• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1869
  • Last Modified:

Adding VPN to existing PIX config

Pix IOS V 7.0 which im not used to but here goes

Existing PIX Config - ---- IP addresses changed to protect the innocent

---------------------------------------------------------------------------------------
: Saved
: Written by enable_15 at 02:40:47.806 UTC Sat Feb 27 1993
!
PIX Version 7.0(4)
!
hostname xxxxxxxxxxx
domain-name xxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.194.194.194 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 100.100.100.250 255.255.0.0
!
passwd xxxxxxxxxxxxxxxxxxxxxxx
boot system flash:/pix704.bin
ftp mode passive
object-group service FTP tcp
 description Ftp Ports
 port-object eq ftp-data
 port-object eq ftp
access-list vpnclient standard permit 100.100.0.0 255.255.0.0
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list sitetraffic extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list sitetraffic extended permit ip 192.168.100.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list split standard permit 100.100.0.0 255.255.0.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list outside-in1 extended permit icmp any any
access-list outside-in1 extended permit tcp host x.x.x.x host 193.193.193.193 eq smtp
access-list outside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit tcp any object-group FTP any
access-list vpn extended permit esp any any
access-list outside_mpc_in extended permit esp any any
access-list ftp extended permit tcp any eq ftp any
access-list ftp extended permit tcp any eq ftp-data any
access-list ftp extended permit tcp any any eq ftp-data
access-list ftp extended permit tcp any any eq ftp
access-list http extended permit tcp any eq www any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool poolname 192.168.100.1-192.168.100.200
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm-501.bin
asdm location 192.168.100.0 255.255.255.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 193.193.193.193 100.100.100.4 netmask 255.255.255.255
access-group outside-in1 in interface outside
route outside 0.0.0.0 0.0.0.0 194.194.194.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 100.100.100.254
 timeout 5
 key xxxxxx
aaa-server AuthIn protocol radius
aaa-server AuthIn host 100.100.100.254
 timeout 30
 key xxxxxx
group-policy pol1 internal
group-policy pol1 attributes
 wins-server value 100.100.100.1 100.100.100.254
 dns-server value 100.100.100.254
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient
 default-domain value xxxxxx
username wnppix password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15
http server enable
http 100.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map localdynmap 200 set transform-set myset
crypto map localmap 10 match address sitetraffic
crypto map localmap 10 set peer 193.193.193.193
crypto map localmap 10 set transform-set myset
crypto map localmap 200 ipsec-isakmp dynamic localdynmap
crypto map localmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.192.192.192 type ipsec-l2l
tunnel-group 192.192.192.192 ipsec-attributes
 pre-shared-key oy51orgr964oeh
tunnel-group pol1 type ipsec-ra
tunnel-group pol1 general-attributes
 address-pool localpool
 authentication-server-group (outside) RADIUS
 default-group-policy pol1
tunnel-group pol1 ipsec-attributes
 pre-shared-key access
tunnel-group fred type ipsec-ra
tunnel-group fred general-attributes
 address-pool localpool
tunnel-group fred ipsec-attributes
 pre-shared-key fred
tunnel-group 193.193.193.193 type ipsec-l2l
tunnel-group 193.193.193.193 ipsec-attributes
 pre-shared-key xxxxxxx
telnet 100.100.0.0 255.255.0.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.128 outside
ssh x.x.x.x 255.255.255.128 outside
ssh timeout 5
console timeout 0
!
class-map http
 match access-list http
class-map ftp
 match access-list ftp
class-map vpn
 match access-list vpn
class-map default-class
 match default-inspection-traffic
!
!
policy-map qos
 class http
  priority
 class vpn
  police 1024000 256000
 class ftp
  police 512000 128000
 class default-class
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect sip
  inspect netbios
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect icmp
  inspect rsh
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny
!
priority-queue outside
  tx-ring-limit 128
Cryptochecksum:b0803a294e39bda33cb3425cf5707921
: end
------------------------------------------------------------------------------------

OK I Need to add another Site to Site VPN from this PIX to another Firewall (A Symantec SEF but I can sort that end out)


This is what I would normally Add at the PIX to connect to the other site.

access-list 101 permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 102 permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set USEME esp-3des esp-sha-hmac
crypto map work 10 ipsec-isakmp
crypto map work 10 match address 102
crypto map work 10 set pfs group2
crypto map work 10 set peer 190.190.190.190
crypto map work 10 set transform-set USEME
crypto map work interface outside
isakmp enable outside
isakmp key 12345678901234567890 address 190.190.190.190 netmask 255.255.255.225
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Questions:

1. However the exiting PIX has a policy 10 (can I have a different policy (20) and use both)?
2. My memory is hazy - I seen to remember you can only have one cryptomap applied is this correct?
3. What command need adding to the PIX to acheive the same as I would normally do?



0
Pete Long
Asked:
Pete Long
  • 5
  • 2
2 Solutions
 
Pete LongConsultantAuthor Commented:
I notice the only difference on their policy is thay are using md5 and I usually use sha - I can use the same policy (and change the hashing to md5 on the other end if that simplifies things?)
0
 
calvinetterCommented:
 Hi Pete, like you I'm more a hand at PIX 6.x, but a couple of things that apply to both worlds:
>1. However the exiting PIX has a policy 10 (can I have a different policy (20) and use both)?
  Yes you can use both.  The PIX as always will try to match the lowest-priority policy (10 in this case), but as long as your 'policy 20' matches the same parameters as the new Symantec peer, it'll create a separate tunnel with it.
>2. My memory is hazy - I seen to remember you can only have one cryptomap applied is this correct?
  Correct, still applies to PIX 7.x, AFAIK.

I'll defer to lrmoore & others well-versed in 7.x for the actual implementation.
cheers
0
 
Pete LongConsultantAuthor Commented:
Thanks for you input - Its appreciated

OK I can have two sets of policy - but The second wont match the
crypto ipsec transform-set myset esp-3des esp-md5-hmac

can I declare 2

ie

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set USEME esp-3des esp-sha-hmac

I seem to remember you can declaire up to three transform sets in a command  - but can you have more than one command?
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
calvinetterCommented:
>I seem to remember you can declaire up to three transform sets in a command  - but can you have more than one command?
   What you're thinking of is being able to have up to 3 transforms...
>crypto ipsec transform-set myset esp-3des esp-md5-hmac
   ...the above is a single transform set, which has 2 transforms: " esp-3des" & "esp-md5-hmac".

Yes, you can have several transform sets defined, such as the pair in your above post.

cheers
0
 
Pete LongConsultantAuthor Commented:
Brilliant :)

The only new problems I can now see is Symatec requires the following

crypto map work 10 set pfs group2

As we can only have one crypto map applied will adding that to the existing cryptpmap break the existing VPNs on the Pix?

And if so I need to add the new Peer can a crytomap have multiple peers?

This "crypto map localmap 10 set peer 193.193.193.193"   Allready Exists
I need to add a new Peer for the new VPN
crypto map localmap 10 set peer 190.190.190.190

Is this feasable?

----------------------------------------------------------------------------------------------------------------------------------
Also I usually add

sysopt connection permit-ipsec

To allow VPN traffic back in without filtering  - is that command still valid, and if so will it effect the exiting VPNs?
0
 
Pete LongConsultantAuthor Commented:
right multiple peers are ok apparently

Quote----------"crypto map mymap 10 set peer 192.168.1.100
The security association will be set up with the peer having an IP address of 192.168.1.100. Specify multiple peers by repeating this command."
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f66.html

so

Can pfs be added?
and will the sysopt connection permit-ipsec command be ok?
0
 
Pete LongConsultantAuthor Commented:
Hi Keith - This issue is not closed though there has been no response for a while - I will close it out

Pete
0
 
Keith AlabasterCommented:
Morning Pete.

Thanks

Regards
keith
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now