Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Cisco Pix 501 Config Hell..p!

  • 17-10-2007 8:40pm
    #1
    Registered Users, Registered Users 2 Posts: 358 ✭✭


    Folks,

    I simply need to config a Pix 501 to allow remote VPN connections with split tunnelling enabled so that the remote workes can still access their local LAN.

    The problem is although I can create the VPN connection, I cannot ping remote machines and therefore cannot remote desktop to these machines. When i make a slight change to the config, i might be able to access the remote network, but not the local network. I really havent a clue what i am doing and i am going around in circles! I can use the PDM and the terminal. i tired the VPN wizard in the PDM and that is what i am working from.

    Im sure I am missing something simple..

    Please help me :o
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list LVPN_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.192
    access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.192
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPNPOOL 10.1.1.1-10.1.1.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list LVPN_splitTunnelAcl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup LVPN address-pool VPNPOOL
    vpngroup LVPN dns-server 10.0.0.20
    vpngroup LVPN wins-server 10.0.0.20
    vpngroup LVPN split-tunnel LVPN_splitTunnelAcl
    vpngroup LVPN idle-time 1800
    vpngroup LVPN password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    


Comments

  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    Is your external host name really .CISCOPIX.COM ?


  • Registered Users, Registered Users 2 Posts: 358 ✭✭Philbert


    BOFH_139 wrote: »
    Is your external host name really .CISCOPIX.COM ?
    Its not, but I didnt think that would make a difference?


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    Philbert wrote: »
    Its not, but I didnt think that would make a difference?

    That the first thing you should change, do you have a DNS name or are you just justing an IP?


  • Registered Users, Registered Users 2 Posts: 4,162 ✭✭✭_CreeD_


    First up split tunneling is a very bad idea if they are internet connected. You degrade your perimeter security to that of their PC rather than that nice corporate class firewall you're relying on. If you wouldn't trust their software firewall to gaurd your network then don't let them split-tunnel.
    Don't worry about the hostname or domain, you should be using the IP on your clients anyway (having a DNS name registered besides being unnecessary is a security liability, the less info. you give away about your internet gateway the better).
    You may have excluded these deliberately but I don't see any explicit routes defined. Your outside interface is taking it's default gateway and from DHCP, as is easiest, so if you haven't already you need to define static routes to your internal subnets (for example you have a WINS at 10.0.0.20). If you use an internal router make sure it has a route to 10.1.1.0/24 through your PIX.
    Also enable your VPN clients to bypass your Outside access-list "sysopt connection permit-ipsec". If you don't then besides anything else the system will block any return ICMP traffic, you can define explicit access rules that could include remote access and safe ICMP return messages but with your experience level (no offense) that would be a bad idea.


  • Registered Users, Registered Users 2 Posts: 358 ✭✭Philbert


    Creed,

    Most of what you are telling me makes sense, especially the bit about my experience level :).

    However, to actually put that into the configuration of the Pix is simply beyond me, and I dont have the time to learn.

    Which is why I have hired a freelance cisco guy to do it for me :D

    Cheers for your input.


  • Advertisement
Advertisement