Solved

PIX 515 with 3des and DMZ config

Posted on 2004-08-23
Last Modified: 2013-11-16
Good Morning,

I am setting up a PIX 515 with a DMZ. Does anyone have a sample config of a PIX 515 with 3des and DMZ?

This is my 1st PIX with a DMZ, but I have done checkpoint FW with DMZ previously.

Are there any gotchas that I should be aware of?

Thanks in advance on this.

I am sure that I will be adding to this later on today or tomorrow.

Cepolly
Question by: cepolly
 
Expert Comment

by:grblades
ID: 11869335
Here are a few useful links. The first contains many examples. My RADIUS example is basically what you are after as well, except that I am using AES instead of 3DES.

PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

The only real gotcha is to make sure the pool of IP addresses you allocate to VPN users is on a different subnet to your internal network. Most people use a range of IP's on the internal network the first time and this does not work properly.

Author Comment

by:cepolly
ID: 11870478
thanks for the info.

you just brought up something that I did not think of.

I am using 192.168.1.x for internal and 10.0.0.x for dmz.

so then it would just be a matter of giving VPN users 192.168.2.x or 10.0.1.x.

Also, should I use radius and what is required to use it from a server and configuration standpoint?


Accepted Solution

by: grblades (earned 500 total points)
ID: 11870572
Is there any chance that you can change the IP addresses you use internally?
192.168.1.x is used by a large number of home DSL routers and you will find that these people will have problems using the VPN client because of this. You don't want to have to reconfigure all their routers.

Yes you can use 192.168.2.x etc... for the VPN users.

In basic VPN configuration you just have a group username and password for access, and once authenticated all VPN users can access anything on your local LAN without restriction.

You can also, in addition, use LOCAL authentication, where the situation is as above but each user also gets an additional popup box asking for their individual username and password. This is obviously much more secure, as you don't want all users to share a common username/password.

The next option is to use RADIUS which is similar to LOCAL authentication but the account details are stored on a separate database. In addition with RADIUS you can assign an ACL to each person so you can limit what resources each individual user is permitted to access.
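As an added example that is not from the original thread (and not taken from grblades's pages or Cisco's example list), here is a minimal PIX 6.3 configuration covering what the two expert comments above describe: a three-interface 515 (outside/inside/DMZ), a 3DES IPsec remote-access group whose client pool sits on a subnet separate from both the inside and DMZ networks, and the LOCAL and RADIUS authentication variants. Everything in it is a placeholder assumption: 203.0.113.x stands in for the public range, 192.168.1.10 for an internal DNS server, 192.168.1.20 for a RADIUS server, and `remoteusers`, `alice` and the passwords are made-up names.

```cisco
: Added example (PIX 6.3 syntax), not a configuration from this thread.
: Lines beginning with ':' are comments.

: Three interfaces: outside (security0), inside (security100), DMZ (security50)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: VPN client pool on its own subnet, separate from inside (192.168.1.x) and DMZ (10.0.0.x)
ip local pool vpnpool 192.168.2.1-192.168.2.100

: Exempt inside<->pool and DMZ<->pool traffic from NAT so VPN users see real addresses
access-list inside_nat0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list dmz_nat0 permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
nat (dmz) 0 access-list dmz_nat0

: Everything else from inside and DMZ is PATed to the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 1 10.0.0.0 255.255.255.0 0 0

: Identity translation so inside hosts reach DMZ hosts by their 10.0.0.x addresses
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

: Publish one DMZ web server (assumed 10.0.0.10); only TCP/80 is opened from the Internet
static (dmz,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

: IPsec remote access with 3DES/SHA; permit-ipsec lets decrypted VPN traffic bypass outside_in
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Group settings pushed to the Cisco VPN Client; the group password is the shared pre-shared key
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.10
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GROUP-PSK-PLACEHOLDER

: LOCAL authentication: each user also gets an individual username/password prompt
username alice password ALICE-PW-PLACEHOLDER privilege 2

: RADIUS alternative: replace the 'client authentication LOCAL' line above with these
: aaa-server RADIUS protocol radius
: aaa-server RADIUS (inside) host 192.168.1.20 RADIUS-SECRET-PLACEHOLDER timeout 10
: crypto map vpnmap client authentication RADIUS
```

The access-lists must exist before the `nat 0` and `access-group` lines reference them; otherwise order is not significant. No `split-tunnel` is configured, so all client traffic is tunnelled through the PIX, and because `sysopt connection permit-ipsec` bypasses the outside ACL for decrypted traffic, the per-user ACL that RADIUS can hand back (as grblades notes) is the control that actually limits what each VPN user reaches; how the RADIUS server returns that ACL depends on the server and the PIX release, so it is not shown here. `isakmp nat-traversal` needs 6.3 and matters for exactly the clients behind home DSL routers discussed above.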

Author Comment

by:cepolly
ID: 11896593
I'm going to start a new post, though this one was answered to the extent of my question.

thank you