
VPN and Windows Domain

Status
Not open for further replies.

lost4life

IS-IT--Management
Jul 2, 2003
33
US
I have two questions. I am configuring a PIX 525 for IPsec. Our remote office needs access to resources on the inside network. The setup is as follows:

nat (inside) 0 access-list 101
! access-list 101 (not shown in the post) must list the inside and remote private subnets;
! it serves both as the NAT exemption and as the crypto ACL referenced below
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map remotemap 10 ipsec-isakmp
crypto map remotemap 10 match address 101
crypto map remotemap 10 set pfs
crypto map remotemap 10 set peer REMOTEOFFICEIP
crypto map remotemap 10 set transform-set vpnset
crypto map remotemap 10 set security-association lifetime seconds 75000 kilobytes 4608000
crypto map remotemap interface outside
isakmp enable outside
isakmp key ***** address REMOTEOFFICEIP netmask 255.255.255.255
! the pre-shared key is keyed by peer address, so the PIX should send its address as the
! ISAKMP identity, matching "crypto isakmp identity address" on the router
! (the original line read "isakmp identity hostname")
isakmp identity address
isakmp policy 20 authentication pre-share
! des/md5/group 1 match what the router offers; they are weak by current standards
! (prefer 3des or aes, sha, and group 2 or higher where both ends support them)
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 75000

We have a Windows NT domain: WINS and DHCP on the inside. Nowhere am I seeing anything to assign the remote office an inside IP address or where the WINS and PDC are. Do I have to set up a RADIUS server or what?
My next question. We have 6 interfaces. Development servers are in the DMZ but are part of the domain. How do I get the DMZ to be able to log into the PDC that is on the inside? This is what I have:
! "dmz" below stands for whatever nameif the DMZ interface carries on this PIX (the post only
! says "DMZ"); the original lines read static (inside,outside), which translates between
! inside and outside rather than between inside and the DMZ, so DMZ hosts never reach 192.168.9.x
static (inside,dmz) 192.168.9.253 192.168.6.253 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.9.27 192.168.6.27 netmask 255.255.255.255 0 0
! NT4 domain logon and browsing run over NetBIOS: 137/udp (name service), 138/udp (datagram),
! 139/tcp (session). "any" can be tightened to the DMZ subnet once it is known.
access-list acl_QaDev permit tcp any host 192.168.9.253 eq 139
access-list acl_QaDev permit udp any host 192.168.9.253 eq netbios-dgm
access-list acl_QaDev permit udp any host 192.168.9.253 eq netbios-ns
access-list acl_QaDev permit tcp any host 192.168.9.27 eq 139
access-list acl_QaDev permit udp any host 192.168.9.27 eq netbios-dgm
access-list acl_QaDev permit udp any host 192.168.9.27 eq netbios-ns
! the ACL only takes effect once bound to the DMZ interface
access-group acl_QaDev in interface dmz

Thank you for your help!!
 
HI.

> Nowhere am I seeing anything to assign the remote office an inside IP address or where the WINS and PDC are
You are using a site-to-site VPN, which is transparent to internal hosts (they see it as a simple WAN link).
So you should deploy the WINS configuration to remote clients using a DHCP server at the remote office (or manual configuration).
Does the remote office have its own server(s)?
If needed, please provide more info about the remote office (how many hosts, servers, etc.).

> How do I get the dmz to be able to log into the PDC that is on the inside?
I think that you can install a domain controller on the DMZ, so that only the domain controller will have direct access to the internal domain.

Anyway, here are a few links about similar issues (I think that you can search and find something more specific in MS TechNet):


Yizhar Hurwitz
 
We have about 15 users at the remote office. I have set up a Cisco 1721 router, DHCP, WINS, and a BDC server for those users at that location. The part that I am confused on is when they request a file, for example, on a computer that is on our inside interface of the PIX, how does it get resolved/work? They do not have an inside IP address. How does the 1721 router know that requests to our inside interface need to go through the VPN tunnel? Will the BDC still be able to get updates from the PDC at our location so remote users can log into the domain? With PPTP, you set the DNS, WINS, and DHCP servers manually, but with IPsec there are no commands to set them.

remoteOffice
internalIP 192.168.100.102-192.168.100.125
|
Cisco 1721
210.210.210.10
|
internet
|
OurRouter
221.221.221.1
|
PIX
221.221.221.254
|
LiveWeb---inside----DMZ
|
192.168.6.x

Cisco 1721 IPsec config
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key KEYGOESHERE address ExternalIPofPIX
! the transform-set name must match the "set transform-set" line in the crypto map
! (the original used transformset-1 here and cm-transformset-1 below)
crypto ipsec transform-set transformset-1 esp-des esp-md5-hmac
crypto map cryptomap local-address Ethernet0
crypto map cryptomap 1 ipsec-isakmp
 match address 100
 set peer ExternalIPofPIX
 set transform-set transformset-1
 ! matches "set pfs" on the PIX, whose default PFS group is group1
 set pfs group1
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
! the crypto map takes effect only when applied under the outside interface
! (the original had a bare "crypto map cm-cryptomap" line with a name that matched nothing)
interface Ethernet0
 crypto map cryptomap
access-list 100 permit ip host REMOTEOFFICEIP host ExternalIPofPIX

The best drawing I could do. The more I work on this, the more confused I get. By the way, I used your PIX configuration tool: very cool.
 
HI.

> crypto map cryptomap 1 ipsec-isakmp
> match address 100
> access-list 100 permit ip host REMOTEOFFICEIP host ExternalIPofPIX

I think that the router configuration is wrong, and that ACL 100 should refer to the private addresses, like:
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255

However I'm not sure about the router config, and anyway it is best to look here:

And it is even better to purchase an additional PIX firewall for the branch office, to act as firewall and VPN endpoint, because that way the router does routing (only) and the PIX does the security-related things.


Yizhar Hurwitz
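The crypto ACL point made in the reply above can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the "access-list ... permit ip" entries of a PIX 6.x crypto ACL (subnet masks) and of an IOS crypto ACL (wildcard masks), normalises both to networks, and verifies that the router's entries are the mirror image of the PIX's, that both describe private subnets rather than the public peer addresses, and that the PIX "nat (inside) 0" exemption covers the same flows. The configuration fragments inside it are constructed for the example; they use the 192.168.6.0/24 and 192.168.100.0/24 ranges and the public addresses from the diagram earlier in the thread, and the PIX access-list 101 is assumed, since the thread never shows it.

```python
"""Added example: compare the crypto ACLs of a PIX 6.x and an IOS peer.

Not code from the thread. Assumes the inside LAN is 192.168.6.0/24 and
the branch LAN 192.168.100.0/24 (the ranges named in the thread); the
configuration text below is constructed for the example.
"""
import ipaddress
import re

# Constructed PIX side: the crypto ACL and the nat 0 exemption share ACL 101.
PIX_CONFIG = """
access-list 101 permit ip 192.168.6.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map remotemap 10 match address 101
"""

# Constructed IOS side with the mirror-image crypto ACL suggested in the reply.
IOS_CONFIG_GOOD = """
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
crypto map cryptomap 1 ipsec-isakmp
 match address 100
"""

# IOS side as originally posted: only the public peer addresses are listed, so
# LAN-to-LAN packets never match the crypto map and are routed unencrypted
# toward the Internet instead of into the tunnel.
IOS_CONFIG_BAD = """
access-list 100 permit ip host 210.210.210.10 host 221.221.221.254
crypto map cryptomap 1 ipsec-isakmp
 match address 100
"""

ALL_ONES = 0xFFFFFFFF


def _parse_target(tokens, wildcard):
    """Consume one address term (any | host A | A MASK); return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS ACLs use wildcard (inverse) masks; PIX 6.x uses ordinary subnet masks.
        mask = str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(addr + "/" + mask, strict=False), 2


def parse_acl(config, name, wildcard):
    """Return (src, dst) network pairs for the 'permit ip' lines of ACL `name`."""
    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", name, "permit", "ip"]:
            continue
        src, used = _parse_target(tokens[4:], wildcard)
        dst, _ = _parse_target(tokens[4 + used:], wildcard)
        pairs.append((src, dst))
    return pairs


def bound_acl(config, pattern):
    """Return the ACL name captured by the one-group regex `pattern`, or None."""
    match = re.search(pattern, config, re.MULTILINE)
    return match.group(1) if match else None


def check_site_to_site(pix_config, ios_config):
    """Report which of three properties a PIX/IOS crypto ACL pair satisfies."""
    pix_acl = bound_acl(pix_config, r"^crypto map \S+ \d+ match address (\S+)")
    ios_acl = bound_acl(ios_config, r"^\s*match address (\S+)")
    nat0_acl = bound_acl(pix_config, r"^nat \(inside\) 0 access-list (\S+)")

    pix_pairs = set(parse_acl(pix_config, pix_acl, wildcard=False))
    ios_pairs = set(parse_acl(ios_config, ios_acl, wildcard=True))
    nat0_pairs = set(parse_acl(pix_config, nat0_acl, wildcard=False))

    return {
        # Each side's crypto ACL must be the other's with source/destination swapped.
        "mirrored": pix_pairs == {(dst, src) for src, dst in ios_pairs},
        # Interesting traffic is the private LANs, never the public peer addresses.
        "private_only": bool(pix_pairs) and all(
            src.is_private and dst.is_private for src, dst in pix_pairs | ios_pairs),
        # Everything the PIX will encrypt must also bypass NAT (nat 0); otherwise the
        # source is translated before the crypto ACL is evaluated and never matches.
        "nat_exempt": pix_pairs <= nat0_pairs,
    }


if __name__ == "__main__":
    print("suggested:", check_site_to_site(PIX_CONFIG, IOS_CONFIG_GOOD))
    print("as posted: ", check_site_to_site(PIX_CONFIG, IOS_CONFIG_BAD))
```

Run against the posted router ACL the check reports mirrored=False and private_only=False; with the suggested private-to-private ACL all three come back True. The same parser can be pointed at a live "show running-config" capture from each box, which is the quickest way to catch the name and mask mismatches this thread runs into.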
 