Cisco VPN Client

PIX Firewall OS version 6.2 introduced the use of the PIX unit as an Easy VPN Remote device (client) connecting to any Easy VPN Server, such as a Cisco VPN 3000 Concentrator, another PIX Firewall, or, in later releases, a device running Cisco IOS Software. The Easy VPN Remote feature for the PIX is also referred to as the hardware client or EzVPN client. This "hardware client" feature allows the PIX unit to establish a VPN tunnel to an Easy VPN Server. Host devices on the PIX Firewall-protected LAN can connect through the Easy VPN Server without running any VPN client software.

To enable the PIX Firewall as an Easy VPN Remote device, you must select one of the following modes of operation.

Client Mode

In Client mode, VPN connections are initiated by traffic, so resources are used only as needed. The PIX unit performs NAT on the IP addresses of all LAN clients connected through the inside (higher security) interface. This mode also requires the DHCP server to be enabled on the inside interface, as covered in Chapter 18.

Network Extension Mode

In Network Extension mode, VPN connections are maintained even when no traffic is being transmitted. This mode does not perform NAT on the IP addresses of clients connected through the inside (higher security) interface.

In Network Extension mode, the IP addresses of clients on the inside interface arrive unchanged at the Easy VPN Server. If these are legal global addresses, they can be forwarded to the public Internet without further processing. Otherwise, the Easy VPN Server can provide NAT for them, or they can be forwarded to a private network without translation.

Establishing Preliminary Connectivity

Before attempting to create a VPN connection between the PIX Firewall Easy VPN Remote device and an Easy VPN Server, you must establish network connectivity between both devices through their respective ISPs. This connectivity could include using a DSL or cable modem. Verify connectivity before continuing.

Easy VPN Remote Configuration

Because the Easy VPN Server controls the policy enforced on any Easy VPN Remote device, the remote device configuration is simplified considerably. The basic local configuration can be performed using the command-line interface or by using Cisco PIX Device Manager (PDM), covered in Chapter 22. The local configuration steps required include the following.

The vpnclient commands used to configure the Easy VPN Remote device store the configuration information in the flash memory of the PIX Firewall, so it is preserved when the device reboots.

Step 1: Define the VPN group and password by entering the following command:

Pix(config)# vpnclient vpngroup group_name password preshared_key

group_name       VPN group configured on the Easy VPN Server. Up to 63 characters.
preshared_key    IKE preshared key used for authentication by the Easy VPN Server.

Step 2: (Optional.) If the Easy VPN Server uses extended authentication (Xauth) to authenticate the PIX Firewall client, enter the following command:

Pix(config)# vpnclient username xauth_username password xauth_password

xauth_username   User name to be used for user authorization. Up to 127 characters.
xauth_password   User password to be used for user authorization. Up to 127 characters.

Step 3: Identify the remote Easy VPN Server by entering the following command:

Pix(config)# vpnclient server ip_primary [ip_secondary_n]

ip_primary       Primary IP address of the remote Easy VPN Server.
ip_secondary_1, ip_secondary_2, ..., ip_secondary_n
                 Any secondary IP addresses (backup VPN headends), from 1 to n, for the remote Easy VPN Server. The limit is determined by the device platform.

Step 4: Set the Easy VPN Remote mode by entering the following command:

Pix(config)# vpnclient mode {client-mode | network-extension-mode}

Step 5: Enable Easy VPN Remote by entering the following command:

Pix(config)# vpnclient enable

The no vpnclient enable command closes all established VPN tunnels and prevents new VPN tunnels from initiating until you enter vpnclient enable again. The clear vpnclient command removes all vpnclient commands from your configuration.

Step 6: (Optional.) Use the show vpnclient command to display the current status and configuration of Easy VPN Remote. Enter the following command:

Pix(config)# show vpnclient

The following is an example of a basic Easy VPN Remote configuration (note that show vpnclient masks both the preshared key and the Xauth password).

Pix(config)# vpnclient vpngroup testgrp_a password testkey_a 
Pix(config)# vpnclient username testuser_1 password testpass_1 
Pix(config)# vpnclient server 1.1.250.1 
Pix(config)# vpnclient mode client-mode
Pix(config)# show vpnclient
Local Configuration
vpnclient vpngroup testgrp_a password ********
vpnclient username testuser_1 password ********
vpnclient server 1.1.250.1
vpnclient mode client-mode
Pix(config)#
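As an added example (not from the book or from Cisco), the following Python script checks a pasted vpnclient configuration against the constraints given in Steps 1 to 5 above: the 63- and 127-character limits, the two valid modes, a server address, and the easily forgotten vpnclient enable. The sample session is constructed and deliberately omits Step 5 so the check has something to report.

```python
import re

# Limits stated in the text: group name up to 63 chars, Xauth fields up to 127, two valid modes.
MAX_GROUP = 63
MAX_XAUTH = 127
MODES = {"client-mode", "network-extension-mode"}

# Constructed sample: the book's example with Step 5 (vpnclient enable) left out.
SAMPLE = ("Pix(config)# vpnclient vpngroup testgrp_a password testkey_a\n"
          "Pix(config)# vpnclient server 1.1.250.1\n"
          "Pix(config)# vpnclient mode client-mode\n")

def parse_vpnclient_config(text):
    """Collect vpnclient settings from CLI lines; prompts and other lines are ignored."""
    cfg = {"servers": [], "enable": False}
    for raw in text.splitlines():
        line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())  # drop a 'Pix(config)# ' prompt
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "vpnclient":
            continue
        sub, args = tokens[1], tokens[2:]
        if sub == "vpngroup" and len(args) == 3 and args[1] == "password":
            cfg["group"], cfg["preshared_key"] = args[0], args[2]
        elif sub == "username" and len(args) == 3 and args[1] == "password":
            cfg["xauth_user"], cfg["xauth_pass"] = args[0], args[2]
        elif sub == "server" and args:
            cfg["servers"].extend(args)      # primary first, then any backup headends
        elif sub == "mode" and len(args) == 1:
            cfg["mode"] = args[0]
        elif sub == "enable" and not args:
            cfg["enable"] = True
    return cfg

def check_vpnclient_config(cfg):
    """Return the list of problems; an empty list means Steps 1, 3, 4 and 5 are all present."""
    problems = []
    if "group" not in cfg:
        problems.append("Step 1 missing: no vpngroup/preshared key")
    elif len(cfg["group"]) > MAX_GROUP:
        problems.append("group name exceeds 63 characters")
    for key in ("xauth_user", "xauth_pass"):
        if len(cfg.get(key, "")) > MAX_XAUTH:
            problems.append(f"{key} exceeds 127 characters")
    if not cfg["servers"]:
        problems.append("Step 3 missing: no Easy VPN Server address")
    if cfg.get("mode") not in MODES:
        problems.append("Step 4 missing or invalid: mode must be client-mode or network-extension-mode")
    if not cfg["enable"]:
        problems.append("Step 5 missing: vpnclient enable absent, no tunnel will come up")
    return problems
```

Run check_vpnclient_config(parse_vpnclient_config(SAMPLE)) to see the single Step 5 finding for the sample; feeding it the output of show vpnclient works too, since the masked password fields still have three tokens.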

Part III: Virtual Private Networks (VPNs)