|
Posted by Martin Bilgrav on April 29, 2006, 5:41 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> Hi,
> I'm a newbie to Cisco Pix and VPN's. I'm hoping this is a simple
> question.
>
> Here are the spec's.
> Cisco Pix Firewall 515e - 3 interfaces (outside, inside, dmz)
>
> I set up the VPN using the wizard. I'm trying to get smarter on this as
> I go along so I can better refine what I'm trying to do.
>
> All I want is to have a remote office to be able to VPN into our
> network and be able to use their network at the same time. Does this
> require 'Split tunneling'? Do I need to put their internal DNS IP
> address in our config? Also,
>
correct, plus you need to click it on in the VPN GUI
What you must have in your config is "from you" to "their local LAN."
The rest then goes out locally.
> It seems that when more than one of their users tries to VPN into our
> network, the one kicks the other's session out. I'm assuming what's
> going on is they are showing up as one IP address through their NAT
> and that is confusing the PIX (as it obviously needs something else in
> our config) Thanks in advance for any help one might be able to offer a
> newbie trying to learn his way around this thing - Here is my config
Put in the command ISAKMP NAT-T
And check that UDP encap is click on in the VPN GUI (Udp/4500)
Btw you have an very poor DMZ protection !
Everything is allowed from DMZ to inside !
If/when you get compromised, there will be full access.
Also I find it strange that you have several Dyn Maps, and have ISAKMP
enabled on both inside and outside.
Also you run just DES, which is considered weak. You should run atleast
AES128
Regards
Martin Bilgrav
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 jpiadmz security40
> enable password 26YZBaoaL8CQKfWI encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname jpiapix
> domain-name mydomain.com
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> access-list acl-outside permit tcp any host xx.xx.xx.195 eq smtp
> access-list acl-outside permit tcp any host xx.xx.xx.195 eq https
> access-list acl-outside permit tcp any host xx.xx.xx.195 eq www
> access-list acl-outside permit tcp any host xx.xx.xx.196 eq
> pcanywhere-data
> access-list acl-outside permit tcp any host xx.xx.xx.196 eq 5632
> access-list acl-outside permit tcp any host xx.xx.xx.197 eq www
> access-list acl-outside permit tcp any host xx.xx.xx.200 eq 8234
> access-list acl-outside permit tcp any host xx.xx.xx.200 eq www
> access-list acl-outside permit tcp any host xx.xx.xx.197 eq https
> access-list inside_outbound_nat0_acl permit ip any 10.10.10.192
> 255.255.255.192
> access-list outside_cryptomap_dyn_20 permit ip any 10.10.10.192
> 255.255.255.192
> access-list nonatdmz permit ip 192.168.1.0 255.255.255.0 10.10.10.0
> 255.255.255.0
> access-list outside_cryptomap_dyn_40 permit ip any 10.10.10.192
> 255.255.255.192
> access-list outside_cryptomap_dyn_60 permit ip any 10.10.10.192
> 255.255.255.192
> pager lines 24
> logging on
> logging buffered errors
> mtu outside 1500
> mtu inside 1500
> mtu jpiadmz 1500
> ip address outside xx.xx.xx.194 255.255.255.224
> ip address inside 10.10.10.254 255.255.255.0
> ip address jpiadmz 192.168.1.254 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool jpiapool 10.10.10.210-10.10.10.230
> ip local pool vospool 10.10.10.240-10.10.10.243
> pdm location 10.10.10.0 255.255.255.255 inside
> pdm location 10.10.10.20 255.255.255.255 inside
> pdm location 10.10.10.9 255.255.255.255 inside
> pdm location 10.10.10.21 255.255.255.255 inside
> pdm location 10.10.10.23 255.255.255.255 inside
> pdm location 10.10.10.24 255.255.255.255 inside
> pdm location 192.168.1.10 255.255.255.255 jpiadmz
> pdm location 10.10.10.25 255.255.255.255 inside
> pdm history enable
> arp timeout 14400
> global (outside) 10 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> nat (jpiadmz) 10 0.0.0.0 0.0.0.0 0 0
> static (inside,jpiadmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0
>
> static (inside,outside) xx.xx.xx.195 10.10.10.20 netmask
> 255.255.255.255 0 0
> static (inside,outside) xx.xx.xx.196 10.10.10.21 netmask
> 255.255.255.255 0 0
> static (jpiadmz,outside) xx.xx.xx.197 192.168.1.10 netmask
> 255.255.255.255 0 0
> static (inside,outside) xx.xx.xx.200 10.10.10.25 netmask
> 255.255.255.255 0 0
> access-group acl-outside in interface outside
> access-group nonatdmz in interface jpiadmz
> route outside 0.0.0.0 0.0.0.0 xx.xx.xx.193 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
> 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 10.10.10.0 255.255.255.255 inside
> http 10.10.10.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address
> outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
> crypto dynamic-map outside_dyn_map 40 match address
> outside_cryptomap_dyn_40
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
> crypto dynamic-map outside_dyn_map 60 match address
> outside_cryptomap_dyn_60
> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp enable inside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup jpiagroup address-pool jpiapool
> vpngroup jpiagroup dns-server 10.10.10.22 10.10.10.20
> vpngroup jpiagroup default-domain mydomain.com
> vpngroup jpiagroup idle-time 10080
> vpngroup jpiagroup max-time 10080
> vpngroup jpiagroup password ********
> vpngroup vosgroup address-pool vospool
> vpngroup vosgroup dns-server 10.10.10.22 10.10.10.20
> vpngroup vosgroup default-domain mydomain.com
> vpngroup vosgroup idle-time 10080
> vpngroup vosgroup max-time 10080
> vpngroup vosgroup password ********
> telnet 10.10.10.0 255.255.255.0 inside
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:14dc11e456817969ef95de73ee082de1
> : end
> [OK]
>
| 
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map