

PIX515E VPN Setup

I want to set up a VPN to my internal network using a PIX515E and I need some clarification on some things.  I should also mention that I have a 2821 router with the advanced security feature set which has VPN capabilities, just in case there is a better solution that would utilize both it and the PIX together.  Currently I am just going with the PIX.  Below is my running configuration for the PIX.  Because this is my first VPN I thought I would use the wizard.  The first question it asked was what VPN tunnel interface to use.  I'm guessing this should be the outside interface.  The next question was whether to use a pre-shared key or certificate.  I'm guessing pre-shared, but what do I put for a key?  Just whatever I want?  Next was how I wanted to authenticate users.  Since it will mostly be me in the beginning I think I will just use the local database.  If I want to have more users I will use AAA using a RADIUS server, right?  Next is the address pool.  Here are my biggest questions. I have:

global (outside) 1 x6x.xxx.xxx.41-x6x.xxx.xxx.239 netmask 255.255.255.0
global (outside) 1 x6x.xxx.xxx.240
global (dmz) 1 interface
nat (inside) 1 172.27.0.0 255.255.254.0
nat (dmz) 1 10.10.10.0 255.255.255.0

I know I have to create a pool for VPN, but what do I use?  Do I use my outside range of x6x.xxx.xxx.xxx?  For instance, if I use .241 through .250 will I only have 10 addresses available for users, or is there a way to PAT like it did with .240?  I just wanted to know my options for the pool.  After that it asked about encryption.  Should I just leave this at 3DES and SHA and the DH group of 2?  Next is address translation; I think I will leave it set to the defaults to access all servers, but do I need to check split tunneling?  Thanks a ton!!!  Also, if you spot anything wrong with my conf let me know what I could do to make it better.

asdm image flash:/asdm-512.bin
asdm location 172.27.0.17 255.255.255.255 inside
asdm location 172.27.1.17 255.255.255.255 inside
asdm location 172.27.0.25 255.255.255.255 inside
asdm location 172.27.0.9 255.255.255.255 dmz
asdm group dmz_http_real dmz
asdm group dmz_https_real dmz
asdm group dmz_8901_real dmz
asdm group dmz_ssh_real dmz
asdm group dmz_http outside reference dmz_http_real
asdm group dmz_https outside reference dmz_https_real
asdm group dmz_8901 outside reference dmz_8901_real
asdm group dmz_3389 outside reference dmz_https_real
asdm group dmz_ssh outside reference dmz_ssh_real
asdm history enable
: Saved
:
PIX Version 7.1(2)
!
hostname xyz
domain-name xyz.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0
 speed 100
 nameif inside
 security-level 100
 ip address 172.27.1.254 255.255.254.0
!
interface Ethernet1
 speed 100
 nameif outside
 security-level 0
 ip address x6x.xxx.xxx.252 255.255.255.0
!
interface Ethernet2
 speed 100
 nameif dmz
 security-level 40
 ip address 10.10.10.254 255.255.255.0
!
passwd xxxxxxxxxxxx encrypted
boot system flash:/pix712.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 172.27.0.1
 name-server 172.27.0.3
 name-server xxx.xxx.xx.1
 name-server xxx.xxx.xx.2
 domain-name xyz.com
object-group network dmzhosts
 network-object host x6x.xxx.xxx.5
 network-object host x6x.xxx.xxx.9
 network-object host x6x.xxx.xxx.15
 network-object host x6x.xxx.xxx.17
 network-object host x6x.xxx.xxx.16
object-group service tcphighrisk tcp
 port-object eq 135
 port-object eq 137
 port-object eq 138
 port-object eq netbios-ssn
 port-object eq 445
 port-object eq sqlnet
 port-object eq 1214
 port-object eq 3408
 port-object eq 3531
object-group service udphighrisk udp
 port-object eq bootps
 port-object eq bootpc
 port-object eq tftp
 port-object eq 135
 port-object eq netbios-ns
 port-object eq netbios-dgm
 port-object eq 139
 port-object eq 445
 port-object eq snmp
 port-object eq 462
object-group network dmz_http
 network-object host x6x.xxx.xxx.5
 network-object host x6x.xxx.xxx.9
 network-object host x6x.xxx.xxx.15
 network-object host x6x.xxx.xxx.17
 network-object host x6x.xxx.xxx.16
object-group network dmz_https
 network-object host x6x.xxx.xxx.5
 network-object host x6x.xxx.xxx.9
object-group network dmz_8901
 network-object host x6x.xxx.xxx.9
object-group network dmz_3389
 network-object host x6x.xxx.xxx.5
 network-object host x6x.xxx.xxx.9
object-group network dmz_ssh
 network-object host x6x.xxx.xxx.15
 network-object host x6x.xxx.xxx.17
 network-object host x6x.xxx.xxx.16
object-group network dmz_http_real
 network-object 10.10.10.5 255.255.255.255
 network-object 10.10.10.9 255.255.255.255
 network-object 10.10.10.15 255.255.255.255
 network-object 10.10.10.17 255.255.255.255
 network-object 10.10.10.16 255.255.255.255
object-group network dmz_https_real
 network-object 10.10.10.5 255.255.255.255
 network-object 10.10.10.9 255.255.255.255
object-group network dmz_8901_real
 network-object 10.10.10.9 255.255.255.255
object-group network dmz_ssh_real
 network-object 10.10.10.15 255.255.255.255
 network-object 10.10.10.17 255.255.255.255
 network-object 10.10.10.16 255.255.255.255
access-list dmz_in extended permit tcp any object-group dmz_http eq www
access-list dmz_in extended permit tcp any object-group dmz_https eq https
access-list dmz_in extended permit tcp any object-group dmz_8901 eq 8901
access-list dmz_in extended permit tcp any object-group dmz_3389 eq 3389
access-list dmz_in extended permit tcp any object-group dmz_ssh eq ssh
access-list dmz_in extended permit tcp any host x6x.xxx.xxx.16 eq ftp  
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
asdm image flash:/asdm-512.bin
asdm history enable
arp timeout 14400
global (outside) 1 x6x.xxx.xxx.41-x6x.xxx.xxx.239 netmask 255.255.255.0
global (outside) 1 x6x.xxx.xxx.240
global (dmz) 1 interface
nat (inside) 1 172.27.0.0 255.255.254.0
nat (dmz) 1 10.10.10.0 255.255.255.0
static (dmz,outside) x6x.xxx.xxx.15 10.10.10.15 netmask 255.255.255.255
static (inside,outside) x6x.xxx.xxx.1 172.27.0.1 netmask 255.255.255.255
static (inside,outside) x6x.xxx.xxx.3 172.27.0.3 netmask 255.255.255.255
static (inside,outside) x6x.xxx.xxx.7 172.27.0.7 netmask 255.255.255.255
static (inside,outside) x6x.xxx.xxx.11 172.27.0.11 netmask 255.255.255.255
static (dmz,outside) x6x.xxx.xxx.17 10.10.10.17 netmask 255.255.255.255
static (dmz,outside) x6x.xxx.xxx.5 10.10.10.5 netmask 255.255.255.255
static (dmz,outside) x6x.xxx.xxx.9 10.10.10.9 netmask 255.255.255.255  
static (dmz,outside) x6x.xxx.xxx.16 10.10.10.16 netmask 255.255.255.255  
access-group dmz_in in interface outside
route outside 0.0.0.0 0.0.0.0 x6x.xxx.xxx.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.27.0.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet timeout 5
ssh 172.27.0.0 255.255.254.0 inside
ssh timeout 5
console timeout 0
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Asked by: rpsne

2 Solutions
 
Rick Hobbs (RETIRED) commented:
It is really easy using the PDM.

The first question it asked was what VPN tunnel interface to use.  I’m guessing this should be the outside interface. CORRECT
The next question was whether to use a pre-shared key or certificate.  I’m guessing pre-shared but what do I put for a key?  Just whatever I want? CORRECT - use letters, numbers and characters (123... abc... #$%...)
Next was how I wanted to authenticate users.  Since it will mostly be me in the beginning I think I will just use the local database.  If I want to have more users I will use AAA using a Radius server right? CORRECT (or SecurID or similar)

Next is the address pool.  Here are my biggest questions. I have:

global (outside) 1 x6x.xxx.xxx.41-x6x.xxx.xxx.239 netmask 255.255.255.0
global (outside) 1 x6x.xxx.xxx.240
global (dmz) 1 interface
nat (inside) 1 172.27.0.0 255.255.254.0
nat (dmz) 1 10.10.10.0 255.255.255.0

I know I have to create a pool for VPN but what do I use.  Do I use my outside range of x6x.xxx.xxx.xxx.  For instance if I use .241 thru .250 will I only have 10 addresses available for users or is there a way to PAT like it did with .240? They automatically share the pool.  Number of users only limited by license. I have used 5 addresses for a fairly large number of users with no problem.

After that it asked about encryption.  Should I just leave this at 3DES and SHA and the DH group of 2? CORRECT - 3DES is high level encryption.

Next is address translation, I think I will leave it set to the defaults to access all servers but do I need to check split tunneling? NO - Split tunneling is not required.

Also if you spot anything wrong with my conf let me know what I could do to make it better. Looks good to me, but I have only been working on Cisco products and Pix firewalls like FOREVER!

Have fun.  I don't know what your change management procedures are, but:
1. try to make changes during times of low usage
2. make a backup of the current config to fall back to.

rpsne (Author) commented:
When I completed the VPN Setup all were listed as OK except this one:

[INFO] nat (inside) 0 access-list inside_nat0_outbound
       Outside address overlap with static NAT configuration

Is this going to be a problem?

plemieux72 commented:
For your VPN clients pool, use an unused subnet you have available that is not used anywhere else in your enterprise.  Use a private RFC 1918 network unless you own another public range you want to use.  Again, the network you choose must NOT overlap with any existing ones.  The PIX automatically knows to route between this pool and your internal network.

Use split tunneling if you also need access to the Internet while being connected to the internal network.

plemieux72 commented:
While I was typing my above post, you posted about encountering exactly what I was expecting to happen...

Just change your pool and update the nat0 access list with the new pool and you'll be fine.

rpsne (Author) commented:
Ok, I think I know what you're saying but I don't know exactly how to go about it.  When you say use an unused subnet, would that mean use, say, 172.27.2.0/23 or 172.27.4.0/23 since my current is 172.27.0.1-172.27.1.254, or do you mean I should create a whole new one such as 192.168.1.0/24?  If this is right, then I would change my pool to the whole new range 172.27.2.1-172.27.3.254 or 192.168.1.1-192.168.1.254, or would I use maybe just 10 addresses out of one of those ranges?  And how would I update my nat0 access list?  Could you give an example of what it might look like in my config.  Thanks!!!

plemieux72 commented:
If 172.27.2.0/23 or 172.27.4.0/23 are not used anywhere else in your enterprise, then yes, you can use those.  However, they each contain 1022 hosts; that's a lot of VPN clients...  So, you can reserve them for that but only assign a range of 10 out of those in your ip pool.  For example:

ip local pool VPN_POOL 172.27.2.1-172.27.2.10

If you choose a smaller subnet, use something like 192.168.32.0/27 which would give you 30 hosts (192.168.32.33-192.168.32.62) for example.  Avoid 192.168.1.x since that's used in most homes and may conflict with the pool.

Finally, the nat 0 ACL is to prevent NATting the VPN clients' traffic since it's internal.  This is why it's important to change it...

So, here is the command:
no access-list inside_nat0_outbound
access-list inside_nat0_outbound permit ip 172.27.0.0 255.255.254.0 192.168.32.0 255.255.255.224

This will prevent NAT on traffic between the two listed subnets.
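The pool, the nat 0 exemption and the wizard choices discussed across the thread (outside interface, pre-shared key, local users now and RADIUS later, 3DES/SHA/DH group 2, split tunneling), assembled into one PIX 7.1 remote-access IPsec configuration. This is an added example, not the wizard's output and not anything posted in the thread. The 192.168.32.0/27 pool and the inside_nat0_outbound ACL are the ones plemieux72 gave above; the names RA_VPN, VPN_POOL, SPLIT_TUNNEL, DYN_MAP, OUTSIDE_MAP and vpnadmin, the RADIUS server address and the placeholder secrets are assumptions to be replaced with whatever the wizard generated.

```cisco
! Added example for PIX 7.1(2): remote-access IPsec with the thread's pool.
! RA_VPN, VPN_POOL, SPLIT_TUNNEL, DYN_MAP, OUTSIDE_MAP, vpnadmin and the
! <placeholder> secrets are assumed names, not taken from the original post.

! 1. Client address pool: a range used nowhere else (not the outside range,
!    not 172.27.0.0/23 on inside, not 10.10.10.0/24 on dmz).
ip local pool VPN_POOL 192.168.32.33-192.168.32.62 mask 255.255.255.224

! 2. NAT exemption: inside <-> pool traffic must bypass "nat (inside) 1",
!    otherwise replies to VPN clients are PATed to the .240 global.
access-list inside_nat0_outbound extended permit ip 172.27.0.0 255.255.254.0 192.168.32.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound

! 3. Split tunnel (optional): only 172.27.0.0/23 enters the tunnel, the
!    client's Internet traffic leaves its own uplink. Drop step 3 and the
!    two split-tunnel lines in step 5 for a full tunnel.
access-list SPLIT_TUNNEL standard permit 172.27.0.0 255.255.254.0

! 4. Phase 1 (ISAKMP) and Phase 2 (IPsec): the wizard's 3DES / SHA / group 2.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! 5. Group policy and tunnel group (the objects the wizard creates).
group-policy RA_VPN internal
group-policy RA_VPN attributes
 vpn-tunnel-protocol IPSec
 dns-server value 172.27.0.1 172.27.0.3
 default-domain value xyz.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group RA_VPN type ipsec-ra
tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key <long-random-group-key>

! 6. Local user for Xauth while it is "mostly me".
username vpnadmin password <strong-password>
username vpnadmin attributes
 vpn-group-policy RA_VPN

! 7. Later, to authenticate users against RADIUS instead of the local
!    database (172.27.0.20 is an assumed server address):
!      aaa-server RADIUS protocol radius
!      aaa-server RADIUS (inside) host 172.27.0.20 key <radius-secret>
!      tunnel-group RA_VPN general-attributes
!       authentication-server-group RADIUS
```

Two points worth checking against this config. The nat 0 line is required even though nat-control is not enabled here: nat (inside) 1 covers all of 172.27.0.0/23, so without the exemption the replies to VPN clients would be PATed to x6x.xxx.xxx.240, and drawing the pool from the outside range instead is exactly the "address overlap with static NAT" the wizard reported. Split tunneling is the one setting the two answers differ on: without it, a connected client reaches the Internet only by hairpinning back out the outside interface (same-security-traffic permit intra-interface plus a NAT rule for the pool), which is why it is suggested when clients also need Internet access, at the cost of the client bridging its local network and the tunnel. Finally, the group pre-shared key is held by every client, so make it long and random and treat the per-user Xauth credentials (local now, RADIUS later) as the real user authentication.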

Rick Hobbs (RETIRED) commented:
Good catch.  I totally missed on the vpn pool address.  I guess that is what happens when you spend all day looking at configs.