Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 714
  • Last Modified:

PIX 515 with 3des and DMZ config

Good Morning,

I am setting up a PIX 515 with a DMZ. Does anyone have a sample config of a PIX 515 with 3des and DMZ?

This is my 1st PIX with a DMZ, but I have done checkpoint FW with DMZ previously.

Are there any gotchas that I should be aware of?

Thanks in advance on this.

I am sure that I will be adding to this later on today or tomorrow.

Cepolly
0
cepolly
Asked:
cepolly
  • 2
  • 2
1 Solution
 
grbladesCommented:
Here are a few usefull links. The first contains many examples. My radius example is basically what you are after aswell except that I am using aes instead of 3des.

PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

The only real gotcha is to make sure the pool of IP addresses you allocate to VPN users is on a different subnet to your internal network. Most people use a range of IP's on the internal network the first time and this does not work properly.
0
 
cepollyAuthor Commented:
thanks for the info.

you just brought up something that I did not think of.

I am using 192.168.1.x for internal and 10.0.0.x for dmz.

so then it would just be a matter of giving VPN users 192.168.2.x or 10.0.1.x.

Also, should I use radius and what is required to use it from a server and configuration standpoint?

0
 
grbladesCommented:
Is there any change that you can change the IP addresses you use internally?
192.168.1.x is used by a large number of home DSL routers and you will find that these people will have problems using the VPN client because of this. You don't want to have to reconfigure all their routers.

Yes you can use 192.168.2.x etc... for the VPN users.

In basic VPN configuration you just have a group username and password for access and once authenticates all VPN users can access anything on your local LAN without restriction.

You can also in addition use LOCAL autoentication where the situation is as above but each user also get an additional popup box asking for their individual username and password. This is oviously much more secure as you don't want all users to share a common username/password.

The next option is to use RADIUS which is similar to LOCAL authentication but the account details are stored on a separate database. In addition with RADIUS you can assign an ACL to each person so you can limit what resources each individual user is permitted to access.
0
 
cepollyAuthor Commented:
I'm going to start a new post though this pne was answered to the extent of my question.

thank you
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now