Solved

Config script for cisco PIX 506E

Posted on 2006-06-22
Last Modified: 2013-11-16
I have a config script for VPNs through my 506E, which sets up two client VPNs. The first restricts the client from accessing anything else whilst in the VPN, the second should allow the client machine to access external network at the same time. I want to add a third and fourth VPN connection to it which do the same, but have different passwords and put the clients into a different address pool to the first pair. If I post my scripts can someone please check my new script and tell me if it is correct - I have no way of testing it before I put it onto the firewall.

Andy
Question by:AGBrown
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16959291
If you've already done it once it shouldn't be hard to do again with different parameters.

post a sanitized config and I'll see if I can help out
 
LVL 12

Author Comment

by:AGBrown
ID: 16959350
Thank you, the new script has some problems in it I'm sure. I am unsure about the second "nat (inside)" for instance - will it overwrite the first? Also I don't know how to do the "crypto dynamic-map" and "crypto map" sections to allow all 4 VPNs through - so they are definitely going to be wrong.

The possible complication is that I will be tunneled through the Level2 VPN when I set up the new levels (3 and 4) - is that going to be a problem? If so I could SSH to the outside interface just to set these up.

I've foo-ed the internal address pools onto 192.168.5.0/255.255.255.0 with the inside interface on 192.168.5.0 itself. The Level 3 and 4 VPNs should be limited to (for example) a client coming from an IP address pool of 201.10.50.48/252.

Andy

----------------------------------------------------------------------------------------------------------
ORIGINAL:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA

ip local pool IpPoolA 192.168.5.48-192.168.5.51

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec

----------------------------------------------------------------------------------------------------------
NEW:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
: setup a split tunnel (in Level3) and dedicated tunnel (in Level4) but with different address pool to the first pair
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
:restricted external client IP is something like 201.10.50.48/252
access-list outside_cryptomap_dyn_20_poolB permit ip 201.10.50.48 255.255.255.252 192.168.5.52 255.255.255.252
access-list IpPoolB_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB

ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

vpngroup VpnLevel3 password ZZZZ
vpngroup VpnLevel3 address-pool IpPoolB
vpngroup VpnLevel3 split-tunnel IpPoolB_splitTunnelAcl

vpngroup VpnLevel4 password QQQQ
vpngroup VpnLevel4 address-pool IpPoolB

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16959423
First of all, for Remote Access VPNs with PIXs you should never use part of the internal subnet for your IP pool (just asking for problems). Of course if it's working don't change it

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
can't do that, but can do this

no nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
no access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
no access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl

change
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
to
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 set security-association lifetime seconds 28800 kilobytes 4608000

that number is just a priority number, determines the order in which the PIX evaluates cryptos to find a match.  also reapply the crypto map after you add these entries to make sure they're applied

other than that I believe it should be good.  if it does screw something up, then just type "reload" and confirm and it'll be back to its old config in about a minute.  if it does work, then do "write mem" to save the changes
 
LVL 12

Author Comment

by:AGBrown
ID: 16959582
cyclops,

Thank you for looking over that, I've got to pop out for an hour, but I'll take a proper look as soon as I get back. You mentioned that I shouldn't use the internal subnet as my IP pool - can I ask why, and what I should be doing instead? I appreciate the help.

Thanks again,

Andy
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 16959615
it has to do with the way PIXs do routing.  They are a security device, not a router.  Thus this functionality is not always reliable when trying to place RA clients on the local LAN.  The recommended way is to give each pool its own subnet like this
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
Then change the acls accordingly of course
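Added example, not part of this thread or of any Cisco tool: a small Python checker that applies the three points Cyclops3590 raises in the two answers above (a second `nat (inside) 0` line replacing the first, a dynamic-map sequence number reused for a different ACL, and address pools carved out of the inside subnet) to a config before it goes onto the firewall. The config excerpt is constructed from the NEW script posted above, and the inside subnet 192.168.5.0/24 is taken from the question; everything else is an assumption.

```python
import re, ipaddress

# Constructed excerpt of the proposed "NEW" script above (sanitized addresses), not a full config.
PROPOSED_CONFIG = """
nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)$")
def lint_pix_vpn_config(config, inside_subnet):
    """Return findings for the three mistakes discussed in this thread."""
    inside = ipaddress.ip_network(inside_subnet)
    findings = []
    nat0_seen = {}   # interface -> ACL named by the first 'nat (iface) 0' line
    dyn_match = {}   # (map name, seq) -> ACL bound to that sequence number
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue  # blank lines and ':' comments
        m = NAT0_RE.match(line)
        if m:
            iface, acl = m.groups()
            if iface in nat0_seen:  # a second nat 0 line replaces the first, it does not add
                findings.append(f"nat ({iface}) 0 is already bound to {nat0_seen[iface]}; "
                                f"this line replaces it with {acl}. Merge both into one ACL.")
            else:
                nat0_seen[iface] = acl
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            if ipaddress.ip_address(first) in inside or ipaddress.ip_address(last) in inside:
                findings.append(f"pool {name} ({first}-{last}) overlaps inside subnet {inside}; "
                                f"give remote-access clients their own subnet.")
        m = DYN_RE.match(line)
        if m:
            dmap, seq, acl = m.groups()
            key = (dmap, int(seq))
            if key in dyn_match and dyn_match[key] != acl:  # same sequence number reused
                findings.append(f"dynamic-map {dmap} seq {seq} already matches {dyn_match[key]}; "
                                f"reusing it for {acl} overwrites that entry. Use a new sequence number.")
            else:
                dyn_match[key] = acl
    return findings
```

Running it over the proposed script reports all four problems; the corrected lines from the answers (one merged nat 0 ACL, sequence 30 for pool B, pools on 192.168.6.0/24 and 192.168.7.0/24) produce no findings.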
 
LVL 12

Author Comment

by:AGBrown
ID: 17031510
Cyclops,

I've had to put my security hat in the wash and wear my development hat for the last week - I'll go through all of this tomorrow and get back to you. Sorry for the wait, and thanks for your help.

Andy