Getting closer to implementation


jafo18301

IS-IT--Management
May 28, 2003
I am getting closer to implementing a vpn to vpn to vpn solution with remote access. I have the following config from one of the PIX 501s that I am using to connect three offices together. I want to have a private VPN tunnel between the three sites plus remote vpn access. Can someone verify this config and tell me if it will work before I implement it? I'm new to PIX firewalls but have setup many Cisco routers before. Thanks a million for any advice...

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname 2ndpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- This is traffic to First PIX.

access-list 110 permit ip sss.sss.sss.0 255.255.255.0 sss.sss.sss.0 255.255.255.0

!--- Do not do NAT on traffic to First PIX.

access-list 100 permit ip sss.sss.sss.0 255.255.255.0 sss.sss.sss.0 255.255.255.0
access-list 100 permit tcp any host ppp.ppp.ppp.ppp eq 4200
access-list 100 permit tcp any host ppp.ppp.ppp.ppp eq 9970
access-list 100 permit udp any host ppp.ppp.ppp.ppp eq 4200
access-list 100 permit udp any host ppp.ppp.ppp.ppp eq 9970
static (inside,outside) tcp ppp.ppp.ppp.ppp 4200 sss.sss.sss.sss 4200 netmask 255.255.255.255
static (inside,outside) tcp ppp.ppp.ppp.ppp 9970 sss.sss.sss.sss 9970 netmask 255.255.255.255
access-group 105 in interface outside
ip local pool pptp-pool sss.sss.s.sss-sss.sss.sss.ss
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username xxxxxxxx password xxxxxxxx
vpdn enable outside
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside ppp.ppp.ppp.ppp 255.255.255.0
ip address inside sss.sss.sss.s 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Do not do NAT on traffic to First PIX.

nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 ppp.ppp.ppp.ppp 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac

!--- This is traffic to First PIX.

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer rrr.rrr.rrr.rrr
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address rrr.rrr.rrr.rrr netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end



All ppp.ppp.ppp.ppp addresses are equated with a static IP address. All sss.sss.sss.sss addresses are equated with a local (internal) IP address. All rrr.rrr.rrr.rrr addresses are equated with the remote IP address of another PIX.

Thanks again in advance,

Shawn
 
access-list 100 permit tcp any host ppp.ppp.ppp.ppp eq 4200
access-list 100 permit tcp any host ppp.ppp.ppp.ppp eq 9970
access-list 100 permit udp any host ppp.ppp.ppp.ppp eq 4200
access-list 100 permit udp any host ppp.ppp.ppp.ppp eq 9970
static (inside,outside) tcp ppp.ppp.ppp.ppp 4200 sss.sss.sss.sss 4200 netmask 255.255.255.255
static (inside,outside) tcp ppp.ppp.ppp.ppp 9970 sss.sss.sss.sss 9970 netmask 255.255.255.255

Forgive me as I just got back from vacation, but I am unsure as to what you are trying to accomplish with the lines above. I am clear on the static PAT. However, your access-list 100 is saying do not NAT any internal IP that goes to the Public IP on these ports. The reason that I say internal is because of "nat (inside) 0 access-list 100". What traffic is it that you don't want NAT'ed?
 
rudeboy,
Thanks for the reply. I was looking on Cisco's website and it looked like this would be the most secure point to point config I could use. Forgive me since this is really the first time I'm working with a pix firewall device. I usually configure 1750s and 2600s for this type of application. I am trying to setup a vpn to vpn to vpn type of connection. I have 3 different offices that I want to have a secure vpn between. I also want to setup a remote vpn access as well. I am port forwarding a few ports b/c I am going to be using PCAnywhere between all of the sites. Hope this makes sense.

Shawn
 
You'll need to mesh your VPN if you want all sites to see all others. For sites A, B, and C, you'd have tunnels like this:
A <-> B
A <-> C
B <-> C

Your pptp VPN also won't see the sites behind other Pix's. You'll need a different endpoint, or something like a terminal server behind the Pix that serves the client VPN.
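To make the meshing concrete, here is an added example (my own code, not from this thread or from Cisco) that enumerates the tunnel pairs for a set of sites and emits the LAN-to-LAN lines each PIX needs, in the same PIX 6.3 syntax used in the configs above: one match ACL, one crypto map entry and one isakmp key per remote peer, and a single nat 0 ACL covering every remote private network. The site names, the 198.51.100.x public addresses and the PLACEHOLDER_PSK_* key labels are constructed for the example; real pre-shared keys would replace the placeholders.

```python
from itertools import combinations

# Constructed sample sites using documentation addresses (not the thread's real ones).
SITES = {
    "A": {"public": "198.51.100.1", "lan": "10.1.1.0", "mask": "255.255.255.0"},
    "B": {"public": "198.51.100.2", "lan": "10.2.2.0", "mask": "255.255.255.0"},
    "C": {"public": "198.51.100.3", "lan": "10.3.3.0", "mask": "255.255.255.0"},
}


def mesh_tunnels(sites):
    """Every unordered pair of sites needs its own tunnel: n*(n-1)/2 in total."""
    return list(combinations(sorted(sites), 2))


def shared_key_name(a, b):
    """Placeholder pre-shared key label. Both ends of a tunnel must use the
    same key, so it is derived from the pair, not from the local site."""
    return "PLACEHOLDER_PSK_" + "".join(sorted((a, b)))


def pix_site_config(name, sites, map_name="newmap", transform="myset"):
    """Return the LAN-to-LAN IPsec lines one PIX needs for a full mesh."""
    me = sites[name]
    peers = [p for p in sorted(sites) if p != name]
    lines = []
    # ACL 100 is referenced by 'nat (inside) 0', so it lists only
    # private-network-to-private-network traffic: no 'any', no ports.
    for peer in peers:
        r = sites[peer]
        lines.append(f"access-list 100 permit ip {me['lan']} {me['mask']} {r['lan']} {r['mask']}")
    lines.append("nat (inside) 0 access-list 100")
    lines.append(f"crypto ipsec transform-set {transform} esp-des esp-md5-hmac")
    for seq, peer in enumerate(peers, start=1):
        r = sites[peer]
        acl, mseq = 100 + 10 * seq, 10 * seq   # ACL 110/120/..., map entries 10/20/...
        lines.append(f"access-list {acl} permit ip {me['lan']} {me['mask']} {r['lan']} {r['mask']}")
        lines.append(f"crypto map {map_name} {mseq} ipsec-isakmp")
        lines.append(f"crypto map {map_name} {mseq} match address {acl}")
        lines.append(f"crypto map {map_name} {mseq} set peer {r['public']}")
        lines.append(f"crypto map {map_name} {mseq} set transform-set {transform}")
        lines.append(f"isakmp key {shared_key_name(name, peer)} address {r['public']} "
                     "netmask 255.255.255.255 no-xauth no-config-mode")
    # One crypto map per interface: every peer entry lives in the same map.
    lines.append(f"crypto map {map_name} interface outside")
    lines.append("isakmp enable outside")
    return lines


def peer_count(lines):
    """Number of static peers a generated config talks to (n-1 in a full mesh)."""
    return sum(1 for ln in lines if " set peer " in ln)


if __name__ == "__main__":
    print("tunnels:", mesh_tunnels(SITES))
    for site in SITES:
        print(f"\n! ---- site {site} ----")
        print("\n".join(pix_site_config(site, SITES)))
```

Running it prints three tunnel pairs (A-B, A-C, B-C) and, for each site, two crypto map entries under the one map that is bound to the outside interface. The key label for A's entry towards B is the same string B uses towards A, which is the property the real pre-shared keys have to satisfy.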
 
First off, I agree with lgarner as you will need a meshed environment. Your 3 sites will make a triangle.

Second, Do you want your site to site tunnels to have full access to each others LANs? Like lgarner pointed out above, your pptp clients will have access to the LAN that the PIX is attached to. They won't have access to the other LANs.

PCAnywhere will be used by site to site only or from any public IP on the internet?
 
lgarner & rudeboy,
I have to agree with you both. Using a router, I would be doing the same exact thing. I'm not 100% sure how to do it using a pix firewall. I have seen a lot of different commands that I do not recognize so please be gentle... :) Yes, I want full access from site to site to site. PCAnywhere will be primarily used site by site by site but I will need a remote access to each site using pcanywhere as well. I will have to redo all my configs and see what I come up with. Thanks for the ideas. Back to the drawing board.... :)

Thanks again,

Shawn
 
Actually, the way you have the config now should give you full access from site to site. You don't need the mappings unless you want people from the outside world to access these boxes on public IPs. You will need to have 2 tunnels in each pix.
 
I looked on Cisco's website and found a config for a pix to pix to pix IPSec meshed. It looks like it will do what I want it to do but how do I add the Public IP for remote access with cisco's vpn client? Thanks for all of the help for this newbie... :)

Shawn
 
The vpn client connects to the outside address of the PIX. From there on, you will be talking to private IPs via the VPN tunnel.
 
So I don't have to setup anything on the PIX firewall side? I know the internal VPN tunnels should have no problems but I have never setup a remote setup so I figured something had to be configured. Since I won't know the external IPs of the people accessing the VPN, I assume it will just allow them in if I setup a user account and password for them. Is this correct? Thanks again for straightening everything out for me.

Shawn
 
The link rudeboy provided is a great example and I have used it successfully to set up the PPTP and IPSEC clients but be forewarned it does not show you the ENTIRE PIX config, just the major snippets. For one, it does not show you any ROUTE statements that you will need to reach all your internal networks.

Cheers!

Chucksel
 
Thanks to all for your responses. I added the lines to setup the dynamic maps. As soon as I get the other 2 static IP addresses, I will be putting this config into testing. I also added the port forwarding info for the PC Anywhere ports as well. I will be testing within the next few days and will update everyone as to my progress. Thanks again to everyone for all of your help.

Shawn
 
I would like to, once again, thank everyone for their input and help. I installed the first pix in one of the remote sites. I can vpn to the network but that is about it. I can't termserv, pcanywhere, ping, etc. anything behind the pix. The following is the config that I'm using. All I get is 10.3.3.2 as a gateway and 255.0.0.0 as the mask. I don't believe that those are the only issues. I also put in a port forward to a certain IP address for 2 ports. I cannot hit them either (even outside of the vpn). What am I doing wrong? Please be patient as I'm still trying to learn this pix stuff. Thanks again...

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname LPix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names

!--- Traffic to Portland private network:

access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

!--- Traffic to Stroudsburg private network:

access-list 130 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

!--- Do not perform NAT for traffic to
!--- other PIX Firewall private networks:

access-list 100 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 10.3.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400

!--- Do not perform NAT for traffic to other PIX Firewalls:

nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac

!--- IPSec configuration for tunnel to PIX2:

crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer xxx.xxx.xxx.xxx
crypto map newmap 20 set transform-set myset

!--- IPSec configuration for tunnel to PIX1:

crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer xxx.xxx.xxx.xxx
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ****** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80

!--- Remote VPN & Port Forwarding:
access-list 100 permit ip xxx.xxx.xxx.xxx 255.255.255.255 10.3.3.0 255.255.255.255
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 4200
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq 9970
access-list 100 permit udp any host xxx.xxx.xxx.xxx eq 4200
access-list 100 permit udp any host xxx.xxx.xxx.xxx eq 9970
static (inside, outside) tcp xxx.xxx.xxx.xxx 4200 10.3.3.20 4200 netmask 255.255.255.255
static (inside, outside) tcp xxx.xxx.xxx.xxx 9970 10.3.3.20 9970 netmask 255.255.255.255
access-group 100 in interface outside
ip local pool bigpool 10.3.3.2-10.3.3.18

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside

!--- Cisco Secure_VPNClient_key.


isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local bigpool outside

!--- ISAKMP Policy for Cisco VPN Client 2.5 or
!--- Cisco Secure VPN Client 1.1.


isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5


!--- The 1.1 and 2.5 VPN Clients use Diffie-Hellman (D-H)
!--- group 1 policy (PIX default).


isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

!--- ISAKMP Policy for VPN Client 3.0 and 4.0.


isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5


!--- The 3.0/4.0 clients use D-H group 2 policy
!--- and PIX 6.0 code.


isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all default-domain nologin
vpngroup vpn3000-all idle-time 1800

!--- VPN 3000 group_name and group_password.


vpngroup vpn3000-all password *******
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local

!--- PPTP username and password.


vpdn username xxxxxx password xxxxxxxx
vpdn enable outside





Best Regards to all and a Very Happy and Healthy New Year,

Shawn
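As an added checker (my own code, not anything from this thread or from Cisco), the script below lints a pasted PIX 6.x config for the mistakes that come up in the thread: an access-group that points at an ACL which is never defined, a nat 0 ACL that also carries any/host/port entries (rudeboy's point about ACL 100), two crypto maps bound to the same interface (PIX keeps only one crypto map set per interface, so the last binding replaces the earlier one), fewer static peers than a full mesh needs, and mistyped protocol keywords. The SAMPLE and CLEAN configs are constructed to mirror the shapes of the configs posted above, with documentation addresses; they are not the real configs.

```python
import re
from collections import defaultdict

KNOWN_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ah"}

ACL_RE = re.compile(r"access-list (\S+) (?:permit|deny) (\S+) (.*)")
ACCESS_GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")
MAP_BIND_RE = re.compile(r"crypto map (\S+) interface (\S+)")
SET_PEER_RE = re.compile(r"crypto map \S+ \d+ set peer (\S+)")

# Constructed sample with the defects discussed in the thread (not a real config).
SAMPLE = """\
!--- constructed sample mirroring the posted configs
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit tcp any host 198.51.100.3 eq 4200
access-list 100 permit upd any host 198.51.100.3 eq 4200
access-group 105 in interface outside
nat (inside) 0 access-list 100
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 198.51.100.1
crypto map newmap interface outside
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

# Constructed sample with the same intent expressed without those defects.
CLEAN = """\
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 101 permit tcp any host 198.51.100.3 eq 4200
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
access-group 101 in interface outside
nat (inside) 0 access-list 100
crypto map newmap 10 set peer 198.51.100.1
crypto map newmap 20 set peer 198.51.100.2
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
"""


def commands(text):
    """Strip blank lines and '!---' comments from a pasted PIX 6.x config."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def lint_pix(text, sites=3):
    """Return (code, detail) findings for the mistakes this thread runs into."""
    lines = commands(text)
    findings = []
    acls = defaultdict(list)
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            name, proto, rest = m.groups()
            acls[name].append((proto, rest))
            if proto not in KNOWN_PROTOCOLS and not proto.isdigit():
                findings.append(("bad-protocol", f"ACL {name}: unknown protocol '{proto}'"))
    # access-group must reference an ACL that exists.
    for ln in lines:
        m = ACCESS_GROUP_RE.match(ln)
        if m and m.group(1) not in acls:
            findings.append(("undefined-acl", f"access-group references ACL {m.group(1)}, which is never defined"))
    # A nat 0 ACL should contain only network-to-network 'ip' entries.
    for ln in lines:
        m = NAT0_RE.match(ln)
        if not m:
            continue
        for proto, rest in acls.get(m.group(1), []):
            if proto != "ip" or {"any", "host", "eq"} & set(rest.split()):
                findings.append(("nat0-mixed", f"nat 0 ACL {m.group(1)} entry is not network-to-network: {proto} {rest}"))
    # Only one crypto map can be bound to an interface; a later binding replaces it.
    bound = defaultdict(list)
    for ln in lines:
        m = MAP_BIND_RE.match(ln)
        if m:
            bound[m.group(2)].append(m.group(1))
    for iface, maps in bound.items():
        distinct = list(dict.fromkeys(maps))
        if len(distinct) > 1:
            findings.append(("multi-crypto-map", f"interface {iface}: {', '.join(distinct)} all bound; only the last stays in effect"))
    # A full mesh of n sites needs n-1 static peers on every PIX.
    peers = {SET_PEER_RE.match(ln).group(1) for ln in lines if SET_PEER_RE.match(ln)}
    if len(peers) < sites - 1:
        findings.append(("mesh-peers", f"{len(peers)} static peer(s) configured; a {sites}-site mesh needs {sites - 1} per PIX"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_pix(SAMPLE):
        print(f"{code:17s} {detail}")
    print("clean config findings:", lint_pix(CLEAN))
```

On SAMPLE the linter reports six findings (the undefined ACL 105, two mixed entries in the nat 0 ACL, the mistyped protocol, the double crypto map binding on outside, and only one static peer); on CLEAN, where inbound permits live in a separate ACL 101 and the dynamic map is entry 30 of the same newmap, it reports nothing.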
 