Pete Long
asked on
Adding VPN to existing PIX config
PIX IOS v7.0, which I'm not used to, but here goes.
Existing PIX config (IP addresses changed to protect the innocent):
--------------------------
: Saved
: Written by enable_15 at 02:40:47.806 UTC Sat Feb 27 1993
!
PIX Version 7.0(4)
!
hostname xxxxxxxxxxx
domain-name xxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 194.194.194.194 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 100.100.100.250 255.255.0.0
!
passwd xxxxxxxxxxxxxxxxxxxxxxx
boot system flash:/pix704.bin
ftp mode passive
object-group service FTP tcp
description Ftp Ports
port-object eq ftp-data
port-object eq ftp
access-list vpnclient standard permit 100.100.0.0 255.255.0.0
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list sitetraffic extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list sitetraffic extended permit ip 192.168.100.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list split standard permit 100.100.0.0 255.255.0.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list outside-in1 extended permit icmp any any
access-list outside-in1 extended permit tcp host x.x.x.x host 193.193.193.193 eq smtp
access-list outside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit tcp any object-group FTP any
access-list vpn extended permit esp any any
access-list outside_mpc_in extended permit esp any any
access-list ftp extended permit tcp any eq ftp any
access-list ftp extended permit tcp any eq ftp-data any
access-list ftp extended permit tcp any any eq ftp-data
access-list ftp extended permit tcp any any eq ftp
access-list http extended permit tcp any eq www any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool poolname 192.168.100.1-192.168.100.200
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm-501.bin
asdm location 192.168.100.0 255.255.255.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 193.193.193.193 100.100.100.4 netmask 255.255.255.255
access-group outside-in1 in interface outside
route outside 0.0.0.0 0.0.0.0 194.194.194.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 100.100.100.254
timeout 5
key xxxxxx
aaa-server AuthIn protocol radius
aaa-server AuthIn host 100.100.100.254
timeout 30
key xxxxxx
group-policy pol1 internal
group-policy pol1 attributes
wins-server value 100.100.100.1 100.100.100.254
dns-server value 100.100.100.254
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient
default-domain value xxxxxx
username wnppix password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15
http server enable
http 100.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map localdynmap 200 set transform-set myset
crypto map localmap 10 match address sitetraffic
crypto map localmap 10 set peer 193.193.193.193
crypto map localmap 10 set transform-set myset
crypto map localmap 200 ipsec-isakmp dynamic localdynmap
crypto map localmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.192.192.192 type ipsec-l2l
tunnel-group 192.192.192.192 ipsec-attributes
pre-shared-key oy51orgr964oeh
tunnel-group pol1 type ipsec-ra
tunnel-group pol1 general-attributes
address-pool localpool
authentication-server-group (outside) RADIUS
default-group-policy pol1
tunnel-group pol1 ipsec-attributes
pre-shared-key access
tunnel-group fred type ipsec-ra
tunnel-group fred general-attributes
address-pool localpool
tunnel-group fred ipsec-attributes
pre-shared-key fred
tunnel-group 193.193.193.193 type ipsec-l2l
tunnel-group 193.193.193.193 ipsec-attributes
pre-shared-key xxxxxxx
telnet 100.100.0.0 255.255.0.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.128 outside
ssh x.x.x.x 255.255.255.128 outside
ssh timeout 5
console timeout 0
!
class-map http
match access-list http
class-map ftp
match access-list ftp
class-map vpn
match access-list vpn
class-map default-class
match default-inspection-traffic
!
!
policy-map qos
class http
priority
class vpn
police 1024000 256000
class ftp
police 512000 128000
class default-class
inspect sqlnet
inspect h323 ras
inspect xdmcp
inspect tftp
inspect icmp error
inspect rtsp
inspect sunrpc
inspect mgcp
inspect esmtp
inspect sip
inspect netbios
inspect pptp
inspect ctiqbe
inspect snmp
inspect icmp
inspect rsh
inspect ils
inspect h323 h225
inspect dns
inspect skinny
!
priority-queue outside
tx-ring-limit 128
Cryptochecksum:b0803a294e39bda33cb3425cf5707921
: end
--------------------------
OK, I need to add another site-to-site VPN from this PIX to another firewall (a Symantec SEF, but I can sort that end out).
This is what I would normally add at the PIX to connect to the other site:
access-list 101 permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 102 permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set USEME esp-3des esp-sha-hmac
crypto map work 10 ipsec-isakmp
crypto map work 10 match address 102
crypto map work 10 set pfs group2
crypto map work 10 set peer 190.190.190.190
crypto map work 10 set transform-set USEME
crypto map work interface outside
isakmp enable outside
isakmp key 12345678901234567890 address 190.190.190.190 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Questions:
1. The existing PIX already has a policy 10. Can I have a different policy (20) and use both?
2. My memory is hazy; I seem to remember you can only have one crypto map applied. Is this correct?
3. What commands need adding to the PIX to achieve the same as I would normally do?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your input, it's appreciated.
OK, I can have two sets of policy, but the second won't match the
crypto ipsec transform-set myset esp-3des esp-md5-hmac
Can I declare two?
i.e.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set USEME esp-3des esp-sha-hmac
I seem to remember you can declare up to three transform sets in a command, but can you have more than one command?
SOLUTION
ASKER
Brilliant :)
The only new problem I can now see is that Symantec requires the following:
crypto map work 10 set pfs group2
As we can only have one crypto map applied, will adding that to the existing crypto map break the existing VPNs on the PIX?
And if so, I need to add the new peer. Can a crypto map have multiple peers?
This "crypto map localmap 10 set peer 193.193.193.193" already exists.
I need to add a new peer for the new VPN:
crypto map localmap 10 set peer 190.190.190.190
Is this feasible?
--------------------------
Also, I usually add
sysopt connection permit-ipsec
to allow VPN traffic back in without filtering. Is that command still valid, and if so, will it affect the existing VPNs?
ASKER
Right, multiple peers are OK apparently.
Quote: "crypto map mymap 10 set peer 192.168.1.100
The security association will be set up with the peer having an IP address of 192.168.1.100. Specify multiple peers by repeating this command."
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f66.html
So:
Can PFS be added?
And will the sysopt connection permit-ipsec command be OK?
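The questions in the original post (a second ISAKMP policy, a single applied crypto map, which commands to add) and in the follow-ups (a second transform set, PFS, a second peer, sysopt) all come down to how the pieces of the running config above are merged. The fragment below is an added example, not text from the poster or from the expert replies. It assumes the remote LAN behind the Symantec peer 190.190.190.190 is 10.1.0.0/16 (the values from the poster's own template), uses the local 100.100.0.0/16 LAN from the running config, and carries a placeholder pre-shared key; the ACL name `symantec-traffic` is invented for the example.

```cisco
! Added example (not from the original post): merging one more site-to-site
! tunnel into the running PIX 7.0(4) config above without disturbing what is
! already there. Assumed: remote LAN 10.1.0.0/16 behind peer 190.190.190.190
! (from the poster's template), local LAN 100.100.0.0/16 (from the running
! config), placeholder pre-shared key, invented ACL name symantec-traffic.

! 1. Define the protected traffic and exempt it from NAT. The PIX keeps a
!    single "nat (inside) 0 access-list" per interface, so the new network
!    is added to the existing nonatinside ACL instead of a second nat 0 line.
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list symantec-traffic extended permit ip 100.100.0.0 255.255.0.0 10.1.0.0 255.255.0.0

! 2. A second transform set. Any number of "crypto ipsec transform-set"
!    commands may coexist; a crypto map entry picks one by name.
crypto ipsec transform-set USEME esp-3des esp-sha-hmac

! 3. A new entry in the crypto map that is already bound to outside
!    ("localmap"). Only one crypto map can be applied per interface, so the
!    tunnel becomes sequence 20 between the existing static entry 10 and the
!    dynamic entry 200. Peer, match ACL and PFS are all per-entry settings,
!    so entry 10 and the remote-access clients on entry 200 are unaffected.
!    Adding 190.190.190.190 as a second peer on entry 10 would instead make
!    it a backup peer for the 193.193.193.193 traffic, which is not wanted.
crypto map localmap 20 match address symantec-traffic
crypto map localmap 20 set pfs group2
crypto map localmap 20 set peer 190.190.190.190
crypto map localmap 20 set transform-set USEME
! No further "crypto map localmap interface outside" is needed.

! 4. A second ISAKMP (phase 1) policy. Policies are tried in priority order,
!    so policy 20 (SHA) coexists with the existing policy 10 (MD5).
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! 5. In 7.x the peer's pre-shared key lives in a tunnel-group named after
!    the peer address; this replaces the 6.x "isakmp key ... address" form
!    used in the poster's template.
tunnel-group 190.190.190.190 type ipsec-l2l
tunnel-group 190.190.190.190 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY

! 6. Still valid on 7.0 and global to the box: decrypted VPN traffic bypasses
!    the interface ACL, for the existing tunnels as well as this one.
sysopt connection permit-ipsec
```

After pasting, `show isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 come up for 190.190.190.190 once traffic to 10.1.0.0/16 is generated. 3DES with MD5/SHA-1 matches what the Symantec side is said to require here; where the peer supports it, `esp-aes` and `isakmp policy ... encryption aes` are available on 7.0 as well.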
ASKER
Hi Keith, this issue is not closed, though there has been no response for a while. I will close it out.
Pete
Morning Pete.
Thanks
Regards
keith