Solved

Some firewall config clarification and VPN configuration questions--easy points.

Posted on 2004-09-14
1,212 Views
Last Modified: 2013-11-16
Each day I understand a little more about the different commands.  I have had a moment of clarity and wanted to run my thoughts by someone:

Here is what I have now.
nat (inside) 0 access-list 102
ip local pool vpnpool 192.168.111.1-192.168.111.15
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 102

I was told to add access-list 103 for the split tunnel command leading to this new config:

nat (inside) 0 access-list 102
ip local pool vpnpool 192.168.111.1-192.168.111.15
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 103

Access list 102 identifies the traffic that is exempted from NAT for the VPN?
Access list 103 is not filtering traffic it merely identifies which traffic (based on source and destination IP) will be encrypted across the VPN?

I need to configure a PIX 501 v06.3(3) to support different types of people connecting. Some employees and some contractors (i.e. limited access to certain IPs and possibly certain types of traffic). I might want these people to copy files but not start a telnet session. Not sure yet. The higher ups are still working that out.

I will create a new vpngroup for the contractors with a separate address-pool.  Is there a way to limit where these people can go?  I had thought the access-lists would be the way to go, but I am not sure.  Would this work to support the multiple vpngroups?

nat (inside) 0 access-list 102
nat (inside) 0 access-list 122
ip local pool vpnpool 192.168.111.1-192.168.111.15
ip local pool contractorpool 192.168.121.1-192.168.121.7
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 122 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list 123 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 103
. . .
vpngroup contractor address-pool contractorpool
vpngroup contractor split-tunnel 123
<I am only putting a few of the command lines here.  I know there are others that would need to be included>

Could I add the following to access-list 122 to restrict traffic?
access-list 122 deny tcp 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0 eq telnet
access-list 122 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0

To prevent the contractors from surfing the Internet could I just change
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
to
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 192.168.111.0 255.255.255.0 <assuming I decide to let regular people surf>

My final question is how do I prevent simultaneous access to both the remote user's local LAN and to the corporate LAN while VPN'ed?

Depending on the complexity of the answers I'll be happy to split these up into other questions, so I can get people an appropriate point value.
Thanks.
Question by:averyb

7 Comments
Expert Comment by:lrmoore (LVL 79), ID: 12060654
>nat (inside) 0 access-list 102
>nat (inside) 0 access-list 122

Not quite. You can only have one nat "0"
Simply add multiple lines to the one access-list 102 for each tunnel

You have the concept down pretty well. Using different groups, and by definition different acls that define the VPN traffic, you can easily define what a group can do. An alternative is to use RADIUS authentication and multiple access-lists based on user or group affiliation. The Radius server tells the PIX what acl to apply based on the user login.

>To prevent the contractors from surfing the Internet
Assume you mean while connected to the VPN?
Same question as:
>how do I prevent simultaneous access to both the remote user's local LAN and to the corporate LAN while VPN'ed?
Same answer for both dilemmas - split-tunnel acls, i.e.:

access-list 101 permit ip any <vpnpool> <netmask>
vpngroup <GROUP> split-tunnel 101
The above configuration enables split-tunneling and permits simultaneous Internet and VPN use. Simply disable split-tunnel and your wish is fulfilled:

no vpngroup <GROUP> split-tunnel <acl>


Author Comment by:averyb (LVL 4), ID: 12065849
Here is an updated configuration:

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 102 deny tcp host 192.168.100.2 192.168.112.0 255.255.255.248 eq telnet
access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248

access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 103 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248

nat (inside) 0 access-list 102
ip local pool vpnpool1 192.168.111.1-192.168.111.15
ip local pool vpnpool2 192.168.112.1-192.168.112.7
vpngroup vpn1 address-pool vpnpool1
vpngroup vpn1 dns-server 192.168.100.254
vpngroup vpn1 default-domain blah.com
vpngroup vpn1 split-tunnel 102
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********
vpngroup split-tunnel idle-time 1800
vpngroup vpn2 address-pool vpnpool2
vpngroup vpn2 dns-server 192.168.100.254
vpngroup vpn2 default-domain blah.com
vpngroup vpn2 split-tunnel 102
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********

Which access-list should I associate with split-tunnel for each vpn?  Going under the premise that I should use separate access-lists for split-tunnel and nat (inside) 0.  People coming in under VPN1 can go everywhere on the corporate network.  VPN2 users, however, are limited to just the one server.

Three types of access from the remote user's perspective:
1) Access to their local LAN
2) Access to corporate LAN
3) Access to Internet (through corporate LAN)
Can I only allow #2 without #1 or #3?
Does #2 imply/require #3 and vice versa?

Thanks again for the help.
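An added example, not code from the thread or from Cisco: a small Python checker that parses access-list lines in the PIX syntax used in this comment (real subnet masks rather than wildcard masks, the host and any keywords, an optional eq <port>) and reports, for an inside-host to VPN-client flow, whether the nat (inside) 0 ACL exempts it from NAT and whether the split-tunnel ACL covers it. The sample configuration embedded in the block is constructed from the updated configuration above; first-match evaluation for the nat 0 ACL and treating the split-tunnel ACL as a set of permitted networks (ports ignored, deny lines carrying no meaning) are assumptions of this model, and the PORT_NAMES table is an assumed subset of the PIX service keywords. It makes concrete the distinction drawn in the original question between classifying traffic and filtering it: a flow that hits the deny telnet line in ACL 102 simply loses its NAT exemption while still being covered by the split-tunnel list, so a deny entry in these ACLs is not a packet filter.

```python
"""Evaluate PIX 6.x-style access-lists as used by "nat (inside) 0" and
"vpngroup ... split-tunnel". Added example with a constructed sample config;
first-match semantics for the nat 0 ACL are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed subset of the service-name keywords PIX accepts after "eq".
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443, "ftp": 21}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port from "eq <port>", if any


def _parse_addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # PIX ACLs take a normal subnet mask (255.255.255.0), not a wildcard mask.
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect access-list entries per ACL id, preserving configuration order."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
            continue  # skip blank lines, remarks and unrelated commands
        name, action, proto = toks[1], toks[2], toks[3]
        src, i = _parse_addr(toks, 4)
        dst, i = _parse_addr(toks, i)
        dport = None
        if i + 1 < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, dport))
    return acls


def match(entries: List[AclEntry], src: str, dst: str,
          proto: str = "ip", dport: Optional[int] = None) -> Optional[str]:
    """Action of the first entry matching the flow, or None (nothing matched)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return None


def split_tunneled(entries: List[AclEntry], src: str, dst: str) -> bool:
    """Assumed model of the split-tunnel list: the permit entries describe the
    networks pushed to the client, so any covering permit entry means the flow
    goes through the tunnel; ports and deny lines are not considered."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(e.action == "permit" and s in e.src and d in e.dst for e in entries)


def classify(acls: Dict[str, List[AclEntry]], nat0_acl: str, split_acl: str,
             src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Dict[str, bool]:
    """Flow is written from the inside network (src) towards the VPN client (dst),
    the same direction both ACLs are written in."""
    return {
        "nat_exempt": match(acls[nat0_acl], src, dst, proto, dport) == "permit",
        "tunneled": split_tunneled(acls[split_acl], src, dst),
    }


# Constructed sample, modelled on the updated configuration in the thread.
SAMPLE_CONFIG = """\
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 102 deny tcp host 192.168.100.2 192.168.112.0 255.255.255.248 eq telnet
access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 103 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248
nat (inside) 0 access-list 102
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    # vpnpool2 client 192.168.112.3 and the one server 192.168.100.2: telnet vs ssh
    print("telnet:", classify(acls, "102", "103", "192.168.100.2", "192.168.112.3", "tcp", 23))
    print("ssh:   ", classify(acls, "102", "103", "192.168.100.2", "192.168.112.3", "tcp", 22))
    # another inside host to the same client: covered by neither ACL
    print("other: ", classify(acls, "102", "103", "192.168.100.50", "192.168.112.3", "tcp", 22))
```

Running it shows the telnet flow as tunneled but not NAT-exempt, the ssh flow as both, and the flow from any other inside host to a vpnpool2 client as neither. Feeding the checker a candidate ACL before committing it to the PIX is a cheap way to confirm that the nat 0 and split-tunnel lists cover exactly the address pairs intended for each vpngroup.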

Author Comment by:averyb (LVL 4), ID: 12069407
Continuation on the same subject:

What telnet command is needed to allow vpn1 folks to telnet to the firewall?

telnet 0.0.0.0 0.0.0.0 inside is already in there.
telnet 192.168.111.0 255.255.255.240 outside didn't work.

Author Comment by:averyb (LVL 4), ID: 12069540
I think I am backwards on these access-lists.

access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.24

Author Comment by:averyb (LVL 4), ID: 12069580
Ignore that last post


Expert Comment by:lrmoore (LVL 79), ID: 12070812
>What telnet command is needed to allow vpn1 folks to telnet to the firewall?

No can do. Telnet will never be allowed from anywhere on the outside interface. It's a "feature" of the PIX.
Why would you ever want a user to telnet directly to the firewall? If you want to manage it from a VPN, suggest using either SSH or the secure web gui.

Accepted Solution by:lrmoore (LVL 79), earned 500 total points, ID: 12074254
Actually, if you need to telnet to the PIX from a VPN, use the management-access command:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#wp1137951