Solved: VPN

Posted on 2005-03-16
Last Modified: 2011-09-20
Ok,

I see what you are saying...

I have obtained a static IP from my ISP so that I can tell my PIX to accept connections from that IP.

I need to terminate an IPsec tunnel from my static IP to the firewall via the Internet.

How do I do this on a PIX 501? Please supply the exact command line.



Question by:hitechauto
11 Comments
 
Expert Comment by: amiurchaudry (ID: 13555267)
Seeing as you have a Cisco PIX, you do not need a static IP for your client side.  On the client side, you install and run the Cisco VPN client software and you configure a connection on that software which initiates a tunnel that terminates at the static address of the PIX firewall.  This is just the address of the outside interface.

The client software uses the vpngroup name that you configure on the PIX and usually the shared key, or the certificate if you are using certificates, to create and authenticate the tunnel.  After this, there is usually a challenge/response for user authentication, which is usually done through an authentication server on the internal LAN behind the firewall.  We have used Novell's BorderManager product in an NDS environment and various RADIUS servers in an AD environment.

There is a whole series of commands on the PIX side to set this up.

ip address outside (ip address) (mask)

This is the address of the outside interface and it is what the client software will try to contact for access

aaa-server RADIUS (inside) host [hostname] [shared secret] timeout  x

This is the internal server that will authenticate users, inside represents the interface that the server is on

VPN  STUFF

  *** Permit Secure Traffic
sysopt connection permit-ipsec
no sysopt route dnat

  *** VPN Connection Traffic Encryption and Authentication
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map [name] 20 ipsec-isakmp dynamic cisco
crypto map [name] client configuration address initiate
crypto map [name] client configuration address respond
crypto map [name] client authentication RADIUS
crypto map [name] interface outside

  *** VPN KEY Settings
isakmp enable outside
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 50400

  *** VPN Groups and Settings
vpngroup [name] address-pool vpnpool
vpngroup [name] default-domain [domainname]
vpngroup [name] split-tunnel 80
vpngroup [name] idle-time 1800
vpngroup [name] password [shared key]
vpngroup address-pool idle-time 1800
Author Comment by: hitechauto (ID: 13555471)
Ok,

Now using what I have:

I have a static IP and the Windows XP VPN client software; that will work fine.

When I dial up to my ISP I will then launch Remote Desktop and enter the firewall hostname or IP.

On the PIX...

I am stupid when it comes to the PIX, so you will have to be very specific. I have supplied the current PIX config below; have a look and let me know what to do (I will need the exact command line to enter).

Here is the config:

Hi-Tech(config)# show config
: Saved
: Written by enable_15 at 07:19:17.849 UTC Mon Mar 14 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password nC1TgPA/j9j.bzQi encrypted
passwd nC1TgPA/j9j.bzQi encrypted
hostname Hi-Tech
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1273
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUT_IN permit tcp any host 196.34.84.1 eq smtp
access-list OUT_IN permit tcp any host 196.34.84.1 eq pop3
access-list OUT_IN permit icmp any any echo-reply
access-list OUT_IN permit icmp any any time-exceeded
access-list OUT_IN permit icmp any any timestamp-reply
access-list OUT_IN permit tcp any host 196.34.84.1 eq www
access-list OUT_IN permit tcp any host 196.34.84.1 eq ftp
access-list OUT_IN permit tcp any host 196.34.84.4 eq ftp
access-list OUT_IN permit tcp any any eq 81
access-list IN_OUT permit ip host 192.168.0.1 any
access-list IN_OUT permit ip host 192.168.0.2 any
access-list IN_OUT permit udp any any eq isakmp
access-list IN_OUT permit esp any any
access-list IN_OUT permit tcp any any eq 81
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 196.34.84.13 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.0.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 196.34.84.4-196.34.84.12 netmask 255.255.255.240
global (outside) 1 196.34.84.3 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 196.34.84.1 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) 196.34.84.1 192.168.0.1 netmask 255.255.255.255 0 0
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.34.84.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a7e25e02cd7f43bf95707ce6d0e0cd74
 
Accepted Solution by: amiurchaudry (earned 2000 total points; ID: 13561861)
Add the following; lines starting *** are comments.

[name] is a variable you type in that represents the crypto map; it is a name.
[vpnname] is the name of the vpngroup that will be configured in the client.
[domainname] is the name of your internal LAN domain.
[sharedkey] is the password that will also be configured on the client.
The client connection will be pointed to 196.34.84.13.
How will you authenticate the users who are connecting?
This will just establish a tunnel and connection between the two endpoints.

Incidentally, it is not advisable to just post your configuration without masking out the critical information as to your addresses and mappings and the encoded passwords.


 *** Permit Secure Traffic
sysopt connection permit-ipsec
no sysopt route dnat

  *** VPN Connection Traffic Encryption and Authentication
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map [name] 20 ipsec-isakmp dynamic cisco
crypto map [name] client configuration address initiate
crypto map [name] client configuration address respond
crypto map [name] client authentication RADIUS
crypto map [name] interface outside

  *** VPN KEY Settings
isakmp enable outside
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 50400

  *** VPN Groups and Settings
vpngroup [vpnname] address-pool vpnpool
vpngroup [vpnname] default-domain [domainname]
vpngroup [vpnname] split-tunnel 80
vpngroup [vpnname] idle-time 1800
vpngroup [vpnname] password [shared key]
vpngroup address-pool idle-time 1800
Author Comment by: hitechauto (ID: 13562523)
Thanks, all seems to be great now

I am however stuck on the following:

when i type "vpngroup [vpnname] address-pool vpnpool"

it does not seem to accept the command; it says the following:
Error: ip pool hitech is not defined.

what do i do here?
Expert Comment by: gpriceee (ID: 13562545)
Hello. Other than the VPN issue, I took a look at your config and found some things you might want to address:

Before you make any changes, back up your config to a TFTP server. SolarWinds works great. Once you have it set up, the command is (replace ipaddress with the TFTP server address and the filename with something you'll recognize):
write net ipaddress:file

Version 6.3(4) is available and addresses security issues.

Your interface ethernet0 is set to auto. It is recommended to set it to a specified speed. Make sure it matches the device to which it's connected. Your choices are: 10baset, 10full, 100basetx, 100full. The command, depending on the speed, is:
interface ethernet0 100full

You've enabled fixup protocol dns maximum-length 512. An old RFC stated that 512 was the max for DNS, but that is no longer the case, and you might run into issues with certain websites such as Yahoo!, whose replies are 516. I would enter:
no fixup protocol dns maximum-length 512

You also don't have a route entry for your inside interface; you might want to enter (replace gatewayADDR with your inside gateway; the number after the gateway should remain 1 in this instance [metric]):
route inside 192.168.0.254 255.255.255.0 gatewayADDR 1

Since you haven't applied an access-group of IN_OUT to anything, you can probably drop those commands.

Change your xlate timeout for increased performance. The command is:
timeout xlate 1:00:00

I hope all goes well for you, and welcome to the PIX!
Author Comment by: hitechauto (ID: 13562644)
Thanks for that, "gpriceee".

Please look at the following:

VPN GROUP SETTINGS: (list of commands which I had to type, with the following errors)

vpngroup [hitech] address-pool vpnpool            error: "ip pool vpnpool is not defined"
vpngroup [vpnname] default-domain [domainname]    "worked fine"
vpngroup [vpnname] split-tunnel 80                error: "access-list 80 not found"
vpngroup [vpnname] idle-time 1800                 "worked fine"
vpngroup [vpnname] password [shared key]          "worked fine"
vpngroup address-pool idle-time 1800              "worked fine"

On the password [share key], where it states share key, must I type in the password I will use from the client?
Expert Comment by: amiurchaudry (ID: 13562663)
the 80 refers to an access list that is used to control access

access-list 80 permit ip (src network) (netmask) (dest network) (netmask)

(dest network) is the ip network assigned to incoming vpn clients

ip local pool vpnpool (address range for incoming vpn clients)   usually something like 192.168.10.1-192.168.10.254



Expert Comment by: amiurchaudry (ID: 13562665)
Oh and yes, [share key] is the password that will be used from the client
Author Comment by: hitechauto (ID: 13562708)
ATT: "amiurchaudry"

Thanks for all the help. Question: (sorry for being stupid with all this)

(src network) ??? Which IPs are those? Is this the static IP I got from my ISP, for the VPN to accept?
(dest network) Is the destination the IP of my firewall or the IP I want to connect to?

Once all this is done, when I use the VPN client to connect, what IP will I use, "196.34.84.1" or "196.34.84.12" as you specified? I stand under correction, but I think that we only use one outside IP and that is "196.34.84.1".

Also, once I have entered the host or IP to connect to, what username will I use? I take it that where you specified [share key] I replace that with the password I will be using.

THANKS AGAIN FOR YOUR HELP AND PATIENCE WITH ME
Author Comment by: hitechauto (ID: 13563222)
ANY NEWS YET GUYS?????????????

PLEASE HELP AS THIS IS URGENT
Expert Comment by: amiurchaudry (ID: 13564475)
(src network) is your internal LAN behind the firewall.
(dest network) is the IP address range you will assign to the VPN clients, probably a private net range.

The client will target your external IP address; in your config it is

ip address outside 196.34.84.13 255.255.255.240

The client will be configured with the vpngroup name and the shared key for the connection properties.

After that, authentication will be per user on your network from your authentication server;
I have insufficient experience with that aspect of it to guide you; we set it up as authentication through a RADIUS server (Novell BorderManager) in our NDS environment.




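Editor's note, added example (not any poster's configuration). The accepted answer leaves three dependencies unresolved that the later comments only partly fill in: the address pool and access-list 80 that the vpngroup commands reference, an authentication source for the XAUTH step ("crypto map ... client authentication RADIUS" needs an aaa-server host that the posted config does not have), and a NAT exemption so that traffic from 192.168.0.0/24 to the client pool is not PATed by the posted "nat (inside) 1" rule. The PIX 6.3 block below merges the thread's commands with those pieces. Everything not taken from the thread is an assumption: vpngroup name hitech, pool 192.168.10.1-192.168.10.254, crypto map name vpnmap, domain hitech.local, a local XAUTH user remoteuser, placeholder secrets, and the optional AES/SHA/DH-group-5 policy, which needs the 3DES-AES activation key on the 501 and a client release that supports AES. XAUTH uses the PIX's own username database (aaa-server LOCAL is already in the posted config); if a RADIUS server exists, add "aaa-server RADIUS (inside) host ..." and use "client authentication RADIUS" instead. The stray "vpngroup address-pool idle-time 1800" line from the answer is omitted: on this platform it only creates a second group literally named address-pool. Lines beginning with a colon are comments. Two caveats a practitioner should keep in mind: "sysopt connection permit-ipsec" lets decrypted VPN traffic bypass the OUT_IN access-list, so keep access-list 80 as narrow as the job allows; and the group password is an IKE aggressive-mode pre-shared key, so anyone who knows the group name and can capture the exchange can attack it offline, which is why the per-user XAUTH credential and a long random group key both matter.

```cisco
: Added example for PIX 6.3(3) on a PIX 501; assumed names are marked in the comments above.
:
: Addresses handed to VPN clients; must exist before "vpngroup ... address-pool" is accepted.
ip local pool vpnpool 192.168.10.1-192.168.10.254
:
: Inside LAN <-> client pool. Used twice: as the split-tunnel list pushed to the client
: and as the NAT exemption so these flows are not translated by "nat (inside) 1".
access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 80
:
: Admit decrypted IPsec traffic without an OUT_IN entry (bypasses the interface ACL).
sysopt connection permit-ipsec
no sysopt route dnat
:
: Phase 2. strong-des is the thread's 3DES/MD5 set; strong-aes is the assumed stronger option.
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec transform-set strong-aes esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-aes strong-des
crypto map vpnmap 20 ipsec-isakmp dynamic cisco
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
:
: Phase 1. Policy 5 (assumed AES/SHA/group 5) is tried first because the lower number wins;
: policy 8 is the thread's 3DES/MD5/group 2 fallback for older clients.
isakmp enable outside
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 50400
:
: Group the client is configured with. Group name + group password form the IKE pre-shared key.
vpngroup hitech address-pool vpnpool
vpngroup hitech default-domain hitech.local
vpngroup hitech split-tunnel 80
vpngroup hitech idle-time 1800
vpngroup hitech password CHANGE-ME-long-random-group-key
:
: Per-user XAUTH credential the client is prompted for after the group tunnel comes up.
username remoteuser password CHANGE-ME-user-password privilege 2
:
: Verification once a client has connected: pool lease, phase 1 SA, phase 2 SAs, XAUTH user.
show ip local pool vpnpool
show crypto isakmp sa
show crypto ipsec sa
show uauth
```

The client side is then configured with host 196.34.84.13 (the posted outside address), group name hitech and the group password, and the user is prompted for the remoteuser credential on connect. When a vpngroup command is rejected with "ip pool ... is not defined" or "access-list ... not found", as happened in this thread, the fix is always to enter the referenced object first; the order in the block above is the one the PIX accepts.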