kjorviss asked:
PIX 515e site to site and Cisco vpn client configuration.

Hi Guys

I have two PIX 515e's in a datacentre (active/failover configuration). I have to configure the units for two separate site-to-site VPNs and for the Cisco software client. The two sites also have PIXs: one is a 515 and one is a 525. The Cisco software client I have is 4.0.5 and 4.6 (any recommendations on which is the less problematic would be good).

I will need the Cisco clients to be able to authenticate against a Windows 2003 AD server, which will be through IAS. Here is the config I have pulled together for the VPN client (which is probably very wrong, but there you go):

access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0

ip local pool VPNpool 192.168.40.1-192.168.40.40

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.12.5 timeout 10

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set esp esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication AuthInbound
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup xxxxxxxx address-pool VPNpool
vpngroup xxxxxxxx dns-server 192.168.12.5
vpngroup xxxxxxxx wins-server 192.168.12.5
vpngroup xxxxxxxx default-domain xxxxxxxx.local
vpngroup xxxxxxxx split-tunnel 101
vpngroup xxxxxxxx idle-time 1800
vpngroup xxxxxxxx password ********

Am I on the right track??? From what I understand you can only have one crypto map per interface, so how would I configure the central PIX to add the two tunnels from the other two sites, and what config needs to be on them??

I have not done this before and am getting a bit confused....

Any help will be much appreciated.

Thanks

Kevin
kjorviss (asker):

Forgot to say... All the 515's are running 6.3.5 and the 525 is running 6.3.4
ASKER CERTIFIED SOLUTION
calvinetter
Hi calvinetter,

Thanks for the quick reply...

This client has had the 525 for a couple of years, and they have only ever had one site, but had travelling users using the Cisco Client, that PIX came with the 4.01 client!

Now I am moving them into a data centre and then the two remote sites. I have just purchased the three 515's and set the two up in the datacentre already, and am setting up the third 515 next week (hence the question). These 515's have come with a VPN client disk that has 4.0.5 and 4.6 on it. Where can I download 4.8?? I have looked through the Cisco site and every time I think I have found where to download it from, the site wants a CCO login, which I don't have! Is there a place on the Cisco site for upgrades within the 90 day support period?

So following the example in the URL, PIX1 would be my failover pair in the datacentre, and PIX2 and PIX3 would be my two remote sites. I have not come across the concept of split tunneling before, would you mind explaining that a bit? I configured a site to site VPN on their existing 525 to a Linksys BEFSX41 I have here for support and did not use split tunneling.

I had seen the Cisco article, but dismissed it (shows how much I know) as both the outside interfaces on the PIX's were on the same subnet and thought it did not apply to my situation!

I cannot try this until mid next week, but I will keep you informed...

Thanks

Kevin
>Where can I download 4.8?
http://www.cisco.com/cgi-bin/tablebuild.pl/windows    And yes, unfortunately you can only download it with a CCO account.  Didn't you purchase SmartNet for your PIXes?  If so, then you can get a CCO login after registering your PIXes.  I strongly urge you to purchase SmartNet for them - this is normally yearly support, which completely covers the PIX - hardware & software, allows you to download new PIX OS software, as well as the VPN client app, plus you get free phone tech support.

>I have not come across the concept of split tunneling before
Well, split tunneling allows your VPN client PC to access the VPN resources via the encrypted IPSec tunnel while simultaneously allowing the PC to access the Internet normally.  Because of this, split tunneling is less secure, since normal unencrypted Internet access is allowed while you're tunneling through the PIX to the critical internal subnets; if the PC is compromised, there's the potential for remote control from the Internet, allowing an intruder or malware app to have full access to whatever internal network resources you're allowing your VPN clients to reach.
With split tunneling disabled (the default), when the VPN client PC establishes a VPN tunnel to the PIX, the PC is cut off from accessing the Internet & vice versa, & from the local LAN as well, so that the only network resources it can access are those at the other end of the encrypted tunnel.
The decision to enable or disable split tunneling is up to you, your company security policy, & what you're willing to risk.

   The article in the URL can certainly be misleading regarding the IPs on the outside interfaces - I wish Cisco hadn't created their example that way.  Not to worry, the IPs on the outside interfaces don't matter - virtually 100% of the time they're on 2 totally different subnets.

cheers
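Kevin's posted configuration and calvinetter's explanation of split tunneling both come down to a few PIX 6.x lines (the split-tunnel ACL, the vpngroup that references it, and the nat 0 exemption), and it is easy to mis-read which networks a client will actually be told to tunnel and whether VPN traffic escapes translation. The Python script below is an added example for this page, not code from the thread, from Cisco or from Experts Exchange: it reads the relevant lines back out of a PIX 6.x configuration and reports, per vpngroup, whether split tunneling is on and which networks the client will route through the tunnel, and flags the two NAT mistakes that commonly break or weaken such a setup. It models only the access-list (plain "ip" entries), nat and vpngroup commands; the group name "remotegrp" stands in for the masked name in the question (an assumption), and the second sample configuration is constructed here to show the same group with split tunneling off and the NAT statements the usual way round.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not a working device config): the VPN-related lines from the
# question, with the asker's masked group name written as "remotegrp" (assumption).
POSTED_CONFIG = """
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool VPNpool 192.168.40.1-192.168.40.40
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 access-list 101
vpngroup remotegrp address-pool VPNpool
vpngroup remotegrp split-tunnel 101
vpngroup remotegrp idle-time 1800
"""

# Constructed counterpart: same group, split tunneling off (the default), VPN
# traffic exempted from NAT with nat 0 and everything else under nat 1.
HARDENED_CONFIG = """
access-list 101 permit ip 192.168.12.0 255.255.255.0 192.168.40.0 255.255.255.0
ip local pool VPNpool 192.168.40.1-192.168.40.40
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup remotegrp address-pool VPNpool
vpngroup remotegrp idle-time 1800
"""


def parse_addr(tokens, i):
    """Read one PIX address spec ('any', 'host A' or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks: 192.168.12.0/255.255.255.0 -> /24
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the access-list (ip only), nat and vpngroup lines of a PIX 6.x config."""
    acls = defaultdict(list)       # name -> [(action, src_net, dst_net)]
    nats = []                      # [(interface, nat_id, rest of line)]
    vpngroups = defaultdict(dict)  # group -> {attribute: value}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and len(tokens) > 4 and tokens[3] == "ip":
            src, i = parse_addr(tokens, 4)
            dst, _ = parse_addr(tokens, i)
            acls[tokens[1]].append((tokens[2], src, dst))
        elif tokens[0] == "nat":
            nats.append((tokens[1].strip("()"), int(tokens[2]), " ".join(tokens[3:])))
        elif tokens[0] == "vpngroup":
            vpngroups[tokens[1]][tokens[2]] = " ".join(tokens[3:])
    return acls, nats, vpngroups


def audit(text):
    """Return {'split_tunnel': {group: [networks] or None}, 'nat_issues': [str]}."""
    acls, nats, vpngroups = parse_config(text)
    report = {"split_tunnel": {}, "nat_issues": []}
    split_acls = set()
    for group, attrs in vpngroups.items():
        acl = attrs.get("split-tunnel")
        if acl is None:
            report["split_tunnel"][group] = None  # no split-tunnel: all traffic tunneled
            continue
        split_acls.add(acl)
        # The source side of each permit entry is the network the client is told to
        # reach through the tunnel; every other destination goes to the Internet in the clear.
        report["split_tunnel"][group] = sorted(
            {str(src) for action, src, _ in acls.get(acl, []) if action == "permit"})
    exempt_acls = {arg.split()[1] for _, nat_id, arg in nats
                   if nat_id == 0 and arg.startswith("access-list")}
    for iface, nat_id, arg in nats:
        if nat_id == 0 and not arg.startswith("access-list"):
            report["nat_issues"].append(
                f"nat ({iface}) 0 {arg}: disables translation for every {iface} host; "
                f"exempt only VPN traffic with 'nat ({iface}) 0 access-list <acl>'")
        elif nat_id > 0 and arg.startswith("access-list"):
            acl = arg.split()[1]
            if acl in split_acls and acl not in exempt_acls:
                report["nat_issues"].append(
                    f"nat ({iface}) {nat_id} {arg}: VPN traffic matched by ACL {acl} is "
                    f"selected for translation and is not exempted by a nat 0 access-list")
    return report


def print_report(label, report):
    print(f"== {label}")
    for group, nets in report["split_tunnel"].items():
        if nets is None:
            print(f"vpngroup {group}: split tunneling disabled, all client traffic tunneled")
        else:
            print(f"vpngroup {group}: split tunneling ENABLED, tunneled networks: "
                  + (", ".join(nets) or "none (ACL empty or missing)"))
    for issue in report["nat_issues"]:
        print(f"NAT: {issue}")


if __name__ == "__main__":
    print_report("posted config", audit(POSTED_CONFIG))
    print_report("hardened config", audit(HARDENED_CONFIG))
```

Run as a script it prints both reports. For the posted lines the tunneled networks come out as 192.168.12.0/24 and 192.168.40.0/24; the client pool itself appears because ACL 101 carries reverse entries, which the split-tunnel list does not need, and two NAT findings are raised because nat 0 is applied to every inside host while the VPN ACL sits under nat 1. The hardened sample produces no NAT findings and shows the group with all traffic forced into the tunnel, which is the behaviour calvinetter describes for the default.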