Some firewall config clarification and VPN configuration questions--easy points.

Posted on 2004-09-14
Last Modified: 2013-11-16
Each day I understand a little more about the different commands.  I have had a moment of clarity and wanted to run my thoughts by someone:

Here is what I have now.
nat (inside) 0 access-list 102
ip local pool vpnpool 192.168.111.1-192.168.111.15
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 102

I was told to add access-list 103 for the split tunnel command leading to this new config:

nat (inside) 0 access-list 102
ip local pool vpnpool 192.168.111.1-192.168.111.15
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 103

Access list 102 identifies the traffic that is exempted from NAT for the VPN?
Access list 103 is not filtering traffic it merely identifies which traffic (based on source and destination IP) will be encrypted across the VPN?

I need to configure a PIX 501 v06.3(3) to support different types of people connecting: some employees and some contractors (i.e. limited access to certain IPs and possibly certain types of traffic). I might want these people to copy files but not start a telnet session. Not sure yet. The higher ups are still working that out.

I will create a new vpngroup for the contractors with a separate address-pool.  Is there a way to limit where these people can go?  I had thought the access-lists would be the way to go, but I am not sure.  Would this work to support the multiple vpngroups?

nat (inside) 0 access-list 102
nat (inside) 0 access-list 122
ip local pool vpnpool 192.168.111.1-192.168.111.15
ip local pool contractorpool 192.168.121.1-192.168.121.7
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 122 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list 123 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 103
. . .
vpngroup contractor address-pool contractorpool
vpngroup contractor split-tunnel 123
<I am only putting a few of the command lines here.  I know there are others that would need to be included>

Could I add the following to access-list 122 to restrict traffic?
access-list 122 deny tcp 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0 eq telnet
access-list 122 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0

To prevent the contractors from surfing the Internet could I just change
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
to
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 192.168.111.0 255.255.255.0 <assuming I decide to let regular people surf>

My final question is how do I prevent simultaneous access to both the remote user's local LAN and to the corporate LAN while VPN'ed?

Depending on the complexity of the answers I'll be happy to split these up into other questions, so I can get people an appropriate point value.
Thanks.
Question by:averyb
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12060654
>nat (inside) 0 access-list 102
>nat (inside) 0 access-list 122

Not quite. You can only have one nat "0"
Simply add multiple lines to the one access-list 102 for each tunnel

You have the concept down pretty well. Using different groups, and by definition different acls that define the VPN traffic, you can easily define what a group can do. An alternative is to use RADIUS authentication and multiple access-lists based on user or group affiliation. The Radius server tells the PIX what acl to apply based on the user login.

>To prevent the contractors from surfing the Internet
Assume you mean while connected to the VPN?
Same question as:
>how do I prevent simultaneous access to both the remote user's local LAN and to the corporate LAN while VPN'ed?
Same answer for both dilemmas - split-tunnel acls, i.e.:

access-list 101 permit ip any <vpnpool> <netmask>
vpngroup <GROUP> split-tunnel 101
The above configuration enables split-tunneling and permits simultaneous Internet and VPN use. Simply disable split-tunnel and your wish is fulfilled:

no vpngroup <GROUP> split-tunnel <acl>

LVL 4

Author Comment

by:averyb
ID: 12065849
Here is an updated configuration:

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 102 deny tcp host 192.168.100.2 192.168.112.0 255.255.255.248 eq telnet
access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248

access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 103 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248

nat (inside) 0 access-list 102
ip local pool vpnpool1 192.168.111.1-192.168.111.15
ip local pool vpnpool2 192.168.112.1-192.168.112.7
vpngroup vpn1 address-pool vpnpool1
vpngroup vpn1 dns-server 192.168.100.254
vpngroup vpn1 default-domain blah.com
vpngroup vpn1 split-tunnel 102
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********
vpngroup split-tunnel idle-time 1800
vpngroup vpn2 address-pool vpnpool2
vpngroup vpn2 dns-server 192.168.100.254
vpngroup vpn2 default-domain blah.com
vpngroup vpn2 split-tunnel 102
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********

Which access-list should I associate with split-tunnel for each vpn?  Going under the premise that I should use separate access-lists for split-tunnel and nat (inside) 0.  People coming in under VPN1 can go everywhere on the corporate network.  VPN2 users, however, are limited to just the one server.

Three types of access from the remote user's perspective:
1) Access to their local LAN
2) Access to corporate LAN
3) Access to Internet (through corporate LAN)
Can I only allow #2 without #1 or #3?
Does #2 imply/require #3 and vice versa?

Thanks again for the help.
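The points raised so far (only one nat 0 ACL, split-tunnel ACLs that select rather than filter, one ACL per vpngroup, and the pool having to be NAT-exempt) can be checked mechanically. The Python linter below is an added example, not code from the thread or from Cisco; it parses the PIX 6.3 lines used above and assumes, as the thread does, that each split-tunnel ACL entry pairs a corporate network with that group's own address pool.

```python
import ipaddress
# Constructed sample: the updated PIX 6.3 config from this thread plus a hypothetical second "nat (inside) 0" line.
SAMPLE_CONFIG = """access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 102 deny tcp host 192.168.100.2 192.168.112.0 255.255.255.248 eq telnet
access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248
nat (inside) 0 access-list 102
nat (inside) 0 access-list 122
ip local pool vpnpool1 192.168.111.1-192.168.111.15
ip local pool vpnpool2 192.168.112.1-192.168.112.7
vpngroup vpn1 address-pool vpnpool1
vpngroup vpn1 split-tunnel 102
vpngroup vpn2 address-pool vpnpool2
vpngroup vpn2 split-tunnel 102"""
def _net(tok):  # one PIX address spec ('any', 'host A' or 'A MASK') -> (network, remaining tokens)
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    n = 1 if tok[0] == "any" else 2
    return ipaddress.ip_network("0.0.0.0/0" if n == 1 else f"{tok[0]}/{tok[1]}", strict=False), tok[n:]

def parse_config(text):
    """Return ACL entries as (action, proto, src, dst), address pools, vpngroup settings and nat 0 ACL names."""
    acls, pools, groups, nat0 = {}, {}, {}, []
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["access-list"] and len(t) > 5 and t[2] in ("permit", "deny"):
            src, rest = _net(t[4:])  # trailing port qualifiers such as 'eq telnet' are ignored
            acls.setdefault(t[1], []).append((t[2], t[3], src, _net(rest)[0]))
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0.append(t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[:1] == ["vpngroup"] and len(t) > 3 and t[2] in ("address-pool", "split-tunnel"):
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acls, pools, groups, nat0

def lint(text):
    """Findings: duplicate nat 0, pools not NAT-exempt, deny or foreign entries in split-tunnel ACLs."""
    acls, pools, groups, nat0 = parse_config(text)
    covers = lambda pool, net: pool[0] in net and pool[1] in net  # whole pool range lies inside net
    out = [f"only one 'nat (inside) 0' is honoured, found {nat0}: merge them into one ACL"] if len(nat0) > 1 else []
    exempt = [e for e in acls.get(nat0[0], []) if e[0] == "permit"] if nat0 else []
    for name, g in groups.items():
        pool = pools[g["address-pool"]]
        if not any(covers(pool, e[3]) for e in exempt):
            out.append(f"{name}: pool is not exempted from NAT by the nat 0 ACL")
        for action, proto, src, dst in acls.get(g.get("split-tunnel"), []):
            if action == "deny":  # a split-tunnel ACL only selects traffic to encrypt; it never filters
                out.append(f"{name}: deny entry in split-tunnel ACL filters nothing ({proto} {src} -> {dst})")
            elif not covers(pool, dst):
                out.append(f"{name}: split-tunnel entry {src} -> {dst} belongs to another group's pool")
    return out
```

lint(SAMPLE_CONFIG) returns five findings: the duplicate nat 0 statement, the deny entry once per group, and one cross-pool entry per group.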
LVL 4

Author Comment

by:averyb
ID: 12069407
Continuation on the same subject:

What telnet command is needed to allow vpn1 folks to telnet to the firewall?

telnet 0.0.0.0 0.0.0.0 inside is already in there.
telnet 192.168.111.0 255.255.255.240 outside didn't work.

LVL 4

Author Comment

by:averyb
ID: 12069540
I think I am backwards on these access-lists.

access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.24
LVL 4

Author Comment

by:averyb
ID: 12069580

Ignore that last post

LVL 79

Expert Comment

by:lrmoore
ID: 12070812
>What telnet command is needed to allow vpn1 folks to telnet to the firewall?

No can do. Telnet will never be allowed from anywhere on the outside interface. It's a "feature" of the PIX.
Why would you ever want a user to telnet directly to the firewall? If you want to manage it from a VPN, suggest using either SSH or the secure web gui.
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 12074254
Actually, if you need to telnet to the PIX from a VPN, use the management-access command:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951

