I want to use our Wireless access point hanging off our DMZ. Then I want the wireless users to VPN through to the inside lan.
What do I need to do? (a.b.c.d = Public IP, q.w.e.r = private IP, z.x.c.v = another public IP)
Comments highly appreciated!
-steve
: To implement Intel Wireless Access Point; hang off DMZ with IP of:W.A.P.220
PIX# sho config
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 Outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security20 : change to Security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
...
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit gre any any
access-list acl_out permit tcp any host a.b.c.204 eq www
access-list acl_out permit tcp any host a.b.c.141 eq pop3
access-list acl_out permit tcp any host a.b.c.141 eq smtp
access-list acl_out permit tcp any host a.b.c.141 eq 443
access-list acl_out permit ip host z.x.c.132 host a.b.c.150
access-list 101 permit ip q.w.9.0 255.255.255.128 q.w.9.128 255.255.255.128
access-list 101 permit ip q.w.8.0 255.255.255.0 q.w.9.128 255.255.255.128
access-list 101 permit ip q.w.10.0 255.255.255.0 q.w.9.128 255.255.255.128
access-list 101 permit ip q.w.11.0 255.255.255.0 q.w.9.128 255.255.255.128
pager lines 24
logging on
logging trap notifications
logging host inside q.w.8.30
no logging message 111005
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address Outside a.b.c.200 255.255.255.128
ip address inside q.w.8.1 255.255.252.0
ip address DMZ 127.0.0.1 255.255.255.255 : change to: DMZ q.w.11.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool corpvpnpool q.w.9.129-q.w.9.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address Outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (Outside) 1 a.b.c.202
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,Outside) a.b.c.141 q.w.8.14 netmask 255.255.255.255 0 0
static (inside,Outside) a.b.c.150 q.w.8.77 netmask 255.255.255.255 0 0
access-group acl_out in interface Outside
established tcp 0 0
established udp 0 0
route Outside 0.0.0.0 0.0.0.0 a.b.c.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server adauth protocol radius
aaa-server adauth (inside) host q.w.e.r ****** timeout 10
aaa authentication telnet console adauth
aaa authentication ssh console adauth
...
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
auth-prompt accept OK - You are authenicated.
auth-prompt reject Authentication failed. Try Again.
crypto ipsec transform-set MYSET2 esp-3des esp-sha-hmac
crypto dynamic-map corpvpndyn 10 set transform-set MYSET2
crypto map corpvpn 10 ipsec-isakmp dynamic corpvpndyn
crypto map corpvpn client authentication adauth
crypto map corpvpn interface Outside
isakmp enable Outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup REMOTE address-pool corpvpnpool
vpngroup REMOTE dns-server q.w.e.32 q.w.e.11
vpngroup REMOTE wins-server q.w.e.11
vpngroup REMOTE default-domain ******
vpngroup REMOTE split-tunnel 101
vpngroup REMOTE idle-time 1800
vpngroup REMOTE password ********
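Added example, not part of steve's post: a small Python audit over an excerpt of the config above, checking the things that matter for terminating VPN clients that arrive on the DMZ interface (real DMZ address, crypto map and ISAKMP bound to DMZ, any-peer pre-shared key, default SNMP community). Interface and map names are taken from the post; the excerpt keeps its placeholders as-is.

```python
import re

# Constructed excerpt of the posted PIX 6.1(4) config (placeholders kept as-is).
PIX_CONFIG = """\
nameif ethernet2 DMZ security20
ip address DMZ 127.0.0.1 255.255.255.255
snmp-server community public
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
crypto map corpvpn interface Outside
isakmp enable Outside
vpngroup REMOTE split-tunnel 101
access-list 101 permit ip q.w.11.0 255.255.255.0 q.w.9.128 255.255.255.128
"""


def audit(config: str, vpn_if: str = "DMZ") -> list[str]:
    """Return findings relevant to terminating VPN users on interface vpn_if."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. PIX uses 127.0.0.1/32 as the "not configured" placeholder address.
    for ln in lines:
        m = re.match(r"ip address (\S+) 127\.0\.0\.1 255\.255\.255\.255$", ln)
        if m and m.group(1) == vpn_if:
            findings.append(f"{vpn_if}: no real IP address yet (127.0.0.1 placeholder)")

    # 2. IKE/IPsec only terminate on interfaces that carry the crypto map
    #    and have isakmp enabled; the post binds both to Outside only.
    maps = {m.group(2) for ln in lines
            if (m := re.match(r"crypto map (\S+) interface (\S+)", ln))}
    if vpn_if not in maps:
        findings.append(f"{vpn_if}: no crypto map applied (only on {', '.join(sorted(maps))})")
    enabled = {m.group(1) for ln in lines
               if (m := re.match(r"isakmp enable (\S+)", ln))}
    if vpn_if not in enabled:
        findings.append(f"{vpn_if}: isakmp not enabled")

    # 3. A pre-shared key for peer 0.0.0.0/0 is one shared secret for every client.
    if any(re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", ln)
           for ln in lines):
        findings.append("ISAKMP: wildcard (0.0.0.0/0) pre-shared key")

    # 4. Default SNMP community string.
    if "snmp-server community public" in lines:
        findings.append("SNMP: default community 'public'")
    return findings


if __name__ == "__main__":
    for f in audit(PIX_CONFIG):
        print("-", f)
```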