
Help with IPSEC on pix 515

Asked by cfaulknor | Medium Priority | 1,668 Views | Last Modified: 2013-11-16
I am trying to set up a PIX 515 to allow IPsec traffic from a DMZ to an inside network. Can anyone help with this?


Let's say the DMZ address is 192.0.0.0 and the inside network is 10.0.0.0.

I want to set up my PIX to only allow traffic for the purpose of Active Directory replication from the DMZ to inside.

This is what I think I need to do:

1. Create an IKE key
isakmp key (key we normally use) address 192.168.0.0 netmask 255.255.255.0

2. Create access list dmzipsec to allow the PIX to determine that traffic from the DCs is IPsec traffic

access-list dmzipsec permit 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0
access-list dmzipsec permit 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0


3. Create crypto map toCorp for DMZ traffic

crypto map "toCorp" 20 ipsec isakmp
crypto map "toCorp" 20 match address dmzipsec
crypto map "toCorp" 20 set peer 192.168.0.0
crypto map "toCorp" 20 set transform-set siteform

4. Apply the crypto map to the interface (DMZ2)

crypto map dmzipsec interface dmz2

5. Add to access-list all (this allows the NAT statement, nat (inside) 0 access-list all, to also
apply to IPsec traffic from the DMZ).

access-list all permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

Can anyone shed some light on this for me please?

CERTIFIED EXPERT

Commented:
To create a VPN, you need two endpoints.  You can't specify a peer as a network address....

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Since the two interfaces are on the same PIX, you don't really have a "peer" in this instance.
You really can't set up an IPSEC tunnel between two interfaces on the same box.
You can set up an IPSEC tunnel between the server in the DMZ and the DMZ interface.
Or, you can simply use nat zero and not NAT between the two interfaces, and use an access-list on the DMZ interface that only permits AD traffic.

>I am trying to setup a pix 515 to allow ipsec traffic from a dmz to and inside network can anyone help with this

>I want to setup my pix to only allow traffic for the purpose of active directory replication from dmz to inside

Which is it?  You want to allow IPSEC traffic through, or you want to allow AD traffic?  Either way you do not need to configure IPSEC on the PIX itself.  You just need a static and an access-list (or conduit) between the dmz and inside to permit the traffic.

-Pascal

Author

Commented:
I need to set up an IPsec tunnel from the DMZ to inside.

Basically, any traffic that comes from the DMZ domain controllers is to be sent through the PIX with IPsec encryption. Hope this helps explain.

So you want to establish an ipsec tunnel from a host in your dmz to a host on your inside network for the purpose of AD replication?  Why?  The purpose of ipsec tunnels is to transport traffic securely over an insecure medium.  In your case the traffic never leaves your network.  There is no reason to encrypt it.

Either way the only configuration you need on your pix is a static and an access-list (or conduit) allowing the host in your dmz to access your inside host.  The PIX will not have any ipsec config inside it.

-Pascal

Author

Commented:
The deal is that some of the ports required for Active Directory replication are used by viruses to infect networks, and our security person would like to not use an access list or conduit to pass Active Directory traffic through the PIX, so he suggested an IPsec tunnel for this purpose.

Is he on the wrong track, or can traffic be passed through a PIX from DMZ to inside while being encrypted, or is there a better way?

We do have an access list for the moment but anticipate more entries, and our PIX is looking a little cluttered with all the entries for all the DCs and ports needing to pass traffic back and forth.


Currently our DNS is set up to replicate forest-wide, and so all DCs in all domains need to see each other (not the best method in my opinion). I believe children should only replicate to their parent; correct me if I am wrong.

So is there a better, more secure way to pass traffic, like IPsec?
Or am I wasting my time trying to do this, and should I maybe try to get the DNS to domain-level replication and only have static entries for the parent domain in the PIX access list?

Chuck

Your static statement will specify traffic is only NAT'd from dmz to inside.  Your conduit (or access-list) will specify traffic is only permitted to that port from the one host you specify.  For example:

static (inside,dmz) 172.16.1.87 172.16.1.87 netmask 255.255.255.255 0 0
conduit permit tcp host 172.16.1.87 eq 7205 host 192.168.100.2

-Pascal

Author

Commented:
This is what we have in the PIX at the moment. The problem we encountered is the amount of clutter in the PIX because of all of the access list entries for all of the DCs.

So, back to the issue: is it possible to use IPsec to eliminate all the clutter?

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Short answer. NO
There is no capability to encrypt between two interfaces on the same box (inside/dmz)

Author

Commented:
Is there a way to pass encrypted traffic through a PIX, say from server to server with IPsec?

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Yes. You can set up an IPSEC policy between two Win2k servers, and only permit the esp traffic through the PIX. The drawback is that it is server-to-server, not server-to-network.
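One way to express the arrangement Les Moore describes on the PIX side, as an added example that is not from the thread or from any of its participants. It uses PIX 6.x syntax; the DMZ interface name dmz, the ACL name dmz_in, and the two host addresses (DMZ domain controller 192.168.0.10, inside domain controller 10.0.0.1) are assumed for illustration, and the IPsec policy itself lives on the two Windows servers, not on the firewall:

```text
! Added example (not from the thread): PIX 6.x configuration that lets two
! servers run their own IPsec policy across the firewall, permitting only IKE
! and ESP between the two hosts. Interface name, ACL name and addresses are
! assumed for illustration.
!
! The inside DC keeps its real address when seen from the DMZ (identity static,
! no translation), in the same form as Pascal's example above.
static (inside,dmz) 10.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
!
! Only the DMZ DC may reach the inside DC, and only with IKE (UDP 500) and
! ESP (IP protocol 50). The AD replication ports (RPC, LDAP, SMB, ...) stay
! closed on the firewall because they travel inside the ESP payload.
access-list dmz_in permit udp host 192.168.0.10 host 10.0.0.1 eq 500
access-list dmz_in permit esp host 192.168.0.10 host 10.0.0.1
! Explicit form of the implicit deny, so dropped DMZ traffic is visible in logs.
access-list dmz_in deny ip any any
!
! Apply the list inbound on the lower-security DMZ interface.
access-group dmz_in in interface dmz
```

The inside-to-DMZ direction needs no ACL entry on a PIX, since traffic from a higher-security interface to a lower one is permitted by default once the static exists; the UDP 500 replies are tracked by the connection table, and because ESP carries no port state the single esp line above is what admits the encrypted packets coming back from the DMZ regardless of which server initiated. This is exactly the trade-off stated in the reply: two hosts, two short lines, but every additional DC pair needs its own pair of lines, so it reduces rather than removes the per-host entries.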

Author

Commented:
Can you tell me the PIX commands needed for allowing this?

Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented: