  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1606

Help with IPSEC on pix 515

I am trying to set up a PIX 515 to allow IPsec traffic from a DMZ to an inside network. Can anyone help with this?


Let's say the DMZ address is 192.0.0.0 and the inside network is 10.0.0.0.

I want to set up my PIX to only allow traffic for the purpose of Active Directory replication from DMZ to inside.

This is what I think I need to do:

1. Create an IKE key
isakmp key (key we normally use) address 192.168.0.0 netmask 255.255.255.0

2. Create access list dmzipsec to allow the PIX to determine traffic from the DCs to be IPsec traffic

access-list dmzipsec permit 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0
access-list dmzipsec permit 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0


3. Create crypto map toCorp for DMZ traffic

crypto map "toCorp" 20 ipsec isakmp
crypto map "toCorp" 20 match address dmzipsec
crypto map "toCorp" 20 set peer 192.168.0.0
crypto map "toCorp" 20 set transform-set siteform

4. Apply crypto map to interface (DMZ2)

crypto map dmzipsec interface dmz2

5. Add to access list all (this allows the nat statement, nat (inside) 0 access-list all, to also
apply to IPsec traffic from DMZ).

access-list all permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

Can anyone shed some light on this for me please?
Asked by: cfaulknor
1 Solution
 
Tim HolmanCommented:
To create a VPN, you need two endpoints.  You can't specify a peer as a network address....
 
lrmooreCommented:
Since the two interfaces are on the same PIX, you don't really have a "peer" in this instance.
You really can't set up an IPSEC tunnel between two interfaces on the same box.
You can set up an IPSEC tunnel between the server in the DMZ and the DMZ interface.
Or, you can simply use nat zero and not NAT between the two interfaces, and use an access-list on the DMZ interface that only permits AD traffic.
 
Pascal666Commented:
>I am trying to set up a PIX 515 to allow IPsec traffic from a DMZ to an inside network. Can anyone help with this?

>I want to set up my PIX to only allow traffic for the purpose of Active Directory replication from DMZ to inside.

Which is it?  You want to allow IPSEC traffic through or you want to allow AD traffic?  Either way you do not need to configure IPSEC on the PIX itself.  You just need a static and an access-list (or conduit) between the dmz and inside to permit the traffic.

-Pascal
 
cfaulknorAuthor Commented:
I need to set up an IPsec tunnel from DMZ to inside.

Basically, any traffic that comes from DMZ domain controllers should be sent through the PIX with IPsec encryption. Hope this helps explain.
 
Pascal666Commented:
So you want to establish an IPsec tunnel from a host in your DMZ to a host on your inside network for the purpose of AD replication?  Why?  The purpose of IPsec tunnels is to transport traffic securely over an insecure medium.  In your case the traffic never leaves your network.  There is no reason to encrypt it.

Either way, the only configuration you need on your PIX is a static and an access-list (or conduit) allowing the host in your DMZ to access your inside host.  The PIX will not have any IPsec config inside it.

-Pascal
 
cfaulknorAuthor Commented:
The deal is some of the ports required for Active Directory replication are used by viruses to infect networks, and our security person would like to not use an access list or conduit to pass Active Directory traffic through the PIX, so he suggested an IPsec tunnel for this purpose.

Is he on the wrong track, or can traffic be passed through a PIX from DMZ to inside while being encrypted, or is there a better way?

We do have an access list for the moment but anticipate more entries, and our PIX is looking a little cluttered with all the entries for all the DCs and ports needing to pass traffic back and forth.


Currently our DNS is set up to replicate forest-wide, and so all DCs in all domains need to see each other (not the best method in my opinion). I believe children should only replicate to their parent. Correct me if I am wrong.

So is there a better way to pass traffic more securely, like IPsec?
Or am I wasting my time trying to do this, and should I maybe try to get the DNS to domain-level replication and only have static entries for the parent domain in the PIX access list?

Chuck
 
Pascal666Commented:
Your static statement will specify traffic is only NAT'd from DMZ to inside.  Your conduit (or access-list) will specify traffic is only permitted to that port from the one host you specify.  For example:

static (inside,dmz) 172.16.1.87 172.16.1.87 netmask 255.255.255.255 0 0
conduit permit tcp host 172.16.1.87 eq 7205 host 192.168.100.2

-Pascal
 
cfaulknorAuthor Commented:
This is what we have in the PIX at the moment. The problem we encountered is the amount of clutter in the PIX because of all of the access list entries for all of the DCs.

So, back to the issue: is it possible to use IPsec to eliminate all the clutter?
 
lrmooreCommented:
Short answer: NO.
There is no capability to encrypt between two interfaces on the same box (inside/dmz).
 
cfaulknorAuthor Commented:
Is there a way to pass encrypted traffic through a PIX, say from server to server IPsec?
 
lrmooreCommented:
Yes. You can set up an IPSEC policy between two Win2k servers, and only permit the ESP traffic through the PIX. The drawback is that it is server-to-server, not server-to-network.
 
cfaulknorAuthor Commented:
Can you tell me the PIX command needed for allowing this?
 
lrmooreCommented:
Permit ESP (and ISAKMP) in the access-lists:

access-list dmz_to_inside permit esp host a.b.c.d host 1.2.3.4  <-- esp = IP protocol 50 (no port)
access-list dmz_to_inside permit udp host a.b.c.d host 1.2.3.4 eq 500  <-- isakmp = udp/500
access-group dmz_to_inside in interface dmz

Beware that this is permitting ALL traffic from the DMZ host to the inside host, through the encrypted tunnel. If that DMZ server gets compromised, you have zero visibility or control over the packets going from that compromised server to your inside server, and your whole network is now compromised. At least with your "untidy" access-lists you can control the ports and use the built-in Intrusion Detection of the PIX to mitigate the vulnerabilities.
 
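An added example in Python, not from the thread or from Cisco, for the server-to-server IPsec pinhole lrmoore describes above: it generates the PIX 6.x access-list lines that permit only IKE (ISAKMP, UDP 500) and ESP (IP protocol 50, which has no port) between one DMZ host and one inside host, and lints an existing access-list for the common protocol/port mix-up. The ACL name, interface name and host addresses are assumed sample values.

```python
import re
from ipaddress import ip_address

ESP_IP_PROTOCOL = 50     # ESP is its own IP protocol; it has no TCP/UDP port
ISAKMP_UDP_PORT = 500    # IKE/ISAKMP negotiates over UDP port 500


def ipsec_pinhole(acl_name, dmz_host, inside_host, iface="dmz"):
    """PIX 6.x lines that permit only IKE and ESP from dmz_host to inside_host.

    acl_name/iface are assumed names; hosts are validated as IPv4/IPv6 literals.
    """
    ip_address(dmz_host)      # raise ValueError on a malformed address
    ip_address(inside_host)
    return [
        f"access-list {acl_name} permit udp host {dmz_host} host {inside_host} eq {ISAKMP_UDP_PORT}",
        f"access-list {acl_name} permit esp host {dmz_host} host {inside_host}",
        f"access-group {acl_name} in interface {iface}",
    ]


# host-to-host ACE: access-list NAME permit PROTO host SRC host DST [eq PORT]
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+host\s+(?P<src>\S+)"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?"
)


def lint_ipsec_acl(lines):
    """Return one finding per ACE that confuses the IPsec protocol and port numbers."""
    findings = []
    for raw in lines:
        line = raw.split("<--")[0].strip()   # drop trailing '<--' annotations
        m = ACE_RE.match(line)
        if not m:
            continue                          # not a host-to-host permit entry
        proto, port = m.group("proto"), m.group("port")
        if proto == "tcp" and port == "500":
            findings.append(f"{line}: ESP is IP protocol {ESP_IP_PROTOCOL}, not tcp/500; use 'permit esp'")
        elif proto == "udp" and port == "50":
            findings.append(f"{line}: ISAKMP is udp/{ISAKMP_UDP_PORT}, not udp/50")
    return findings


if __name__ == "__main__":
    # constructed sample addresses, reusing the ranges seen earlier in the thread
    print("\n".join(ipsec_pinhole("dmz_to_inside", "192.168.100.2", "172.16.1.87")))
```

Even with the numbers right, the pinhole still carries every port the two servers choose to tunnel, which is the visibility trade-off the answer above warns about.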
