cfaulknor

asked on

Help with IPSEC on pix 515

I am trying to set up a PIX 515 to allow IPsec traffic from a DMZ to an inside network. Can anyone help with this?


Let's say the DMZ address is 192.0.0.0 and the inside network is 10.0.0.0.

I want to set up my PIX to only allow traffic for the purpose of Active Directory replication from the DMZ to inside.

This is what I think I need to do:

1. Create an IKE key
isakmp key (key we normally use) address 192.168.0.0 netmask 255.255.255.0

2. Create access list dmzipsec to allow the PIX to determine that traffic from the DCs is IPsec traffic

access-list dmzipsec permit ip 192.168.0.0 255.255.255.0 10.0.0.1 255.255.0.0


3. Create crypto map toCorp for DMZ traffic

crypto map toCorp 20 ipsec-isakmp
crypto map toCorp 20 match address dmzipsec
crypto map toCorp 20 set peer 192.168.0.0
crypto map toCorp 20 set transform-set siteform

4. Apply crypto map to interface (dmz2)

crypto map toCorp interface dmz2

5. Add to access list all (this allows the NAT statement, nat (inside) 0 access-list all, to also
apply to IPsec traffic from the DMZ).

access-list all permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

Can anyone shed some light on this for me, please?
Tim Holman

To create a VPN, you need two endpoints.  You can't specify a peer as a network address.
Since the two interfaces are on the same PIX, you don't really have a "peer" in this instance.
You really can't set up an IPsec tunnel between two interfaces on the same box.
You can set up an IPsec tunnel between the server in the DMZ and the DMZ interface.
Or, you can simply use nat zero and not NAT between the two interfaces, and use an access-list on the DMZ interface that only permits AD traffic.

>I am trying to set up a PIX 515 to allow IPsec traffic from a DMZ to an inside network. Can anyone help with this?

>I want to set up my PIX to only allow traffic for the purpose of Active Directory replication from the DMZ to inside.

Which is it?  You want to allow IPSEC traffic through or you want to allow AD traffic?  Either way you do not need to configure IPSEC on the PIX itself.  You just need a static and an access-list (or conduit) between the dmz and inside to permit the traffic.

-Pascal
cfaulknor (ASKER)

I need to set up an IPsec tunnel from the DMZ to inside.

Basically, any traffic that comes from the DMZ domain controllers is to be sent through the PIX with IPsec encryption. Hope this helps explain.
So you want to establish an IPsec tunnel from a host in your DMZ to a host on your inside network for the purpose of AD replication?  Why?  The purpose of IPsec tunnels is to transport traffic securely over an insecure medium.  In your case the traffic never leaves your network.  There is no reason to encrypt it.

Either way the only configuration you need on your pix is a static and an access-list (or conduit) allowing the host in your dmz to access your inside host.  The PIX will not have any ipsec config inside it.

-Pascal
The deal is, some of the ports required for Active Directory replication are used by viruses to infect networks, and our security person would like to not use an access list or conduit to pass Active Directory traffic through the PIX, so he suggested an IPsec tunnel for this purpose.

Is he on the wrong track, or can traffic be passed through a PIX from the DMZ to inside while being encrypted, or is there a better way?

We do have an access list for the moment but anticipate more entries, and our PIX is looking a little cluttered with all the entries for all the DCs and ports needing to pass traffic back and forth.


Currently our DNS is set up to replicate forest-wide, and so all DCs in all domains need to see each other (not the best method in my opinion). I believe children should only replicate to their parent. Correct me if I am wrong.

So is there a better way to pass traffic more securely, like IPsec?
Or am I wasting my time trying to do this, and should maybe try to get the DNS to domain-level replication and only have static entries for the parent domain in the PIX access list?

Chuck
Your static statement will specify that traffic is only NAT'd from the DMZ to inside.  Your conduit (or access-list) will specify that traffic is only permitted to that port from the one host you specify.  For example:

static (inside,dmz) 172.16.1.87 172.16.1.87 netmask 255.255.255.255 0 0
conduit permit tcp host 172.16.1.87 eq 7205 host 192.168.100.2

-Pascal
This is what we have in the PIX at the moment. The problem we encountered is the amount of clutter in the PIX because of all of the access list entries for all of the DCs.

So, back to the issue: is it possible to use IPsec to eliminate all the clutter?
Short answer: NO.
There is no capability to encrypt between two interfaces on the same box (inside/dmz).

Is there a way to pass encrypted traffic through a PIX, say server-to-server IPsec?
Yes. You can set up an IPsec policy between two Win2k servers, and only permit the ESP traffic through the PIX. The drawback is that it is server-to-server, not server-to-network.

Can you tell me the PIX command needed for allowing this?
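As an illustration of the server-to-server approach Pascal describes above (IPsec negotiated between the two Win2k DCs, with the PIX passing only IKE and ESP), here is an added PIX 6.x configuration fragment; it is not from the thread or its accepted answer. The interface name dmz2, the DC addresses 192.168.0.10 (DMZ) and 10.0.0.1 (inside), and the list name dmz2_in are assumptions.

```text
! Added example, not from the thread; PIX 6.x syntax, addresses constructed.
! Identity static, as in the earlier static/conduit post: the inside DC keeps its
! real address on the DMZ side, so both IPsec endpoints see unchanged IPs and no
! NAT traversal is needed. If the existing "nat (inside) 0 access-list all"
! already exempts this host pair, that exemption does the same job.
static (inside,dmz2) 10.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0

! From the DMZ DC toward the inside DC, only the IPsec control and data channels
! are allowed: IKE on UDP/500 and ESP (IP protocol 50). The AD replication ports
! ride inside the ESP payload, so they never appear in this list, which is what
! removes the per-port clutter.
access-list dmz2_in permit udp host 192.168.0.10 host 10.0.0.1 eq isakmp
access-list dmz2_in permit esp host 192.168.0.10 host 10.0.0.1
! Everything else from dmz2 toward inside is dropped by the implicit deny.
access-group dmz2_in in interface dmz2

! inside -> dmz2 is higher-to-lower security and is permitted by default, so the
! inside DC can also initiate IKE and ESP unless an access-group on inside blocks it.
```

The PIX itself holds no crypto map or ISAKMP configuration for this; the IPsec policy lives on the two Windows servers, and the PIX can only see that an encrypted exchange is taking place, not which AD ports are inside it.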
ASKER CERTIFIED SOLUTION
Les Moore