Solved

PIX 515 with 3des and DMZ config

Posted on 2004-08-23
4
708 Views
Last Modified: 2013-11-16
Good Morning,

I am setting up a PIX 515 with a DMZ. Does anyone have a sample config of a PIX 515 with 3des and DMZ?

This is my 1st PIX with a DMZ, but I have done checkpoint FW with DMZ previously.

Are there any gotchas that I should be aware of?

Thanks in advance on this.

I am sure that I will be adding to this later on today or tomorrow.

Cepolly
0
Comment
Question by:cepolly
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11869335
Here are a few usefull links. The first contains many examples. My radius example is basically what you are after aswell except that I am using aes instead of 3des.

PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html

The only real gotcha is to make sure the pool of IP addresses you allocate to VPN users is on a different subnet to your internal network. Most people use a range of IP's on the internal network the first time and this does not work properly.
0
 
LVL 1

Author Comment

by:cepolly
ID: 11870478
thanks for the info.

you just brought up something that I did not think of.

I am using 192.168.1.x for internal and 10.0.0.x for dmz.

so then it would just be a matter of giving VPN users 192.168.2.x or 10.0.1.x.

Also, should I use radius and what is required to use it from a server and configuration standpoint?

0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11870572
Is there any change that you can change the IP addresses you use internally?
192.168.1.x is used by a large number of home DSL routers and you will find that these people will have problems using the VPN client because of this. You don't want to have to reconfigure all their routers.

Yes you can use 192.168.2.x etc... for the VPN users.

In basic VPN configuration you just have a group username and password for access and once authenticates all VPN users can access anything on your local LAN without restriction.

You can also in addition use LOCAL autoentication where the situation is as above but each user also get an additional popup box asking for their individual username and password. This is oviously much more secure as you don't want all users to share a common username/password.

The next option is to use RADIUS which is similar to LOCAL authentication but the account details are stored on a separate database. In addition with RADIUS you can assign an ACL to each person so you can limit what resources each individual user is permitted to access.
0
 
LVL 1

Author Comment

by:cepolly
ID: 11896593
I'm going to start a new post though this pne was answered to the extent of my question.

thank you
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question