Solved

PIX VPN changes

Posted on 2006-05-31
Last Modified: 2013-11-16
I have a client who has two sites; both sites have a PIX, and a VPN runs between them.
I need to add a VPN to one of the sites. Here's the config (as usual, names changed to protect the innocent):

---------------------------------------------------------------------------------------
: Saved
: Written by enable_15 at 02:40:47.806 UTC Sat Feb 27 1993
!
PIX Version 7.0(4)
!
hostname xxxxxxxxxxx
domain-name xxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxxxxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 194.194.194.194 255.255.255.248
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 100.100.100.250 255.255.0.0
!
passwd xxxxxxxxxxxxxxxxxxxxxxx
boot system flash:/pix704.bin
ftp mode passive
object-group service FTP tcp
 description Ftp Ports
 port-object eq ftp-data
 port-object eq ftp
access-list vpnclient standard permit 100.100.0.0 255.255.0.0
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nonatinside extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list sitetraffic extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list sitetraffic extended permit ip 192.168.100.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list split standard permit 100.100.0.0 255.255.0.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list outside-in1 extended permit icmp any any
access-list outside-in1 extended permit tcp host x.x.x.x host 193.193.193.193 eq smtp
access-list outside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit tcp any object-group FTP any
access-list vpn extended permit esp any any
access-list outside_mpc_in extended permit esp any any
access-list ftp extended permit tcp any eq ftp any
access-list ftp extended permit tcp any eq ftp-data any
access-list ftp extended permit tcp any any eq ftp-data
access-list ftp extended permit tcp any any eq ftp
access-list http extended permit tcp any eq www any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool poolname 192.168.100.1-192.168.100.200
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm-501.bin
asdm location 192.168.100.0 255.255.255.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 193.193.193.193 100.100.100.4 netmask 255.255.255.255
access-group outside-in1 in interface outside
route outside 0.0.0.0 0.0.0.0 194.194.194.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host 100.100.100.254
 timeout 5
 key xxxxxx
aaa-server AuthIn protocol radius
aaa-server AuthIn host 100.100.100.254
 timeout 30
 key xxxxxx
group-policy pol1 internal
group-policy pol1 attributes
 wins-server value 100.100.100.1 100.100.100.254
 dns-server value 100.100.100.254
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient
 default-domain value xxxxxx
username wnppix password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15
http server enable
http 100.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map localdynmap 200 set transform-set myset
crypto map localmap 10 match address sitetraffic
crypto map localmap 10 set peer 193.193.193.193
crypto map localmap 10 set transform-set myset
crypto map localmap 200 ipsec-isakmp dynamic localdynmap
crypto map localmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.192.192.192 type ipsec-l2l
tunnel-group 192.192.192.192 ipsec-attributes
 pre-shared-key oy51orgr964oeh
tunnel-group pol1 type ipsec-ra
tunnel-group pol1 general-attributes
 address-pool localpool
 authentication-server-group (outside) RADIUS
 default-group-policy pol1
tunnel-group pol1 ipsec-attributes
 pre-shared-key access
tunnel-group fred type ipsec-ra
tunnel-group fred general-attributes
 address-pool localpool
tunnel-group fred ipsec-attributes
 pre-shared-key fred
tunnel-group 193.193.193.193 type ipsec-l2l
tunnel-group 193.193.193.193 ipsec-attributes
 pre-shared-key xxxxxxx
telnet 100.100.0.0 255.255.0.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.128 outside
ssh x.x.x.x 255.255.255.128 outside
ssh timeout 5
console timeout 0
!
class-map http
 match access-list http
class-map ftp
 match access-list ftp
class-map vpn
 match access-list vpn
class-map default-class
 match default-inspection-traffic
!
!
policy-map qos
 class http
  priority
 class vpn
  police 1024000 256000
 class ftp
  police 512000 128000
 class default-class
  inspect sqlnet
  inspect h323 ras
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect esmtp
  inspect sip
  inspect netbios
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect icmp
  inspect rsh
  inspect ils
  inspect h323 h225
  inspect dns
  inspect skinny
!
priority-queue outside
  tx-ring-limit 128
Cryptochecksum:b0803a294e39bda33cb3425cf5707921
: end
------------------------------------------------------------------------------------

OK - now the questions:

1. I usually add

sysopt connection permit-ipsec

Will this break the existing VPNs?

2. I also need to add (the other end of the VPN requires this)

crypto map work 10 set pfs group2

Will this break the existing VPNs?
Question by: Pete Long

Expert Comment by Keith Alabaster (ID: 16797174)
What's going on, Pete? You normally answer the questions, not ask them!

Author Comment by Pete Long (ID: 16797211)
:) ah yeah, but

all my PIX experience is on v6 - and I'm getting rusty these days - my firm only puts in Symantec firewalls and gateways (despite my protestations)

Pete

Expert Comment by lrmoore (ID: 16797693)
Hey, Pete!
>sysopt connection permit-ipsec
>will this break the existing VPNs?
Sysopt not required in V7

>crypto map work 10 set pfs group2
>will this break the existing VPN's
Absolutely!

You need to create a crypto map work 20 for the 2nd L2L
My advice - use the VPN Wizard in the ASDM GUI

>tunnel-group 192.192.192.192 type ipsec-l2l
Else add (given this extra L2L tunnel-group already set up):

access-list site_2_traffic permit ip 192.168.100.0 255.255.255.0 <site2 subnet> <mask>
crypto map localmap 20 match address site_2_traffic
crypto map localmap 20 set peer 192.192.192.192
crypto map localmap 20 set transform-set myset
crypto map localmap 20 set pfs group2
crypto map localmap interface outside

! Done

Author Comment by Pete Long (ID: 16797770)
>>Syopt not required in V7

Cool thanks :)

As for point 2 - see my earlier Q for some background: http://www.experts-exchange.com/Security/Firewalls/Q_21837640.html

Basically I want to get a site-to-site to this client from my firm's SEF (I can do the SEF config).


Expert Comment by lrmoore (ID: 16798156)
Looks like you have everything you need... just set up another set "20" for the crypto map for the L2L to you. Your SEF is the peer, your LAN = site2 subnet.
Let me know if you have any problems with it.

Author Comment by Pete Long (ID: 16798586)
OK, how does this look?

access-list coniston permit ip 100.100.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list coniston
crypto ipsec transform-set coniston esp-3des esp-sha-hmac
crypto map localmap 20 match address coniston
crypto map localmap 20 set peer 217.X.X.X
crypto map localmap 20 set transform-set coniston
crypto map localmap 20 set pfs group2
crypto map localmap interface outside
isakmp enable outside
isakmp key 12345678901234567890 address 217.X.X.X netmask 255.255.255.225
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

What's this?

>>>tunnel-group 192.192.192.192 type ipsec-l2l

That's a new one on me - do I still need to add that as well?

Accepted Solution by lrmoore, who earned 2000 total points (ID: 16799873)
V7 is a whole new animal (and it bites!)

NO (OLD):
>isakmp key 12345678901234567890 address 217.X.X.X netmask 255.255.255.225

YES (NEW):
tunnel-group 217.X.X.X type ipsec-l2l
tunnel-group 217.X.X.X ipsec-attributes
 pre-shared-key xxxxxxx


The rest of it looks good...

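The accepted answer's point (a PIX 7 site-to-site peer is defined with tunnel-group, not a 6.x isakmp key line) and lrmoore's earlier recipe for a second crypto map entry can both be checked mechanically before the change goes onto the box. The Python review script below is an added example, not code from the thread or from Cisco: it parses a constructed config fragment in the shape of the thread's snippets (203.0.113.10 is a documentation address standing in for the redacted peer) and reports every crypto map entry whose peer lacks a matching tunnel-group or pre-shared key, whose match ACL is undefined, or that still relies on an isakmp key line.

```python
import re

# Constructed sample in the shape of the thread's PIX 7 snippets: peer 193.193.193.193
# is set up correctly, the new map 20 peer still uses 6.x "isakmp key" and has no tunnel-group.
SAMPLE_CONFIG = """\
access-list sitetraffic extended permit ip 100.100.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list coniston extended permit ip 100.100.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map localmap 10 match address sitetraffic
crypto map localmap 10 set peer 193.193.193.193
crypto map localmap 20 match address coniston
crypto map localmap 20 set peer 203.0.113.10
crypto map localmap 20 set pfs group2
isakmp key 12345678901234567890 address 203.0.113.10 netmask 255.255.255.255
tunnel-group 193.193.193.193 type ipsec-l2l
tunnel-group 193.193.193.193 ipsec-attributes
 pre-shared-key xxxxxxx
"""

def lint_l2l(config):
    """Return review findings for the site-to-site crypto map entries of a PIX 7 config."""
    lines = [l.rstrip() for l in config.splitlines()]
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    l2l = {m.group(1) for l in lines if (m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", l))}
    psk, current = set(), None  # peers whose ipsec-attributes sub-mode carries a key
    for l in lines:
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", l)
        if m:
            current = m.group(1)
        elif l.startswith(" pre-shared-key ") and current:
            psk.add(current)
        elif not l.startswith(" "):
            current = None  # left the sub-mode
    entries = {}  # (map name, sequence) -> {setting: value}
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer|set pfs) (\S+)$", l)
        if m:
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
    findings = []
    for (name, seq), e in entries.items():
        where = f"crypto map {name} {seq}"
        if e.get("match address") not in acls:
            findings.append(f"{where}: match address ACL missing or undefined")
        peer = e.get("set peer", "<none>")
        if peer not in l2l:
            findings.append(f"{where}: peer {peer} needs 'tunnel-group {peer} type ipsec-l2l'")
        elif peer not in psk:
            findings.append(f"{where}: peer {peer} has no pre-shared-key under ipsec-attributes")
    findings += [f"6.x syntax, replace with tunnel-group: {l}" for l in lines if l.startswith("isakmp key ")]
    return findings
```

Running lint_l2l(SAMPLE_CONFIG) flags map 20's peer and the isakmp key line; once the peer is given its tunnel-group and ipsec-attributes key, the list comes back empty.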
 
LVL 57

Author Comment

by:Pete Long
ID: 16802035
>>V7 is a whole new animal (and it bites!)

bah, typical LOL

ThanQ M8. I'm guessing, looking at the way you have typed that, that the first command will change the prompt and it will then accept the second command (like an object-group command - if they still exist <grin>)

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16804363
Yep....

Author Comment by Pete Long (ID: 16805337)
Great - it may be a while before I can test it at the client's site - but I will close this down.

Many Thanks

Pete