averyb asked:

Some firewall config clarification and VPN configuration questions--easy points.

Each day I understand a little more about the different commands.  I have had a moment of clarity and wanted to run my thoughts by someone:

Here is what I have now.
nat (inside) 0 access-list 102
ip local pool vpnpool 192.168.111.1-192.168.111.15
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 102

I was told to add access-list 103 for the split tunnel command leading to this new config:

nat (inside) 0 access-list 102
ip local pool vpnpool 192.168.111.1-192.168.111.15
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 103

Access list 102 identifies the traffic that is exempted from NAT for the VPN?
Access list 103 is not filtering traffic it merely identifies which traffic (based on source and destination IP) will be encrypted across the VPN?

I need to configure a PIX 501 v06.3(3) to support different types of people connecting. Some employees and some contractors (i.e. limited access to certain IPs and possibly certain types of traffic). I might want these people to copy files but not start a telnet session. Not sure yet. The higher ups are still working that out.

I will create a new vpngroup for the contractors with a separate address-pool.  Is there a way to limit where these people can go?  I had thought the access-lists would be the way to go, but I am not sure.  Would this work to support the multiple vpngroups?

nat (inside) 0 access-list 102
nat (inside) 0 access-list 122
ip local pool vpnpool 192.168.111.1-192.168.111.15
ip local pool contractorpool 192.168.121.1-192.168.121.7
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list 122 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list 123 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0
vpngroup hello address-pool vpnpool
vpngroup hello split-tunnel 103
. . .
vpngroup contractor address-pool contractorpool
vpngroup contractor split-tunnel 123
<I am only putting a few of the command lines here.  I know there are others that would need to be included>

Could I add the following to access-list 122 to restrict traffic?
access-list 122 deny tcp 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0 eq telnet
access-list 122 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.0

To prevent the contractors from surfing the Internet could I just change
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
to
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 192.168.111.0 255.255.255.0 <assuming I decide to let regular people surf>

My final question is how do I prevent simultaneous access to both the remote user's local LAN and to the corporate LAN while VPN'ed?

Depending on the complexity of the answers I'll be happy to split these up into other questions, so I can get people an appropriate point value.
Thanks.
Les Moore:

>nat (inside) 0 access-list 102
>nat (inside) 0 access-list 122

Not quite. You can only have one nat "0".
Simply add multiple lines to the one access-list 102 for each tunnel.

You have the concept down pretty well. Using different groups, and by definition different acls that define the VPN traffic, you can easily define what a group can do. An alternative is to use RADIUS authentication and multiple access-lists based on user or group affiliation. The Radius server tells the PIX what acl to apply based on the user login.

>To prevent the contractors from surfing the Internet
Assume you mean while connected to the VPN?
Same question as:
>how do I prevent simultaneous access to both the remote user's local LAN and to the corporate LAN while VPN'ed?
Same answer for both dilemmas - split-tunnel acls, i.e.:

access-list 101 permit ip any <vpnpool> <netmask>
vpngroup <GROUP> split-tunnel 101
The above configuration enables split-tunneling and permits simultaneous Internet and VPN use. Simply disable split-tunnel and your wish is fulfilled:

no vpngroup <GROUP> split-tunnel <acl>
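An added example, not from the thread or from Cisco: a small Python model of the two roles separated above, the single nat (inside) 0 exemption list and a per-vpngroup split-tunnel list, using the asker's addresses with a constructed ACL set that follows the advice of one nat 0 list carrying a line per pool. The PIX evaluates both lists as first-match classifiers, and the helper names (parse_acl, first_match, vpn_flow) are mine.

```python
# Added example: PIX 6.3 nat 0 exemption and split-tunnel ACLs as first-match classifiers.
import ipaddress

def _addr(tok, i):
    """Read one PIX address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """'access-list <id> permit|deny ip <src> <dst>' -> {id: [(action, src, dst)]}, in order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # blank lines and protocols this small model does not cover
        src, i = _addr(tok, 4)
        dst, _ = _addr(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def first_match(aces, src_ip, dst_ip):
    """Action of the first entry matching the flow; None is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((act for act, sn, dn in aces if s in sn and d in dn), None)

def vpn_flow(acls, nat0_acl, split_acl, inside_ip, client_ip):
    """Classify an inside-host <-> VPN-client flow. Both lists are written
    inside-network -> pool, so the inside host is the ACL source. A 'deny'
    only drops the flow out of that role; neither list filters packets."""
    return {
        "nat_exempt": first_match(acls[nat0_acl], inside_ip, client_ip) == "permit",
        "tunneled": first_match(acls[split_acl], inside_ip, client_ip) == "permit",
    }

# Constructed config per the answer: ONE nat 0 ACL (102) with a line per pool,
# plus a split-tunnel ACL per vpngroup (103 employees, 123 contractors).
CONFIG = """
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.121.0 255.255.255.248
access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 123 permit ip host 192.168.100.2 192.168.121.0 255.255.255.248
""".splitlines()
ACLS = parse_acl(CONFIG)
# Contractor 192.168.121.3 -> 192.168.100.50: NAT-exempt via 102, but 123 does not
# push that network, so the client sends it in the clear rather than tunneling it.
CONTRACTOR_TO_OTHER_HOST = vpn_flow(ACLS, "102", "123", "192.168.100.50", "192.168.121.3")
```

The split-tunnel list is applied by the client, so it steers traffic rather than enforcing access; restricting what a group can reach needs a per-user or per-group access-list such as the RADIUS-assigned one described in the answer above.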

averyb (ASKER):

Here is an updated configuration:

access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 102 deny tcp host 192.168.100.2 192.168.112.0 255.255.255.248 eq telnet
access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248

access-list 103 permit ip 192.168.100.0 255.255.255.0 192.168.111.0 255.255.255.240
access-list 103 permit ip host 192.168.100.2 192.168.112.0 255.255.255.248

nat (inside) 0 access-list 102
ip local pool vpnpool1 192.168.111.1-192.168.111.15
ip local pool vpnpool2 192.168.112.1-192.168.112.7
vpngroup vpn1 address-pool vpnpool1
vpngroup vpn1 dns-server 192.168.100.254
vpngroup vpn1 default-domain blah.com
vpngroup vpn1 split-tunnel 102
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password ********
vpngroup split-tunnel idle-time 1800
vpngroup vpn2 address-pool vpnpool2
vpngroup vpn2 dns-server 192.168.100.254
vpngroup vpn2 default-domain blah.com
vpngroup vpn2 split-tunnel 102
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********

Which access-list should I associate with split-tunnel for each vpn?  Going under the premise that I should use separate access-lists for split-tunnel and nat (inside) 0.  People coming in under VPN1 can go everywhere on the corporate network.  VPN2 users, however, are limited to just the one server.

Three types of access from the remote user's perspective:
1) Access to their local LAN
2) Access to corporate LAN
3) Access to Internet (through corporate LAN)
Can I only allow #2 without #1 or #3?
Does #2 imply/require #3 and vice versa?

Thanks again for the help.
averyb (ASKER):

Continuation on the same subject:

What telnet command is needed to allow vpn1 folks to telnet to the firewall?

telnet 0.0.0.0 0.0.0.0 inside is already in there.
telnet 192.168.111.0 255.255.255.240 outside didn't work.


averyb (ASKER):

I think I am backwards on these access-lists.

access-list 102 permit ip host 192.168.100.2 192.168.112.0 255.255.255.24
averyb (ASKER):

Ignore that last post

>What telnet command is needed to allow vpn1 folks to telnet to the firewall?

No can do. Telnet will never be allowed from anywhere on the outside interface. It's a "feature" of the PIX.
Why would you ever want a user to telnet directly to the firewall? If you want to manage it from a VPN, suggest using either SSH or the secure web gui.
ASKER CERTIFIED SOLUTION
Les Moore