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

!-- Define remote user Wii and set the password to wiivil
username Wii password wiivil encrypted privilege 2

!-- Define remote user zelda and set the password to nintendo
username zelda password nintendo encrypted privilege 2
terminal width 80
Cryptochecksum:b8b824d9c20b2ec0bc2170bb5d8b5e71
: end
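As an added example that is not part of this post or of Cisco's own tooling, here is a small Python audit that parses a PIX 6.3 running config like the one above and flags the settings a reviewer would want to revisit: a transform set or ISAKMP policy that falls short of the AES 256 goal, the default SNMP community, telnet/HTTP management open to any address, and split tunnelling (which the post notes is the less secure choice). The embedded sample config is a constructed excerpt of the listing above, and the finding strings are my own.

```python
import re

# Constructed excerpt of the PIX 6.3(5) running config listed above; "!--" comment lines are skipped.
SAMPLE_CONFIG = """\
!-- Configure the transform set, use AES 256 bit encryption algorithm
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
snmp-server community public
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
vpngroup nintendo split-tunnel 101
"""
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}
WEAK_IKE = {"des", "3des"}

def config_lines(text):
    """Non-empty, non-comment lines, lower-cased (PIX keywords are case-insensitive)."""
    return [l.strip().lower() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]

def audit_pix(text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    lines, findings = config_lines(text), []
    # transform-set name -> its ESP algorithms (walrus operator needs Python 3.8+)
    tsets = {m.group(1): m.group(2).split() for l in lines
             if (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", l))}
    for l in lines:
        # Phase 2: every transform set a dynamic map uses needs AES and an HMAC.
        if m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", l):
            algs = tsets.get(m.group(1), [])
            if not algs or WEAK_ESP & set(algs):
                findings.append(f"transform-set {m.group(1)}: weak or missing ESP cipher")
            if not any(a.endswith("-hmac") for a in algs):
                findings.append(f"transform-set {m.group(1)}: no ESP integrity (HMAC)")
        # Phase 1: ISAKMP cipher, hash and Diffie-Hellman group.
        if m := re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", l):
            kw, val = m.group(2), m.group(3)
            if (kw == "encryption" and val in WEAK_IKE) or (kw, val) in {("hash", "md5"), ("group", "1")}:
                findings.append(f"isakmp policy {m.group(1)}: weak {kw} {val}")
        # Management plane: default SNMP community, telnet/HTTP open to any address.
        if l == "snmp-server community public":
            findings.append("snmp: default community string 'public'")
        if m := re.match(r"(telnet|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l):
            findings.append(f"{m.group(1)}: management access from any {m.group(2)} address")
        # Split tunnelling, which the config above enables through access list 101.
        if m := re.match(r"vpngroup (\S+) split-tunnel (\S+)", l):
            findings.append(f"vpngroup {m.group(1)}: split tunnel enabled (ACL {m.group(2)})")
    return sorted(findings)
```

Run against the full listing above, the crypto checks pass (AES 256 in both phases with SHA HMAC) and the management-plane and split-tunnel lines are the ones reported.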

About Andrew Lin

Hi, I have always wanted to create a blog site but never had the time. I have been working in Information Technology for over 15 years. I specialize mainly in networks and server technologies and dabble a little with the programming aspects.
