PIX 515 with 3des and DMZ config

Good Morning,

I am setting up a PIX 515 with a DMZ. Does anyone have a sample config of a PIX 515 with 3des and DMZ?

This is my 1st PIX with a DMZ, but I have done checkpoint FW with DMZ previously.

Are there any gotchas that I should be aware of?

Thanks in advance on this.

I am sure that I will be adding to this later on today or tomorrow.

Cepolly
LVL 1
cepollyAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
grbladesConnect With a Mentor Commented:
Is there any change that you can change the IP addresses you use internally?
192.168.1.x is used by a large number of home DSL routers and you will find that these people will have problems using the VPN client because of this. You don't want to have to reconfigure all their routers.

Yes you can use 192.168.2.x etc... for the VPN users.

In basic VPN configuration you just have a group username and password for access and once authenticates all VPN users can access anything on your local LAN without restriction.

You can also in addition use LOCAL autoentication where the situation is as above but each user also get an additional popup box asking for their individual username and password. This is oviously much more secure as you don't want all users to share a common username/password.

The next option is to use RADIUS which is similar to LOCAL authentication but the account details are stored on a separate database. In addition with RADIUS you can assign an ACL to each person so you can limit what resources each individual user is permitted to access.
0
 
grbladesCommented:
Here are a few usefull links. The first contains many examples. My radius example is basically what you are after aswell except that I am using aes instead of 3des.

PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

The only real gotcha is to make sure the pool of IP addresses you allocate to VPN users is on a different subnet to your internal network. Most people use a range of IP's on the internal network the first time and this does not work properly.
0
 
cepollyAuthor Commented:
thanks for the info.

you just brought up something that I did not think of.

I am using 192.168.1.x for internal and 10.0.0.x for dmz.

so then it would just be a matter of giving VPN users 192.168.2.x or 10.0.1.x.

Also, should I use radius and what is required to use it from a server and configuration standpoint?

0
 
cepollyAuthor Commented:
I'm going to start a new post though this pne was answered to the extent of my question.

thank you
0
All Courses

From novice to tech pro — start learning today.