Solved

Config script for cisco PIX 506E

Posted on 2006-06-22
Last Modified: 2013-11-16
I have a config script for VPNs through my 506E, which sets up two client VPNs. The first restricts the client from accessing anything else whilst in the VPN, the second should allow the client machine to access external network at the same time. I want to add a third and fourth VPN connection to it which do the same, but have different passwords and put the clients into a different address pool to the first pair. If I post my scripts can someone please check my new script and tell me if it is correct - I have no way of testing it before I put it onto the firewall.

Andy
Question by:AGBrown
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16959291
If you've already done it once it shouldn't be hard to do again with different parameters.

post a sanitized config and I'll see if I can help out
 
LVL 12

Author Comment

by:AGBrown
ID: 16959350
Thank you, the new script has some problems in it I'm sure. I am unsure about the second "nat (inside)" for instance - will it overwrite the first? Also I don't know how to do the "crypto dynamic-map" and "crypto map" sections to allow all 4 VPNs through - so they are definitely going to be wrong.

The possible complication is that I will be tunneled through the Level2 VPN when I set up the new levels (3 and 4) - is that going to be a problem? If so I could SSH to the outside interface just to set these up.

I've foo-ed the internal address pools onto 192.168.5.0/255.255.255.0 with the inside interface on 192.168.5.0 itself. The Level 3 and 4 VPNs should be limited to (for example) a client coming from an IP address pool of 201.10.50.48/252.

Andy

----------------------------------------------------------------------------------------------------------
ORIGINAL:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA

ip local pool IpPoolA 192.168.5.48-192.168.5.51

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec

----------------------------------------------------------------------------------------------------------
NEW:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
: setup a split tunnel (in Level3) and dedicated tunnel (in Level4) but with different address pool to the first pair
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
:restricted external client IP is something like 201.10.50.48/252
access-list outside_cryptomap_dyn_20_poolB permit ip 201.10.50.48 255.255.255.252 192.168.5.52 255.255.255.252
access-list IpPoolB_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB

ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

vpngroup VpnLevel3 password ZZZZ
vpngroup VpnLevel3 address-pool IpPoolB
vpngroup VpnLevel3 split-tunnel IpPoolB_splitTunnelAcl

vpngroup VpnLevel4 password QQQQ
vpngroup VpnLevel4 address-pool IpPoolB

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16959423
First of all, for Remote Access VPNs with PIXes you should never use part of the internal subnet for your IP pool (just asking for problems). Of course, if it's working, don't change it.

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
can't do that, but can do this

no nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
no access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
no access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl

change
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
to
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 set security-association lifetime seconds 28800 kilobytes 4608000

That number is just a priority number; it determines the order in which the PIX evaluates cryptos to find a match. Also reapply the crypto map after you add these entries to make sure they're applied.

Other than that I believe it should be good. If it does screw something up, then just type "reload" and confirm and it'll be back to its old config in about a minute. If it does work, then do "write mem" to save the changes.
 
LVL 12

Author Comment

by:AGBrown
ID: 16959582
cyclops,

Thank you for looking over that, I've got to pop out for an hour, but I'll take a proper look as soon as I get back. You mentioned that I shouldn't use the internal subnet as my IP pool - can I ask why, and what I should be doing instead? I appreciate the help.

Thanks again,

Andy
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 16959615
It has to do with the way PIXes do routing. They are a security device, not a router. Thus this functionality is not always reliable when trying to place RA clients on the local LAN. The recommended way is to give each pool its own subnet like this:
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
Then change the ACLs accordingly, of course.
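The three points raised in this thread (one nat 0 ACL per interface, a distinct sequence number per dynamic-map entry, and address pools outside the inside subnet) can be checked mechanically before a script is pasted onto a firewall that cannot be tested first. The Python linter below is an added example, not code from the thread or from Cisco; it assumes the inside subnet 192.168.5.0/24 from the question, and the corrected excerpt uses the merged nat 0 ACL, sequence 30 and 192.168.6.0/7.0 pools suggested in the answers.

```python
import re
import ipaddress

# Constructed excerpt of the "NEW" script posted above, reduced to the lines the linter checks.
BROKEN_CONFIG = """
nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
"""

# Constructed excerpt applying the corrections from the expert comments.
FIXED_CONFIG = """
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)")


def lint_pix_vpn_config(config, inside_subnet):
    """Return human-readable findings for the three mistakes discussed in the thread."""
    inside = ipaddress.ip_network(inside_subnet)
    nat0, dyn, findings = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):
            nat0.setdefault(m.group(1), set()).add(m.group(2))        # interface -> ACL names
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            if ipaddress.ip_address(first) in inside or ipaddress.ip_address(last) in inside:
                findings.append(f"pool {name} overlaps inside subnet {inside}; give it its own subnet")
        elif m := DYN_RE.match(line):
            dyn.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))  # (map, seq) -> ACLs
    for iface, acls in nat0.items():
        if len(acls) > 1:
            findings.append(f"nat ({iface}) 0 bound to {len(acls)} ACLs; merge them into one ACL")
    for (name, seq), acls in dyn.items():
        if len(acls) > 1:
            findings.append(f"dynamic-map {name} seq {seq} used by {len(acls)} match ACLs; use distinct sequence numbers")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_vpn_config(BROKEN_CONFIG, "192.168.5.0/24"):
        print("WARNING:", finding)
```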
 
LVL 12

Author Comment

by:AGBrown
ID: 17031510
Cyclops,

I've had to put my security hat in the wash and wear my development hat for the last week - I'll go through all of this tomorrow and get back to you. Sorry for the wait, and thanks for your help.

Andy