
Pix 515R, a VPN and ADSL


Zelandakh

MIS
Mar 12, 1999
12,173
GB
Scenario:

Corporate site: Cisco Pix 515R. Public IP, currently running fine.

New remote sites going in. ADSL 512, static IP. Got a router that does DHCP, firewall, NAT, router etc. There are 4 sites.

Need to get each site to access my terminal server on the LAN and need to do it securely.

Yizhar has suggested in another thread to someone else to allow access into the Pix to the TS, but it's not too secure.

VPN would be better, or am I trying to walk before I can run? Been told I can put a Microsoft VPN client on the client and run it through the Pix using TACACS to my DC. Sounds like a walk in the park. Not.

Help gratefully received. Got a long lead time for this project - don't have to have it running until next week...
 
Hi there -

Here is the way that I had our PIX set up so that I could use my Windows client at home and connect via a PPTP tunnel between my workstation and the PIX. In our case we were using RADIUS authentication; this worked out great. Let me know if you have any questions.


[allows traffic between internal networks and vpn client]

access-list 101 permit ip 192.168.110.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.120.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.130.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.140.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.150.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.160.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.170.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.180.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.190.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0

[sets up the range of dhcp addresses assigned to vpn clients]

ip local pool vpnaddresses 192.168.201.1-192.168.201.254

[stops nat translation of traffic between the vpn clients and the internal networks]
nat (inside) 0 access-list 101

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

[sets up for radius authentication against internal windows DC]

aaa-server my-aaa-server protocol radius
aaa-server my-aaa-server (inside) host <internal radius server ip> <crypto password> timeout 10

http server enable
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 30
ssh timeout 5
vpdn group vpn-pptp accept dialin pptp
vpdn group vpn-pptp ppp authentication pap
vpdn group vpn-pptp ppp authentication chap
vpdn group vpn-pptp ppp authentication mschap
vpdn group vpn-pptp ppp encryption mppe 40
vpdn group vpn-pptp client configuration address local vpnaddresses
vpdn group vpn-pptp client configuration dns <dns server ip>
vpdn group vpn-pptp client configuration wins <wins server ip>
vpdn group vpn-pptp client authentication aaa my-aaa-server
vpdn group vpn-pptp pptp echo 60
vpdn enable outside
 
So your first DHCP address given out is 192.168.110.0, then up to 200.0? And your LAN is 192.168.201.0?

Or did I get those the wrong way round?
 
Hi -

The DHCP scope for the VPN clients is 192.168.201.1 - 192.168.201.254. The others (192.168.1xx.0-192.168.2xx.0) are the internal networks that can access and be accessed by the client through the established (192.168.201.x) VPN session. So if you only wanted clients to VPN in and get to the terminal server, then you could set up an access list such as access-list 101 permit ip host x.x.x.x (ts) 192.168.201.0 255.255.255.0
 
Being somewhat old, I'm still using conduits rather than access lists. Do I need to move all my conduits to access lists before implementing this, or can this work in addition?
 
Thinking about it, I'm running 6.01 - can I even use access lists?
 
Yes, you can use access-lists in 6.01; you can also use a combination of access-lists and conduits. So no, you do not have to remove or change your conduits to implement this change. However, it would be a good idea to start planning on changing over from conduits to ACLs for future changes.
 
Hi.

In any case, you should use strong authentication and other security measures, like allowing only the needed applications to run on the TS server itself, no matter which way the users get access to it.
This is trivial, but I think it's important to remind.

> Got a router that does DHCP, firewall, NAT, router
If the router has a static IP and supports IPSEC, then one option to consider is a site-to-site VPN from the router to the Pix.
So, what kind of router/firewall is it?

> Yizhar has suggested in another thread to someone else to allow access into the Pix to the TS but its not too secure.
If you have a static IP on the router, you can allow TS access from that address to the Pix.
Think of it - what is more risky?
An attacker who needs to come from a specific IP using a TS client and who knows the TS credentials, or an attacker who needs to find credentials for a PPTP client and can connect from all over the world?
(If he can establish either PPTP or TS, you're in trouble.)
There is no single correct answer.

Anyway, for VPN, try to use the Cisco IPSEC VPN client instead of PPTP. This is more secure for several reasons; one of them is that you can use dual authentication (certificate or group name & password, plus username & password).

Bye
Yizhar Hurwitz
 
Thanks for the responses.

To get the project running, I've given the TS a public IP, only opened port 3389 and only opened it to the public IPs of the remote sites.

This gets me up and running and I can cross the bridges of VPNs and other more complex issues later.
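The two points the thread keeps circling back to are whether the VPN client pool (192.168.201.x) is separate from the internal networks named in the nat 0 access-list, and, in the final post, whether TCP/3389 on the terminal server is reachable only from the remote sites' addresses rather than from anywhere. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses PIX 6.x-style access-list, ip local pool and nat 0 lines and answers both questions. The sample configs, the ACL name outside_in, and the 203.0.113.0/24 and 198.51.100.0/24 addresses standing in for the remote sites and the TS are all constructed for the example.

```python
"""Added example (not from the thread): offline sanity checks over PIX 6.x-style
access-list / ip local pool / nat 0 lines.

Checks: (1) the VPN client pool does not collide with the internal networks
that the nat 0 ACL exempts, and every pool address is actually exempted;
(2) no outside rule permits TCP/3389 from a source broader than single hosts.
All addresses below are constructed (documentation ranges for the public side).
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the PPTP fragment from the thread plus a hypothetical
# outside ACL of the kind the final post describes (two remote sites, one TS).
SAMPLE_CONFIG = """
access-list 101 permit ip 192.168.110.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 101 permit ip 192.168.120.0 255.255.255.0 192.168.201.0 255.255.255.0
ip local pool vpnaddresses 192.168.201.1-192.168.201.254
nat (inside) 0 access-list 101
access-list outside_in permit tcp host 203.0.113.10 host 198.51.100.5 eq 3389
access-list outside_in permit tcp host 203.0.113.20 host 198.51.100.5 eq 3389
access-list outside_in permit tcp any host 198.51.100.5 eq 3389
"""

# Constructed variant in which the pool was mistakenly carved out of a LAN subnet.
OVERLAP_CONFIG = """
access-list 101 permit ip 192.168.110.0 255.255.255.0 192.168.201.0 255.255.255.0
ip local pool vpnaddresses 192.168.110.50-192.168.110.60
nat (inside) 0 access-list 101
"""


class Rule(NamedTuple):
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use ordinary subnet masks, not IOS wildcard masks.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_rules(config: str) -> List[Rule]:
    """Extract access-list entries; other config lines are ignored."""
    rules = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        acl, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
        rules.append(Rule(acl, action, proto, src, dst, port))
    return rules


def parse_pools(config: str):
    """Map pool name -> (first address, last address) from ip local pool lines."""
    pools = {}
    for line in config.splitlines():
        m = re.match(r"ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)",
                     line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def nat0_acl(config: str) -> Optional[str]:
    """Name of the ACL bound by 'nat (inside) 0 access-list <name>', if any."""
    for line in config.splitlines():
        m = re.match(r"nat \(inside\) 0 access-list (\S+)", line.strip())
        if m:
            return m.group(1)
    return None


def check_vpn_pool(config: str, pool_name: str) -> List[str]:
    """Findings (empty list = clean) about the client pool versus the nat 0 ACL."""
    findings = []
    first, last = parse_pools(config)[pool_name]
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    acl = nat0_acl(config)
    rules = [r for r in parse_rules(config) if r.acl == acl and r.action == "permit"]
    for r in rules:
        # Pool addresses must not be drawn from a subnet the LAN already uses.
        if any(n.overlaps(r.src) for n in pool_nets):
            findings.append(f"pool {pool_name} overlaps internal network {r.src}")
    for n in pool_nets:
        # Every pool address must sit on the destination side of some rule,
        # otherwise traffic to those clients is still NATed and the tunnel breaks.
        if not any(n.subnet_of(r.dst) for r in rules):
            findings.append(f"pool block {n} is not exempted from NAT by {acl}")
    return findings


def exposed_rdp_rules(config: str, acl_name: str, port: int = 3389) -> List[Rule]:
    """Permit rules for tcp/port whose source is broader than a single host."""
    return [r for r in parse_rules(config)
            if r.acl == acl_name and r.action == "permit" and r.proto == "tcp"
            and r.port == port and r.src.prefixlen < 32]


if __name__ == "__main__":
    print("pool findings:", check_vpn_pool(SAMPLE_CONFIG, "vpnaddresses"))
    print("overlap findings:", check_vpn_pool(OVERLAP_CONFIG, "vpnaddresses"))
    for r in exposed_rdp_rules(SAMPLE_CONFIG, "outside_in"):
        print("TS port", r.port, "reachable from", r.src, "->", r.dst)
```

Run against the sample, the pool check comes back clean for the thread's layout (pool in 192.168.201.0/24, LAN in 192.168.1xx.0/24) and flags the overlapping variant; the RDP check reports only the `any` rule, which is exactly the entry the final post avoids by restricting 3389 to the remote sites' public IPs. Feeding the checker a `show run` or a config backup is the obvious next step; it reads plain text and ignores lines it does not understand.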
 