Remote access VPNs on a 506E

CertifiedNut (Technical User), Feb 14, 2007, GB
Hi, I have a PIX 506E that I would like to use to give remote staff access to a test environment. I would like to use IPsec and local authentication so that they can access some servers using RDP. Each user has the standard Cisco VPN client. Does anyone have a config that I could use to achieve this? I'm not well up on PIX firewalls, so any help would be appreciated.
Thanks
Rick
 
If the PIX is already up and running, you just need to add the VPN config:

nat (inside) 0 access-list no_nat
sysopt connection permit-ipsec
ip local pool VPNPool 192.168.253.1-192.168.253.254

access-list no_nat permit ip [INTERNAL_IP_Scheme] [VPNPOOL_IP_Scheme]
access-list l2lvpn permit ip [INTERNAL_IP_Scheme] [VPNPOOL_IP_Scheme]

crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map [DYNAMIC_MAPNAME] 10 set transform-set 3DES
crypto map [MAPNAME] 40 ipsec-isakmp dynamic [DYNAMIC_MAPNAME]
crypto map [MAPNAME] client authentication LOCAL
crypto map [MAPNAME] interface outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp identity address
isakmp enable outside

vpngroup [VPN_GROUP_NAME] address-pool VPNPool
vpngroup [VPN_GROUP_NAME] dns-server [INTERNAL_DNS_IP]
vpngroup [VPN_GROUP_NAME] wins-server [INTERNAL_WINS_IP]
vpngroup [VPN_GROUP_NAME] default-domain [DOMAIN_NAME.COM]
vpngroup [VPN_GROUP_NAME] idle-time 1800
vpngroup [VPN_GROUP_NAME] password [GROUP_PASSWORD]

username [USERNAME] password [PASSWORD] privilege 1

Names in brackets can be replaced with whatever you want. IP schemes should be replaced with "10.2.2.0 255.255.255.0" (substitute your info where appropriate).

Here is the Cisco page on client VPNs.

Hope this helps.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi, thanks for the reply, it's very helpful. Sorry for not getting back sooner, but I have been away for a week. I'm starting from scratch with the 506E build. Will this make any difference to your suggested configuration?

Rick
 
Just add these lines to get it up:

hostname [HOSTNAME]
domain-name [DOMAIN.com]

ip address inside [INTERNAL_IP] [INTERNAL_SUBNET]

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

ip address outside {[EXTERNAL_IP] [EXTERNAL_SUBNET] | dhcp setroute}
route outside 0.0.0.0 0.0.0.0 [DEFAULT_GATEWAY] *** not needed if dhcp setroute option used


If it is acting as your DHCP server for the inside, add these:
dhcpd address [INTERNAL_IP_START]-[INTERNAL_IP_END] inside
dhcpd dns [DNS_IP#1] [DNS_IP#2]
dhcpd wins [WINS_IP#1]
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,
Thanks again for your help. I'm slowly moving forward here. I can now connect to the network via a remote client. It doesn't ask me for a username and password at the client; the firewall seems to accept the group ID and password as the only form of authentication. Once connected, though, I cannot get through to any services on the network, especially Remote Desktop (RDP, and I have opened up port 3389 to accommodate access), which is the reason for setting up remote access. This is the current running config...

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ############## encrypted
passwd ############## encrypted
hostname MotaTestFW
domain-name mota###.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service HTTPPorts tcp
  port-object eq www
  port-object range 81 81
  port-object range 8080 8080
  port-object eq https
access-list inside_access_in permit udp any any eq 3389
access-list inside_access_in permit tcp any any object-group HTTPPorts
access-list inside_access_in permit udp any any eq domain
access-list outside_access_in permit udp any eq 3389 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 86.54.76.244 255.255.255.240
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.253.1-192.168.253.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 86.54.76.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set 3DES
crypto map map1 40 ipsec-isakmp dynamic map2
crypto map map1 interface outside
crypto map map2 client authentication LOCAL
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MotaTestNW address-pool VPNPool
vpngroup MotaTestNW dns-server 192.168.10.11
vpngroup MotaTestNW wins-server 192.168.10.11
vpngroup MotaTestNW default-domain motability.co.uk
vpngroup MotaTestNW idle-time 1800
vpngroup MotaTestNW password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group MotaTestNW accept dialin pptp
vpdn group MotaTestNW ppp authentication chap
vpdn group MotaTestNW client configuration address local VPNPool
vpdn group MotaTestNW client configuration dns 192.168.10.11
vpdn group MotaTestNW pptp echo 300
vpdn group MotaTestNW client authentication local
vpdn username PeterM password *********
vpdn username RichardH password *********
vpdn username etcaccess password *********
vpdn username iscaccess password *********
vpdn username k2access password *********
username etcaccess password ############## encrypted privilege 5
username PeterM password ############## encrypted privilege 15
username k2access password ############## encrypted privilege 5
username iscaccess password ############## encrypted privilege 2
username RichardH password ############## encrypted privilege 15
terminal width 80
Cryptochecksum:da4573bb8e9b5b34c4c0b6d9c1098259
: end

Any clues as to where I have gone wrong?

Thanks

Rick
 
You left out these:

nat (inside) 0 access-list no_nat
sysopt connection permit-ipsec

access-list no_nat permit ip [INTERNAL_IP_Scheme] [VPNPOOL_IP_Scheme]
access-list l2lvpn permit ip [INTERNAL_IP_Scheme] [VPNPOOL_IP_Scheme]

These tell the PIX to let traffic through to the VPN client without NATing the address.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
For the client auth:

crypto map map2 client authentication LOCAL
change to
crypto map map1 client authentication LOCAL


Brent
Systems Engineer / Consultant
CCNP, CCSP
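The two corrections Brent gives above (the missing nat 0 / sysopt lines in his previous reply, and the crypto map name on the client authentication line in this one) are the kind of thing that is easy to miss by eye in a long running-config. The following Python script is an added example, not code from the thread or from Cisco: it parses PIX 6.x running-config text and reports exactly those omissions, plus a few related consistency checks (the dynamic map and transform set that the bound crypto map chains to, the pool a vpngroup hands out, whether ISAKMP is enabled on the bound interface, and the default SNMP community that appears in the posted config). The finding codes and both sample configs (BROKEN_CONFIG is an abridged copy of Rick's posted config; FIXED_CONFIG is the same text with Brent's two fixes applied) are constructed for this example, and the no-NAT ACL parser only understands the `permit ip <net> <mask> <net> <mask>` form used here, not `host` or `any` entries.

```python
"""Static sanity checks for a PIX 6.x remote-access IPsec VPN configuration.

Added example for the thread (not Cisco's or either poster's code). Finding
codes and the sample configs below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, message)

# Constructed sample: the VPN-relevant lines of the config posted in the thread.
BROKEN_CONFIG = """\
ip local pool VPNPool 192.168.253.1-192.168.253.254
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
aaa-server LOCAL protocol local
snmp-server community public
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set 3DES
crypto map map1 40 ipsec-isakmp dynamic map2
crypto map map1 interface outside
crypto map map2 client authentication LOCAL
isakmp enable outside
isakmp policy 10 authentication pre-share
vpngroup MotaTestNW address-pool VPNPool
"""

# Constructed sample: the same config with the two corrections from the thread.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "crypto map map2 client authentication LOCAL",
    "crypto map map1 client authentication LOCAL",
) + """\
nat (inside) 0 access-list no_nat
sysopt connection permit-ipsec
access-list no_nat permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
"""


def _matches(lines: List[str], pattern: str) -> List[re.Match]:
    """Return a match object for every config line that matches `pattern` at its start."""
    rx = re.compile(pattern)
    out = []
    for line in lines:
        m = rx.match(line)
        if m:
            out.append(m)
    return out


def _covers_pool(acl_entries: List[re.Match], start: str, end: str) -> bool:
    """True if some ACL entry's destination network contains the whole address pool."""
    for m in acl_entries:
        net = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        if ipaddress.ip_address(start) in net and ipaddress.ip_address(end) in net:
            return True
    return False


def check_vpn_config(config: str) -> List[Finding]:
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[Finding] = []

    # Without this sysopt, decrypted client traffic is still filtered by the outside ACL.
    if "sysopt connection permit-ipsec" not in lines:
        findings.append(("NO_SYSOPT", "missing 'sysopt connection permit-ipsec'"))

    pools: Dict[str, Tuple[str, str]] = {
        m.group(1): (m.group(2), m.group(3))
        for m in _matches(lines, r"ip local pool (\S+) (\S+)-(\S+)")
    }

    # Traffic from inside hosts to the VPN pool must be exempted from NAT (nat 0 + ACL),
    # and that ACL must actually cover the pool the clients are given.
    nat0 = _matches(lines, r"nat \((\S+)\) 0 access-list (\S+)")
    if not nat0:
        findings.append(("NO_NAT0", "missing 'nat (inside) 0 access-list <acl>'; replies to VPN clients get translated"))
    for m in nat0:
        acl = m.group(2)
        entries = _matches(lines, rf"access-list {re.escape(acl)} permit ip \S+ \S+ (?P<dst>\S+) (?P<dmask>\S+)")
        if not entries:
            findings.append(("NAT0_ACL_MISSING", f"nat 0 references access-list '{acl}' which has no 'permit ip' entries"))
            continue
        for pool, (start, end) in pools.items():
            if not _covers_pool(entries, start, end):
                findings.append(("NAT0_ACL_POOL", f"access-list '{acl}' does not cover pool '{pool}' ({start}-{end})"))

    # XAUTH: 'client authentication' belongs on the crypto map bound to the interface,
    # not on the dynamic map it references; otherwise only the group password is checked.
    bound = {m.group(1): m.group(2) for m in _matches(lines, r"crypto map (\S+) interface (\S+)")}
    auth = {m.group(1): m.group(2) for m in _matches(lines, r"crypto map (\S+) client authentication (\S+)")}
    if not bound:
        findings.append(("NO_BOUND_MAP", "no 'crypto map <name> interface <if>' line"))
    for name in auth.keys() - bound.keys():
        findings.append(("AUTH_MAP_UNBOUND", f"'crypto map {name} client authentication' names a map not bound to any interface"))
    for name in bound.keys() - auth.keys():
        findings.append(("BOUND_MAP_NO_AUTH", f"crypto map '{name}' on {bound[name]} has no 'client authentication' line"))
    if "LOCAL" in auth.values() and "aaa-server LOCAL protocol local" not in lines:
        findings.append(("NO_LOCAL_AAA", "client authentication LOCAL without 'aaa-server LOCAL protocol local'"))

    # ISAKMP must be enabled on every interface a crypto map is bound to.
    isakmp_ifs = {m.group(1) for m in _matches(lines, r"isakmp enable (\S+)")}
    for name, iface in bound.items():
        if iface not in isakmp_ifs:
            findings.append(("NO_ISAKMP", f"crypto map '{name}' is on {iface} but 'isakmp enable {iface}' is absent"))

    # The dynamic map and transform set the static map chains to must both exist.
    dyn_sets = {m.group(1): m.group(2) for m in _matches(lines, r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")}
    xforms = {m.group(1) for m in _matches(lines, r"crypto ipsec transform-set (\S+) ")}
    for m in _matches(lines, r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):
        dyn = m.group(2)
        if dyn not in dyn_sets:
            findings.append(("DYN_MAP_MISSING", f"crypto map '{m.group(1)}' references undefined dynamic-map '{dyn}'"))
        elif dyn_sets[dyn] not in xforms:
            findings.append(("XFORM_MISSING", f"dynamic-map '{dyn}' uses undefined transform-set '{dyn_sets[dyn]}'"))

    # Every vpngroup address-pool must be a defined local pool.
    for m in _matches(lines, r"vpngroup (\S+) address-pool (\S+)"):
        if m.group(2) not in pools:
            findings.append(("POOL_MISSING", f"vpngroup '{m.group(1)}' uses undefined pool '{m.group(2)}'"))

    # Hygiene: the default read community on an Internet-facing firewall.
    if "snmp-server community public" in lines:
        findings.append(("SNMP_PUBLIC", "snmp-server community is 'public'; change it or remove SNMP"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", BROKEN_CONFIG), ("after fixes", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in check_vpn_config(cfg):
            print(f"  {code}: {msg}")
```

Run against the posted config it reports NO_SYSOPT, NO_NAT0, AUTH_MAP_UNBOUND (map2) and BOUND_MAP_NO_AUTH (map1), which are the four lines Brent's two replies change, plus SNMP_PUBLIC; after the fixes only the SNMP finding remains. To use it on a real box, paste the output of `show running-config` into a file and call `check_vpn_config(open(path).read())`.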
 
Hi Brent,

Many thanks for your help. The firewall now works very well and we have remote access to the test environment here. I have learnt a lot on the way, so many thanks.

Rick
 