Add VLAN to PIX515E

Posted on 2006-06-04
632 Views
Last Modified: 2010-04-08
Here is my existing PIX config:

global (outside) 1 x6x.xxx.xxx.41-x6x.xxx.xxx.239 netmask 255.255.255.0
global (outside) 1 x6x.xxx.xxx.240
global (dmz) 1 interface
nat (inside) 1 172.27.0.0 255.255.254.0
nat (dmz) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x6x.xxx.xxx.254 1

The PIX has 3 interfaces (Outside, DMZ, Inside) and is running 7.1(2).

Ok, what I am wanting to do is create VLANs on my inside interface.  Currently all clients use the range 172.27.0.1-172.27.1.254.  I want to make this vlan1 and have vlan2 172.27.2.1-172.27.3.254 and vlan3 172.27.4.1-172.27.5.254 and so on.  Does the statement nat (inside) 1 172.27.0.0 255.255.254.0 take care of this, or do I have to put in the start for each vlan such as nat (inside) 1 172.27.2.0 255.255.254.0 and nat (inside) 1 172.27.4.0 255.255.254.0?  Once this is taken care of, I will have to configure the inside interface with sub-interfaces for each vlan, right?  My goal is to have my MS 2003 DHCP server hand out addresses to each subnet, but I don't know if the pix will forward the requests or if I will have to configure something on the router also.  I hope this makes sense.  One last question that is kind of related to this is I want to configure a VPN pool to use.  Do I need to use a completely different private address scheme such as 192.168, or can I use an unused 172.27.6.0?  How would I go about creating that?  Any examples as to what I would type for both of these questions would be a huge help.  Thanks a ton.

Question by:rpsne
11 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16827081
Whenever you create logical vlans you will create virtual interfaces and apply nat to them, i.e.
interface ethernet 1 vlan2 logical
interface ethernet 1 vlan3 logical
interface ethernet 1 vlan4 logical
nameif vlan2 intf2 security 40
nameif vlan3 intf3 security 50
nameif vlan4 intf4 security 60
ip address vlan2 172.27.2.1 255.255.254.0
ip address vlan3 172.27.4.1 255.255.254.0
nat (vlan2) 1 172.27.2.0 255.255.254.0
nat (vlan3) 1 172.27.4.0 255.255.254.0
<etc>

-- yes, always create pools for VPN users in a different IP subnet that is not being used anywhere else on the network
ip local pool MYPOOL 192.168.169.1-192.168.169.254

You have to enable DHCP proxy on the PIX and point to the Windows DHCP server
Else you can enable DHCP on the PIX itself to handle some or all of the vlans.
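An added check for the two points answered above (whether the existing nat (inside) 1 statement spans the planned VLAN subnets, and whether a candidate VPN pool collides with anything the firewall already uses); this is example code, not from the thread or from Cisco. It assumes the nat lines quoted in the thread, and treats vlan4 as 172.27.6.0/23 following the asker's "and so on" pattern.

```python
# Added example, not code from the thread: checks whether the existing
# "nat (inside) 1" statement spans the planned VLAN subnets, and whether a
# candidate VPN pool overlaps any network the PIX NAT config already names.
import ipaddress
import re

# Constructed from the NAT lines posted in the thread.
PIX_CONFIG = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.27.0.0 255.255.254.0
nat (dmz) 1 10.10.10.0 255.255.255.0
""".strip().splitlines()

# Planned VLAN subnets from the question; vlan4 = 172.27.6.0/23 is assumed from "and so on".
PLANNED_VLANS = [ipaddress.ip_network(n) for n in
                 ("172.27.0.0/23", "172.27.2.0/23", "172.27.4.0/23", "172.27.6.0/23")]

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)$")   # nat (interface) id real-net mask


def parse_nat(lines):
    """Map interface -> dynamic NAT networks. 'nat (x) 0 access-list ...' is NAT
    exemption (no mask at all), so it is skipped rather than counted as coverage."""
    nat = {}
    for line in map(str.strip, lines):
        m = NAT_RE.match(line)
        if m and m.group(2) != "0":
            # PIX writes "address mask"; ip_network accepts that form directly.
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nat.setdefault(m.group(1), []).append(net)
    return nat

def uncovered_vlans(lines, planned, interface="inside"):
    """Planned subnets not spanned by the dynamic NAT on 'interface' (172.27.0.0/23 ends at 172.27.1.255)."""
    covered = parse_nat(lines).get(interface, [])
    return [str(v) for v in planned if not any(v.subnet_of(c) for c in covered)]

def pool_conflicts(lines, planned, pool_start, pool_end):
    """Configured or planned networks overlapping the candidate VPN pool range; an
    empty list means the pool is unused as far as the firewall config can tell."""
    known = {n for nets in parse_nat(lines).values() for n in nets} | set(planned)
    pool = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)))
    return sorted(str(n) for n in known if any(n.overlaps(p) for p in pool))

if __name__ == "__main__":
    print("VLANs without NAT coverage:", uncovered_vlans(PIX_CONFIG, PLANNED_VLANS))
    for start, end in (("172.27.6.1", "172.27.7.254"), ("192.168.169.1", "192.168.169.254")):
        print(f"pool {start}-{end} overlaps:", pool_conflicts(PIX_CONFIG, PLANNED_VLANS, start, end))
```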
 

Author Comment

by:rpsne
ID: 16828657
So if I use 192.168.169.1-192.168.169.254 for my pool, will the pix automatically know how to route it to my inside address range?
 
LVL 13

Expert Comment

by:prashsax
ID: 16828667
Ok, here is a link to a document on Cisco. It explains how you configure VLANs on the PIX.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113437

Here is the link to the document which explains how to configure the PIX for hosting VPN. This will let remote clients connect to the PIX using VPN and access your local network.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html
 
LVL 79

Expert Comment

by:lrmoore
ID: 16829062
>Will the pix automatically know how to route it to my inside address range?
Yes.
 

Author Comment

by:rpsne
ID: 16829311
Ok, now I get this:

[INFO] nat (inside) 0 access-list inside_nat0_outbound
       Outside address overlap with static NAT configuration

What do I need to do to resolve this?
 
LVL 79

Expert Comment

by:lrmoore
ID: 16829373
Can you post your complete config? Mask only the first couple of octets of the public IP addresses.
 

Author Comment

by:rpsne
ID: 16829427
asdm image flash:/asdm-512.bin
asdm location 172.27.0.17 255.255.255.255 inside
asdm location 172.27.1.17 255.255.255.255 inside
asdm location 172.27.0.25 255.255.255.255 inside
asdm location 172.27.0.9 255.255.255.255 dmz
asdm group dmz_http_real dmz
asdm group dmz_https_real dmz
asdm group dmz_8901_real dmz
asdm group dmz_ssh_real dmz
asdm group dmz_http outside reference dmz_http_real
asdm group dmz_https outside reference dmz_https_real
asdm group dmz_8901 outside reference dmz_8901_real
asdm group dmz_3389 outside reference dmz_https_real
asdm group dmz_ssh outside reference dmz_ssh_real
asdm history enable
: Saved
:
PIX Version 7.1(2)
!
hostname hostname
domain-name xyz.com
enable password xxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0
 speed 100
 nameif inside
 security-level 100
 ip address 172.27.1.254 255.255.254.0
!
interface Ethernet1
 speed 100
 nameif outside
 security-level 0
 ip address xxx.xxx.106.252 255.255.255.0
!
interface Ethernet2
 speed 100
 nameif dmz
 security-level 40
 ip address 10.10.10.254 255.255.255.0
!
passwd xxxxxxxxxxxxxxx encrypted
boot system flash:/pix712.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 172.27.0.1
 name-server 172.27.0.3
 name-server xxx.xxx.17.1
 name-server xxx.xxx.17.2
 domain-name xyz.com
object-group network dmzhosts
 network-object host xxx.xxx.106.5
 network-object host xxx.xxx.106.9
 network-object host xxx.xxx.106.15
 network-object host xxx.xxx.106.17
 network-object host xxx.xxx.106.16
object-group service tcphighrisk tcp
 port-object eq 135
 port-object eq 137
 port-object eq 138
 port-object eq netbios-ssn
 port-object eq 445
 port-object eq sqlnet
 port-object eq 1214
 port-object eq 3408
 port-object eq 3531
object-group service udphighrisk udp
 port-object eq bootps
 port-object eq bootpc
 port-object eq tftp
 port-object eq 135
 port-object eq netbios-ns
 port-object eq netbios-dgm
 port-object eq 139
 port-object eq 445
 port-object eq snmp
 port-object eq 462
object-group network dmz_http
 network-object host xxx.xxx.106.5
 network-object host xxx.xxx.106.9
 network-object host xxx.xxx.106.15
 network-object host xxx.xxx.106.17
 network-object host xxx.xxx.106.16
object-group network dmz_https
 network-object host xxx.xxx.106.5
 network-object host xxx.xxx.106.9
object-group network dmz_8901
 network-object host xxx.xxx.106.9
object-group network dmz_3389
 network-object host xxx.xxx.106.5
 network-object host xxx.xxx.106.9
object-group network dmz_ssh
 network-object host xxx.xxx.106.15
 network-object host xxx.xxx.106.17
 network-object host xxx.xxx.106.16
object-group network dmz_http_real
 network-object 10.10.10.5 255.255.255.255
 network-object 10.10.10.9 255.255.255.255
 network-object 10.10.10.15 255.255.255.255
 network-object 10.10.10.17 255.255.255.255
 network-object 10.10.10.16 255.255.255.255
object-group network dmz_https_real
 network-object 10.10.10.5 255.255.255.255
 network-object 10.10.10.9 255.255.255.255
object-group network dmz_8901_real
 network-object 10.10.10.9 255.255.255.255
object-group network dmz_ssh_real
 network-object 10.10.10.15 255.255.255.255
 network-object 10.10.10.17 255.255.255.255
 network-object 10.10.10.16 255.255.255.255
access-list dmz_in extended permit tcp any object-group dmz_http eq www
access-list dmz_in extended permit tcp any object-group dmz_https eq https
access-list dmz_in extended permit tcp any object-group dmz_8901 eq 8901
access-list dmz_in extended permit tcp any object-group dmz_3389 eq 3389
access-list dmz_in extended permit tcp any object-group dmz_ssh eq ssh
access-list dmz_in extended permit tcp any host xxx.xxx.106.20 eq 88
access-list dmz_in extended permit tcp any host xxx.xxx.106.16 eq ftp
access-list dmz_in extended permit tcp any host xxx.xxx.106.18 eq smtp
access-list dmz_in extended permit tcp any host xxx.xxx.106.18 eq www
access-list dmz_in extended permit tcp any host xxx.xxx.106.18 eq https
access-list dmz_in extended permit tcp any host xxx.xxx.106.18 eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.169.0 255.255.255.0
access-list XXXXXX_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool XXXXXXVPN 192.168.169.1-192.168.169.254 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
asdm image flash:/asdm-512.bin
asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.106.41-xxx.xxx.106.239 netmask 255.255.255.0
global (outside) 1 xxx.xxx.106.240
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.27.0.0 255.255.254.0
nat (dmz) 1 10.10.10.0 255.255.255.0
static (dmz,outside) xxx.xxx.106.15 10.10.10.15 netmask 255.255.255.255
static (inside,outside) xxx.xxx.106.1 172.27.0.1 netmask 255.255.255.255
static (inside,outside) xxx.xxx.106.3 172.27.0.3 netmask 255.255.255.255
static (inside,outside) xxx.xxx.106.7 172.27.0.7 netmask 255.255.255.255
static (inside,outside) xxx.xxx.106.11 172.27.0.11 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.106.17 10.10.10.17 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.106.5 10.10.10.5 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.106.9 10.10.10.9 netmask 255.255.255.255
static (inside,outside) xxx.xxx.106.20 172.27.0.20 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.106.16 10.10.10.16 netmask 255.255.255.255
static (inside,outside) xxx.xxx.106.18 172.27.0.18 netmask 255.255.255.255
access-group dmz_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.106.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXXXXX internal
group-policy XXXXXX attributes
 dns-server value 172.27.0.1 172.27.0.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXXX_splitTunnelAcl
 default-domain value xyz.com.local
username local.user password xxxxxxxxxxxxx encrypted privilege 0
username local.user attributes
 vpn-group-policy XXXXXX
http server enable
http 172.27.0.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group XXXXXX type ipsec-ra
tunnel-group XXXXXX general-attributes
 address-pool XXXXXXVPN
 default-group-policy XXXXXX
tunnel-group XXXXXX ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 172.27.0.0 255.255.254.0 inside
ssh timeout 5
console timeout 0
Cryptochecksum:082ca0ce86b7783ed0812aa79b909513
: end

 
LVL 79

Expert Comment

by:lrmoore
ID: 16829516
>access-list inside_nat0_outbound extended permit ip any 192.168.169.0 255.255.255.0

You should not use "any" in the nat0 acl
Try:
no access-list inside_nat0_outbound extended permit ip any 192.168.169.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
clear xlate
access-list inside_nat0_outbound extended permit ip 172.27.0.0 255.255.0.0 192.168.169.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

 

Author Comment

by:rpsne
ID: 16829693
Ok, I will give that a shot.  What do I need to allow through my router to the pix for my vpn clients?  The 192.168.169.0/24 range?
 

Author Comment

by:rpsne
ID: 16830228
I got it working, but even though I have split tunneling enabled I cannot get to the internet.  Not a big deal as I am going to disable this anyway for security.  Also, maybe I should have been more clear on the router.  What type of traffic do I need to allow through my firewall on the router to get to the pix?  Right now I am allowing all traffic to the PIX ip.  Is this where I would choose IPSec over TCP and choose a random port number on the client and then allow that TCP port through the firewall on the router?  Thanks for your help in getting this working!!!
 
LVL 79

Expert Comment

by:lrmoore
ID: 16831525
You need to allow UDP 500 for ISAKMP, ESP (IP protocol 50), and UDP 4500 for NAT traversal.
If you choose to use TCP then yes, you can choose a high random port, or use the default 10000.