{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigw2s4gp36ojmuwu72zohtehxaawph3rf7ypg6q5oyhlu3ehcwbyu",
"uri": "at://did:plc:wnit4jb553jiwptxnj5srnmr/app.bsky.feed.post/3mgklfcdy3yb2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreifnt3ciyb52uz5xr2dxgbamxk4ctiwjoofuo3g5e4epi4hi4b2ko4"
},
"mimeType": "image/jpeg",
"size": 25560
},
"description": "Configure Cisco EasyVPN on a PIX Firewall",
"path": "/pix-easyvpn/",
"publishedAt": "2026-03-08T14:45:25.000Z",
"site": "https://cg1network.com",
"textContent": "Centralization and simplification: the EasyVPN server pushes policy to remote devices, so the per-site IPSec configuration lives on the server rather than on each remote.\n\nThe VPN remote (router, PIX or software client) initiates the tunnel to the VPN server. The VPN client software builds tunnels to IOS routers, VPN 3000 concentrators and PIX firewalls.\n\n**EasyVPN supports**\n\n * HMAC-MD5 and HMAC-SHA1 authentication\n * Pre-shared keys and RSA signatures\n * DH groups 2 and 5\n * DES and 3DES encryption\n * IPSec ESP and LZS payload compression\n * IPSec tunnel mode\n\n**EasyVPN does not support**\n\n * DSS (Digital Signature Standard)\n * DH group 1\n * IPSec AH\n * Transport mode\n * Manual keys\n\n**PIX Easy VPN Server 6.3**\n\n * Mode configuration\n * Extended Authentication (XAUTH)\n * Updated support for the VPN 3000 series\n * Certificates\n * DH group 5\n * AES encryption\n\n**Cisco VPN Client 3.X+**\n\n * Comes free with the VPN 3000 concentrator\n * Windows, Linux, Solaris, Mac, Certicom\n * IPSec, PPTP, L2TP, L2TP over IPSec\n * Access via analog, ISDN, DSL, cable, wireless\n * Unlimited Cisco VPN client software licenses\n\n[Screenshots: Cisco VPN Client (Simple Mode); Connections tab; Certificates tab; Log tab; New Connection Entry]\n\n**Cisco VPN 3002 Hardware Client**\n\n * 3002 has 1 public interface and 1 private interface\n * 3002-8E has a built-in 8-port 100 Mbps switch\n\n[Images: Cisco VPN 3002 Hardware Client; Cisco VPN 3002-8E Hardware Client]\n\n### Easy VPN Remote Operation Modes\n\n * Client mode\n   * Allows NAT/PAT; the client translates automatically\n   * Generates the ACLs necessary for the tunnel\n   * The PIX applies PAT to inside addresses, so a PC's IP is not visible to the central site\n   * Split tunneling is supported\n * Network extension mode\n   * Inside hosts keep fully routable IP addresses that the central site can reach directly\n   * PAT is not used; original addresses are not changed\n   * Split tunneling is supported\n\n**Easy VPN Connection Process**\n\n 1. IKE Phase 1 (pre-shared keys use Aggressive Mode, certificates use Main Mode)\n 2. The remote negotiates the IKE SA and the server accepts it\n 3. The server initiates the XAUTH challenge\n 4. The server initiates mode config (the IP address is the only required parameter)\n 5. IKE Quick Mode (Phase 2) completes the connection\n\nWith pre-shared keys, Aggressive Mode sends the group identity in the clear together with a hash derived from the group key, so the group password is only a weak first factor shared by every remote in the group; the per-user XAUTH credentials are what actually control access.\n\n### **Configure EasyVPN with XAUTH**\n\n 1. Create an ISAKMP policy for remote clients\n 2. Create an IP address pool\n 3. Define the group policy that mode config pushes\n 4. Create a transform set\n 5. Create a dynamic crypto map\n 6. Reference the dynamic crypto map from a static crypto map\n 7. Apply the static crypto map to the PIX outside interface\n 8. Configure XAUTH\n 9. Set NAT and NAT 0 (exempt tunnel traffic from translation)\n 10. Enable DPD (Dead Peer Detection)\n\n isakmp enable outside\n isakmp policy 15 authentication pre-share\n isakmp policy 15 encryption des\n isakmp policy 15 hash sha\n isakmp policy 15 group 2\n\n ip local pool EASYVPOOL 172.16.10.10-172.16.10.254\n\n vpngroup EASYV password CISCO123\n vpngroup EASYV dns-server 10.0.1.55\n vpngroup EASYV wins-server 10.0.1.55\n vpngroup EASYV default-domain example.com\n vpngroup EASYV address-pool EASYVPOOL\n vpngroup EASYV idle-time 1200\n\n crypto ipsec transform-set EASYV esp-des esp-sha-hmac\n\n crypto dynamic-map REMOTEMAP 10 set transform-set EASYV\n crypto map STATICMAP 10 ipsec-isakmp dynamic REMOTEMAP\n\n crypto map STATICMAP interface outside\n\n aaa-server ACS protocol tacacs+\n aaa-server ACS (inside) host 10.0.1.55 CISCO1234 timeout 8\n crypto map STATICMAP client authentication ACS\n\n access-list 121 permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0\n nat (inside) 0 access-list 121\n nat (inside) 1 0.0.0.0 0.0.0.0 0 0\n global (outside) 1 interface\n\n isakmp keepalive 30 10\n\nTwo points to check: the static map (STATICMAP), not the dynamic map, is the one applied to the interface and the one that carries the client authentication statement, because a dynamic map can only be referenced from a static map. And the example negotiates DES; PIX 6.3 also accepts 3DES and AES for both the ISAKMP policy and the transform set, and DES should not be chosen for a new deployment. NAT 0 with access-list 121 keeps traffic between the inside network and the client pool out of PAT, and isakmp keepalive turns on DPD so dead tunnels are torn down.\n\n### EasyVPN Remote\n\nConfigure a remote PIX to connect to the central server. The vpngroup name and password must match a vpngroup defined on the server, and vpnclient enable is entered last, after the other vpnclient parameters.\n\n vpnclient vpngroup DEVELOP password CISCO123\n vpnclient username USER password CISCO321\n vpnclient server 192.168.10.2\n vpnclient mode network-extension-mode\n vpnclient enable\n\n### SUA - Secure Unit Authentication\n\n * Security enhancement in version 6.3 when the PIX is used as an EasyVPN Remote\n * One-time passwords and two-factor authentication can be used to authenticate the remote PIX\n * SUA is part of an EasyVPN pushed policy, so it is configured on the server, not on the remote\n * Works differently depending on the mode\n * Uses HTTP requests to http://PIX-Address/vpnclient/connstatus.html\n\nWith SUA enabled, the locally configured vpnclient credentials are ignored. In client mode, the first HTTP request from an inside host is redirected to the PIX connection page; in network extension mode, a user must browse to that page directly. Once authentication is complete the tunnel comes up and all inside users can access the central site: SUA authenticates the unit, not each user.\n\n vpngroup DEVELOP secure-unit-authentication\n\n### IUA - Individual User Authentication\n\n * Forces inside VPN remote clients to be individually authenticated, tracked by their IP address\n * IUA is part of an EasyVPN pushed policy\n * Each user is prompted when they attempt a connection through the tunnel\n * Supports static passwords and OTP mechanisms\n\n vpngroup DEVELOP user-authentication",
"title": "PIX - EasyVPN",
"updatedAt": "2026-03-08T14:45:25.000Z"
}