Solved

Help with IPSEC on pix 515

Posted on 2004-03-26
14
1,577 Views
Last Modified: 2013-11-16
I am trying to set up a PIX 515 to allow IPsec traffic from a DMZ to an inside network. Can anyone help with this?


Let's say the DMZ address is 192.0.0.0 and the inside network is 10.0.0.0.

I want to set up my PIX to only allow traffic for the purpose of Active Directory replication from DMZ to inside.

This is what I think I need to do:

1. Create an IKE key

isakmp key (key we normally use) address 192.168.0.0 netmask 255.255.255.0

2. Create access list dmzipsec to allow the PIX to determine traffic from the DCs to be IPsec traffic

access-list dmzipsec permit 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0
access-list dmzipsec permit 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0


3. Create crypto map toCorp for DMZ traffic

crypto map toCorp 20 ipsec-isakmp
crypto map toCorp 20 match address dmzipsec
crypto map toCorp 20 set peer 192.168.0.0
crypto map toCorp 20 set transform-set siteform

4. Apply crypto map to interface (DMZ2)

crypto map toCorp interface dmz2

5. Add to access list all (this allows the nat statement, nat (inside) 0 access-list all, to also
apply to IPsec traffic from the DMZ)

access-list all permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

Can anyone shed some light on this for me please?
Question by: cfaulknor

14 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10689330
To create a VPN, you need two endpoints. You can't specify a peer as a network address.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10689368
Since the two interfaces are on the same PIX, you don't really have a "peer" in this instance.
You really can't set up an IPsec tunnel between two interfaces on the same box.
You can set up an IPsec tunnel between the server in the DMZ and the DMZ interface.
Or, you can simply use nat zero and not NAT between the two interfaces, and use an access-list on the DMZ interface that only permits AD traffic.
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10697010
>I am trying to setup a pix 515 to allow ipsec traffic from a dmz to and inside network can anyone help with this

>I want to setup my pix to only allow traffic for the purpose of active directory replication from dmz to inside

Which is it? You want to allow IPsec traffic through, or you want to allow AD traffic? Either way you do not need to configure IPsec on the PIX itself. You just need a static and an access-list (or conduit) between the DMZ and inside to permit the traffic.

-Pascal
0
 

Author Comment

by:cfaulknor
ID: 10701474
I need to set up an IPsec tunnel from DMZ to inside.

Basically, any traffic that comes from DMZ domain controllers is to be sent through the PIX with IPsec encryption. Hope this helps explain.
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10701572
So you want to establish an IPsec tunnel from a host in your DMZ to a host on your inside network for the purpose of AD replication? Why? The purpose of IPsec tunnels is to transport traffic securely over an insecure medium. In your case the traffic never leaves your network. There is no reason to encrypt it.

Either way, the only configuration you need on your PIX is a static and an access-list (or conduit) allowing the host in your DMZ to access your inside host. The PIX will not have any IPsec config inside it.

-Pascal
0
 

Author Comment

by:cfaulknor
ID: 10719325
The deal is that some of the ports required for Active Directory replication are used by viruses to infect networks, and our security person would like to not use an access list or conduit to pass Active Directory traffic through the PIX, so he suggested an IPsec tunnel for this purpose.

Is he on the wrong track, or can traffic be passed through a PIX from DMZ to inside while being encrypted, or is there a better way?

We do have an access list for the moment but anticipate more entries, and our PIX is looking a little cluttered with all the entries for all the DCs and ports needing to pass traffic back and forth.


Currently our DNS is set up to replicate forest wide, and so all DCs in all domains need to see each other (not the best method in my opinion). I believe children should only replicate to their parent. Correct me if I am wrong.

So is there a better way to pass traffic more securely, like IPsec?
Or am I wasting my time trying to do this, and should I maybe try to get the DNS to domain-level replication and only have static entries for the parent domain in the PIX access list?

Chuck
0
 
LVL 6

Expert Comment

by:Pascal666
ID: 10720740
Your static statement will specify that traffic is only NAT'd from the DMZ to inside. Your conduit (or access-list) will specify that traffic is only permitted to that port from the one host you specify. For example:

static (inside,dmz) 172.16.1.87 172.16.1.87 netmask 255.255.255.255 0 0
conduit permit tcp host 172.16.1.87 eq 7205 host 192.168.100.2

-Pascal
0
 

Author Comment

by:cfaulknor
ID: 10723821
This is what we have in the PIX at the moment. The problem we encountered is the amount of clutter in the PIX because of all of the access list entries for all of the DCs.

So back to the issue: is it possible to use IPsec to eliminate all the clutter?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10724018
Short answer: NO.
There is no capability to encrypt between two interfaces on the same box (inside/dmz).

0
 

Author Comment

by:cfaulknor
ID: 10724118
Is there a way to pass encrypted traffic through a PIX, say from server to server IPsec?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10724324
Yes. You can set up an IPsec policy between two Win2k servers, and only permit the ESP traffic through the PIX. The drawback is that it is server-to-server, not server-to-network.

0
 

Author Comment

by:cfaulknor
ID: 10724384
Can you tell me the PIX commands needed for allowing this?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 10724451
Permit ESP in the access-lists:

access-list dmz_to_inside permit udp host a.b.c.d host 1.2.3.4 eq 500  <-- isakmp (IKE) = udp/500
access-list dmz_to_inside permit esp host a.b.c.d host 1.2.3.4  <-- esp = IP protocol 50, no port
access-group dmz_to_inside in interface dmz

Beware that this is permitting ALL traffic from the DMZ host to the inside host, through the encrypted tunnel. If that DMZ server gets compromised, you have zero visibility or control over the packets going from that compromised server to your inside server, and your whole network is now compromised. At least with your "untidy" access-lists you can control the ports and use the built-in Intrusion Detection of the PIX to mitigate the vulnerabilities.


0
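The pass-through rules in the accepted answer are easy to get wrong (ISAKMP is udp/500, ESP is IP protocol 50 and has no port), so here is a small linter for them, added as an example and not part of the thread: it parses PIX access-list entries, checks the protocol and port of each one, and flags any entry wider than host-to-host, since lrmoore's warning is that an ESP permit is a channel the PIX cannot inspect. The sample ACL lines are constructed, reusing the addresses from Pascal's example above.

```python
"""Lint PIX access-list entries meant to pass host-to-host IPsec (added example).

Checks: IKE/ISAKMP is udp/500, ESP is IP protocol 50 (a protocol, not a port),
and every entry stays host-to-host, since an ESP permit cannot be inspected.
"""
import re

# Constructed sample ACL reusing addresses from the thread's examples.
GOOD_ACL = [
    "access-list dmz_to_inside permit udp host 192.168.100.2 host 172.16.1.87 eq isakmp",
    "access-list dmz_to_inside permit esp host 192.168.100.2 host 172.16.1.87",
    "access-group dmz_to_inside in interface dmz",
]

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def lint_ipsec_acl(lines):
    """Return a list of findings; an empty list means the ACL is sane."""
    findings = []
    saw_isakmp = saw_esp = False
    for raw in lines:
        line = raw.split("<--")[0].strip()  # drop trailing annotations
        if not line.startswith("access-list"):
            continue  # access-group and other lines are not ACEs
        m = ACE_RE.match(line)
        if not m:
            findings.append(f"unparsed entry: {line}")
            continue
        proto, port = m["proto"].lower(), m["port"]
        if proto == "esp":
            saw_esp = True
        elif proto == "udp" and port in ("500", "isakmp"):
            saw_isakmp = True
        elif proto in ("tcp", "udp") and port in ("50", "500"):
            findings.append(f"port/protocol mix-up, ESP is IP protocol 50 and "
                            f"ISAKMP is udp/500: {line}")
        else:
            findings.append(f"entry unrelated to the tunnel: {line}")
        for end in (m["src"], m["dst"]):
            if not end.startswith("host"):
                findings.append(f"wider than host-to-host, ESP cannot be inspected: {line}")
    if not (saw_isakmp and saw_esp):
        findings.append("ACL needs both a udp/500 (ISAKMP) entry and an esp entry")
    return findings
```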
 

Expert Comment

by:rharrill
ID: 11163251
0