This is my first trial at VPN so you must excuse my naiveity. I want to be able to access my office network (DSL static IP range 5 addresses) from home using my laptop pc and a VPN 3.6.3 Client (through ISDN/Modem dialup access). My office ADSL box has a range of 5 static IP addresses and I am running a PIX between that ADSL box and the network HUB. The PIX NAT's (I think) the internal PC's so they have access outside through one outside IP address.
Here is my current (modified slightly for security) pix setup.
configure terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ********** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in deny tcp host 192.168.1.11 any
access-list acl_in deny udp host 192.168.1.11 any
access-list acl_in permit tcp host 192.168.1.9 any
access-list acl_in permit udp host 192.168.1.9 any
access-list acl_in permit tcp host 192.168.1.10 any
access-list acl_in permit udp host 192.168.1.10 any
access-list acl_in permit tcp host 192.168.1.12 any
access-list acl_in permit udp host 192.168.1.12 any
access-list acl_in permit tcp host 192.168.1.14 any
access-list acl_in permit udp host 192.168.1.14 any
access-list acl_in permit tcp host 192.168.1.15 any
access-list acl_in permit udp host 192.168.1.15 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 123.40.123.73 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.9 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 123.40.123.78 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.11-192.168.1.42 inside
dhcpd dns 124.120.123.33 124.120.123.34
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
write mem
show config
Surely this is quite a simple set-up but I am worried about other people having access. What security will this 3.6.3 client have and how can I minimize risks?
My ultimate goal is to allow remote access to the intranet on our home network 192.168.1.10 and access to a mail server which is also running on 192.168.1.10 to send and receive mail and be able to drag and drop files to the hard drive on 192.168.1.10. I would also like the remote user have access to a print server on the network 192.168.1.43
I would be happy to reward the person who solves this problem for me. I have looked at different solutions but as I said before am worried about security issues.
Thanks in advance
Here is my current (modified slightly for security) pix setup.
configure terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ********** encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in deny tcp host 192.168.1.11 any
access-list acl_in deny udp host 192.168.1.11 any
access-list acl_in permit tcp host 192.168.1.9 any
access-list acl_in permit udp host 192.168.1.9 any
access-list acl_in permit tcp host 192.168.1.10 any
access-list acl_in permit udp host 192.168.1.10 any
access-list acl_in permit tcp host 192.168.1.12 any
access-list acl_in permit udp host 192.168.1.12 any
access-list acl_in permit tcp host 192.168.1.14 any
access-list acl_in permit udp host 192.168.1.14 any
access-list acl_in permit tcp host 192.168.1.15 any
access-list acl_in permit udp host 192.168.1.15 any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 123.40.123.73 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.9 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 123.40.123.78 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.11-192.168.1.42 inside
dhcpd dns 124.120.123.33 124.120.123.34
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
write mem
show config
Surely this is quite a simple set-up but I am worried about other people having access. What security will this 3.6.3 client have and how can I minimize risks?
My ultimate goal is to allow remote access to the intranet on our home network 192.168.1.10 and access to a mail server which is also running on 192.168.1.10 to send and receive mail and be able to drag and drop files to the hard drive on 192.168.1.10. I would also like the remote user have access to a print server on the network 192.168.1.43
I would be happy to reward the person who solves this problem for me. I have looked at different solutions but as I said before am worried about security issues.
Thanks in advance
