Solved

PIX 515 Configuration

Posted on 2004-08-16
429 Views
Last Modified: 2013-11-16
We are using a PIX 515 and I would like to configure it to allow VPN users access to the DMZ servers (204.253.206.xxx) - they currently have access to inside and outside.  Could someone help with this?  Related Config is below.

I would also like to configure inside users to RDP into VPN users.  Is this possible?

access-list outside_dmz deny tcp any any eq 445
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq smtp
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq pop3
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq smtp
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq pop3
access-list outside_dmz permit tcp any host xx.xxx.xxx.211 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.195 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.196 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.197 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.198 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.199 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.200 eq www
access-list outside_dmz permit tcp any host 204.253.206.16 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.253 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.203 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.204 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.205 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.206 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.207 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.216 eq www
access-list outside_dmz permit tcp any host xx.xxx.xxx.210 eq 6129
access-list outside_dmz permit tcp any host xx.xxx.xxx.195 eq 6129
access-list outside_dmz permit tcp any host xx.xxx.xxx.253 eq 6129
access-list outside_dmz permit udp any any eq domain
access-list outside_dmz permit tcp any host xx.xxx.xxx.222 eq 3389
access-list dmz_access_in permit udp any any
access-list dmz_access_in permit tcp any any
access-list dmz_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.22
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192 255.255.255.22
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.192 255.255.255.22
access-list split permit ip 192.168.1.0 255.255.255.0 any
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-out deny tcp any any eq 445
access-list inside-out permit ip any any

global (outside) 10 xx.xxx.xxx.221
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
alias (inside) xx.xxx.xxx.196 204.253.206.11 255.255.255.255
alias (inside) xx.xxx.xxx.197 204.253.206.12 255.255.255.255
alias (inside) xx.xxx.xxx.198 204.253.206.13 255.255.255.255
alias (inside) xx.xxx.xxx.199 204.253.206.14 255.255.255.255
alias (inside) xx.xxx.xxx.200 204.253.206.15 255.255.255.255
alias (inside) xx.xxx.xxx.215 204.253.206.16 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) xx.xxx.xxx.210 204.253.206.30 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.211 204.253.206.31 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.195 204.253.206.10 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.196 204.253.206.11 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.197 204.253.206.12 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.198 204.253.206.13 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.199 204.253.206.14 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.200 204.253.206.15 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.215 204.253.206.16 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.202 204.253.206.20 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.203 204.253.206.21 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.204 204.253.206.22 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.205 204.253.206.23 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.206 204.253.206.24 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.207 204.253.206.25 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.216 204.253.206.26 netmask 255.255.255.255 0 0
static (dmz,outside) xx.xxx.xxx.222 204.253.206.50 netmask 255.255.255.255 0 0
access-group outside_dmz in interface outside
access-group inside-out in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.193 1
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication xxx
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup SRI address-pool xxx
vpngroup SRI dns-server 192.168.1.4 192.168.1.5
vpngroup SRI default-domain xxx.com
vpngroup SRI split-tunnel split
vpngroup SRI idle-time 1800
vpngroup SRI password ********
Question by:jss1199

5 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 11810603
Try adding:
nat (dmz) 0 access-list nonat

Assuming that this is your VPN address pool:
192.168.1.192 255.255.255.22  <-- missing something at the end?

What is your inside LAN subnet? Same 192.168.1.x ?



LVL 19

Author Comment

by:jss1199
ID: 11811636
The VPN pool is:
ip local pool xxx_VPN 192.168.1.201-192.168.1.210

The inside LAN is also 192.168.1.x

I'll try adding the nat statement
LVL 19

Author Comment

by:jss1199
ID: 11811765
lrmoore - After adding the nat (dmz) 0 access-list nonat and connecting to the VPN, I still cannot access DMZ servers.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11812203
I think  you may have to change your VPN address pool to be something other than the internal LAN.

If you have it something like 192.168.2.x, then your nat0 access-lists makes more sense:

access-list nonat1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat2 permit ip 204.253.206.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat1
nat (dmz) 0 access-list nonat2

Also suggest that you remove this access list from the DMZ interface, since you are permitting everything anyway:
access-list dmz_access_in permit udp any any
access-list dmz_access_in permit tcp any any
access-list dmz_access_in permit icmp any any
no access-group dmz_access_in in interface dmz
^^

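As an added illustration of the accepted answer (not code from the thread or from Cisco): a small Python check that parses the posted "ip local pool" line and PIX-style address/mask pairs, flags a pool that collides with the inside LAN, rejects a non-contiguous mask such as the 255.255.255.22 lrmoore queried, and emits the nat 0 exemptions in the shape the answer gives. The sample values are constructed from the thread; the 192.168.2.0/24 replacement pool is the one the answer proposes.

```python
import ipaddress
import re

# Constructed sample values lifted from the thread: inside LAN, DMZ network,
# the VPN pool line the author posted, and lrmoore's proposed replacement pool.
INSIDE_LAN = "192.168.1.0 255.255.255.0"
DMZ_NET = "204.253.206.0 255.255.255.0"
POOL_LINE = "ip local pool xxx_VPN 192.168.1.201-192.168.1.210"
PROPOSED_POOL = "192.168.2.0 255.255.255.0"

def parse_net(addr_mask):
    """PIX-style 'a.b.c.d m.m.m.m' -> IPv4Network; a bad mask raises ValueError."""
    addr, mask = addr_mask.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def mask_is_valid(mask):
    """True only for a contiguous netmask; the posted 255.255.255.22 fails."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{mask}")
        return True
    except ValueError:
        return False

def parse_pool(line):
    """Parse 'ip local pool NAME lo-hi' into (name, lo, hi)."""
    m = re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", line.strip())
    if not m:
        raise ValueError("not an 'ip local pool' line")
    return m[1], ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])

def nonat_lines(pool, inside, dmz):
    """nat 0 exemptions in the shape of the accepted answer (pool = whole subnet)."""
    p = f"{pool.network_address} {pool.netmask}"
    return [
        f"access-list nonat1 permit ip {inside.network_address} {inside.netmask} {p}",
        f"access-list nonat2 permit ip {dmz.network_address} {dmz.netmask} {p}",
        "nat (inside) 0 access-list nonat1",
        "nat (dmz) 0 access-list nonat2",
    ]

def review(pool_line, inside_str, dmz_str, proposed_pool=PROPOSED_POOL):
    """Does the current pool collide with the LAN, and which nat 0 lines fit the new one?"""
    inside, dmz, new_pool = (parse_net(s) for s in (inside_str, dmz_str, proposed_pool))
    name, lo, hi = parse_pool(pool_line)
    return {
        "pool": name,
        # any address of lo..hi inside the LAN means the pool overlaps it
        "overlaps_inside": lo <= inside.broadcast_address and hi >= inside.network_address,
        "proposed_clashes": new_pool.overlaps(inside) or new_pool.overlaps(dmz),
        "nat0": nonat_lines(new_pool, inside, dmz),
    }
```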
LVL 79

Expert Comment

by:lrmoore
ID: 12092766
Are you still working on this? Do you need more information?
Can you close out this question?