hi,
I am new to Cisco and have been asked to implement VPN connectivity (Cisco 3.5 client) with Windows IAS authentication to the internal domain, but using an IAS server in the DMZ.
I have been able to get VPN connectivity with the following config (which I was able to get here), but I have been unable to have my DMZ communicate with the inside network, or have the inside network communicate with the DMZ. (The IAS authentication is only working with local accounts... not domain accounts.)
I can't even ping the DMZ interface from an inside PC.
Does anyone out there have any idea how I can accomplish this?
Thank you in advance.
My current config....
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security30
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
hostname one
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
names
pager lines 24
logging on
logging trap debugging
logging host inside 10.0.1.40
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
ip address outside xxx.xxx.xx.xx 255.255.255.0
ip address inside 10.0.1.1 255.255.0.0
ip address DMZ1 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xx.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 10.0.0.0 255.255.0.0 10.0.150.0 255.255.255.0
nat (inside) 0 access-list 80
static (inside,outside) xxx.xxx.xx.xx 10.0.1.28 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xx.xx 10.0.1.6 netmask 255.255.255.255 0 0
conduit permit tcp host xxx.xxx.xx.xx eq
conduit permit tcp host xxx.xxx.xx.xx eq 443 any
conduit permit tcp host xxx.xxx.xx.xx eq smtp any
route outside 0.0.0.0 0.0.0.0 209.73.41.1 1
route inside 172.16.0.0 255.255.0.0 10.10.1.254 1
route inside 172.20.0.0 255.255.0.0 10.10.1.254 1
route inside 192.168.250.0 255.255.255.0 10.10.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
ip local pool vpnippool 10.0.150.1-10.10.150.100
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.0.15
no snmp-server location
no snmp-server contact
snmp-server community
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong-des esp-des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp key 12345 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup vpngroup address-pool vpnippool
vpngroup vpngroup dns-server 10.0.1.126
vpngroup vpngroup wins-server 10.0.1.127
vpngroup vpngroup default-domain domain.com
vpngroup vpngroup idle-time 1800
sysopt connection permit-ipsec
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
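On a PIX 6.x, packets only cross from one interface to another when a translation exists for the source (nat/global or static), and traffic from a lower-security interface (DMZ1, security30) toward a higher one (inside, security100) is dropped unless an access-list or conduit permits it. The fragment below is an added example, not part of the poster's config, showing the usual way to meet both requirements for an IAS server in the DMZ: an identity static so inside hosts keep their real addresses toward DMZ1, and a DMZ1 inbound access-list limited to what the IAS server needs to reach one domain controller. It reuses the addresses from the post (inside 10.0.0.0/16, DMZ1 192.168.0.0/24, IAS host 192.168.0.15, DNS 10.0.1.126); the domain controller address 10.0.1.10 and the access-list name dmz1_in are assumptions. Lines beginning with ! are explanatory comments and are not PIX syntax; strip them before pasting.

```cisco
! 1. Identity translation: inside addresses appear unchanged on DMZ1, so no
!    global (DMZ1) pool is needed and DMZ1 hosts can address inside hosts
!    by their real IPs. (Assumed to match the poster's inside subnet.)
static (inside,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0

! 2. DMZ1 -> inside must be explicitly permitted. Only the IAS host, only to
!    DNS and the assumed domain controller 10.0.1.10, only the services a
!    domain member needs: DNS, Kerberos, LDAP, SMB and the RPC endpoint mapper.
access-list dmz1_in permit udp host 192.168.0.15 host 10.0.1.126 eq domain
access-list dmz1_in permit udp host 192.168.0.15 host 10.0.1.10 eq 88
access-list dmz1_in permit tcp host 192.168.0.15 host 10.0.1.10 eq 88
access-list dmz1_in permit udp host 192.168.0.15 host 10.0.1.10 eq 389
access-list dmz1_in permit tcp host 192.168.0.15 host 10.0.1.10 eq 389
access-list dmz1_in permit tcp host 192.168.0.15 host 10.0.1.10 eq 445
access-list dmz1_in permit tcp host 192.168.0.15 host 10.0.1.10 eq 135
! Netlogon (NTLM pass-through) runs over RPC on dynamic ports. Narrow this
! range to whatever the DC is actually configured to use; wide open is the
! weakest part of any DMZ-member design.
access-list dmz1_in permit tcp host 192.168.0.15 host 10.0.1.10 range 1024 65535

! 3. PIX 6.1 does not track ICMP state, so echo replies from DMZ1 hosts to
!    inside pingers must be allowed back in explicitly.
access-list dmz1_in permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.255.0.0 echo-reply

! Everything else from DMZ1 toward inside hits the implicit deny.
access-group dmz1_in in interface DMZ1
```

Two checks worth making after applying something like this: `show xlate` should list 10.0.x.x entries on DMZ1 once an inside host has sent traffic toward the DMZ, and `show access-list dmz1_in` hit counts should climb on the Kerberos/LDAP lines while the IAS server authenticates a domain account; the `logging trap debugging` already in the config will also show the 106xxx deny messages for anything still blocked. Two caveats: the PIX does not answer pings sent to an interface address from a host on a different interface, so "ping the DMZ1 interface from inside" is not a valid connectivity test (ping a DMZ1 host instead), and the `aaa-server ... host` line must reference the interface by the exact name given in `nameif`, which in the posted config is DMZ1.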