Solved

Config script for cisco PIX 506E

Posted on 2006-06-22
8
382 Views
Last Modified: 2013-11-16
I have a config script for VPNs through my 506E, which sets up two client VPNs. The first restricts the client from accessing anything else whilst in the VPN, the second should allow the client machine to access external network at the same time. I want to add a third and fourth VPN connection to it which do the same, but have different passwords and put the clients into a different address pool to the first pair. If I post my scripts can someone please check my new script and tell me if it is correct - I have no way of testing it before I put it onto the firewall.

Andy
0
Comment
Question by:AGBrown
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16959291
If you've already done it once it shouldn't be hard to do again with different parameters.

post a sanitized config and I'll see if I can help out
0
 
LVL 12

Author Comment

by:AGBrown
ID: 16959350
Thank you, the new script has some problems in it I'm sure. I am unsure about the second "nat (inside)" for instance - will it overwrite the first? Also I don't know how to do the "crypto dynamic-map" and "crypto map" sections to allow all 4 VPNs through - so they are definitely going to be wrong.

The possible complication is that I will be tunneled through the Level2 VPN when I set up the new levels (3 and 4) - is that going to be a problem? If so I could SSH to the outside interface just to set these up.

I've foo-ed the internal address pools onto 192.168.5.0/255.255.255.0 with the inside interface on 192.168.5.0 itself. The Level 3 and 4 VPNs should be limited to (for example) a client coming from an IP address pool of 201.10.50.48/252.

Andy

----------------------------------------------------------------------------------------------------------
ORIGINAL:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA

ip local pool IpPoolA 192.168.5.48-192.168.5.51

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec

----------------------------------------------------------------------------------------------------------
NEW:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
: setup a split tunnel (in Level3) and dedicated tunnel (in Level4) but with different address pool to the first pair
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
:restricted external client IP is something like 201.10.50.48/252
access-list outside_cryptomap_dyn_20_poolB permit ip 201.10.50.48 255.255.255.252 192.168.5.52 255.255.255.252
access-list IpPoolB_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB

ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

vpngroup VpnLevel3 password ZZZZ
vpngroup VpnLevel3 address-pool IpPoolB
vpngroup VpnLevel3 split-tunnel IpPoolB_splitTunnelAcl

vpngroup VpnLevel4 password QQQQ
vpngroup VpnLevel4 address-pool IpPoolB

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16959423
First of all, for remote access VPNs with PIXes you should never use part of the internal subnet for your IP pool (just asking for problems). Of course, if it's working, don't change it.

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
can't do that, but can do this

no nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
no access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
no access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl

change
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
to
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 set security-association lifetime seconds 28800 kilobytes 4608000

That number is just a priority number; it determines the order in which the PIX evaluates cryptos to find a match. Also reapply the crypto map after you add these entries to make sure they're applied.

Other than that I believe it should be good. If it does screw something up, then just type "reload" and confirm and it'll be back to its old config in about a minute. If it does work, then do "write mem" to save the changes.
0
 
LVL 12

Author Comment

by:AGBrown
ID: 16959582
cyclops,

Thank you for looking over that, I've got to pop out for an hour, but I'll take a proper look as soon as I get back. You mentioned that I shouldn't use the internal subnet as my IP pool - can I ask why, and what I should be doing instead? I appreciate the help.

Thanks again,

Andy
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 16959615
It has to do with the way PIXes do routing. They are a security device, not a router. Thus this functionality is not always reliable when trying to place RA clients on the local LAN. The recommended way is to give each pool its own subnet like this
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
Then change the acls accordingly of course
0
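The three problems raised in this thread (two `nat (inside) 0` bindings where only the last survives, two `crypto dynamic-map` entries sharing sequence number 20, and client pools carved out of the inside LAN) are all mechanical enough to catch before the config touches the firewall. The following linter is an added example written for this page; it is not code from the thread or from Cisco. It assumes the inside subnet is passed in by the caller (192.168.5.0/24 here, per the poster's note), it understands only the three PIX 6.x statement forms it needs, and the two config excerpts it checks are constructed from the poster's NEW script and from Cyclops3590's corrections.

```python
import ipaddress
import re
from collections import defaultdict

# Patterns for the three PIX 6.x statements this thread turns on.
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
DYNMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


def lint(config, inside_net):
    """Return (code, message) findings for a PIX config text.

    inside_net is the subnet behind the inside interface; the caller supplies it
    (assumption: 192.168.5.0/24 for the thread's config, per the poster's note).
    """
    inside = ipaddress.ip_network(inside_net)
    nat0_acls = defaultdict(list)   # interface -> ACL names bound with nat 0
    dyn_acls = defaultdict(set)     # (dynamic-map name, seq) -> match-address ACLs
    findings = []

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):   # ':' starts a PIX comment line
            continue
        if (m := NAT0_RE.match(line)):
            nat0_acls[m.group(1)].append(m.group(2))
        elif (m := DYNMAP_RE.match(line)):
            dyn_acls[(m.group(1), int(m.group(2)))].add(m.group(3))
        elif (m := POOL_RE.match(line)):
            name, first, last = m.groups()
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            # Flag a pool that hands remote-access clients addresses out of the inside LAN.
            if lo in inside or hi in inside or lo <= inside.network_address <= hi:
                findings.append(("POOL_IN_INSIDE",
                                 f"pool {name} {first}-{last} overlaps inside subnet {inside}"))

    for iface, acls in nat0_acls.items():
        unique = list(dict.fromkeys(acls))   # keep order, drop exact repeats
        if len(unique) > 1:
            findings.append(("NAT0_DUP",
                             f"nat ({iface}) 0 bound to {unique}; only one ACL can be "
                             f"bound, so merge the entries into a single ACL"))
    for (mapname, seq), acls in dyn_acls.items():
        if len(acls) > 1:
            findings.append(("DYNMAP_DUP",
                             f"crypto dynamic-map {mapname} {seq} has {len(acls)} match "
                             f"address ACLs {sorted(acls)}; give each its own sequence number"))
    return findings


# Constructed excerpt of the poster's NEW script, carrying the errors discussed above.
NEW_EXCERPT = """\
: excerpt of the NEW script from the thread (constructed sample input)
nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
"""

# Constructed excerpt with Cyclops3590's corrections applied: one merged nat 0 ACL,
# sequence 30 for the second dynamic-map entry, and pools on their own subnets.
FIXED_EXCERPT = """\
: same excerpt after the corrections (constructed sample input)
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
"""

if __name__ == "__main__":
    for label, text in (("NEW", NEW_EXCERPT), ("FIXED", FIXED_EXCERPT)):
        print(label, lint(text, "192.168.5.0/24") or "no findings")
```

Run it against the NEW excerpt and it reports both pools overlapping 192.168.5.0/24, the duplicate `nat (inside) 0` binding, and the duplicate sequence 20; the FIXED excerpt comes back clean. Feeding the full script through before pasting it into the PIX is the check the poster said he had no way to do.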
 
LVL 12

Author Comment

by:AGBrown
ID: 17031510
Cyclops,

I've had to put my security hat in the wash and wear my development hat for the last week - I'll go through all of this tomorrow and get back to you. Sorry for the wait, and thanks for your help.

Andy
0
