Solved

Config script for cisco PIX 506E

Posted on 2006-06-22
Last Modified: 2013-11-16
I have a config script for VPNs through my 506E, which sets up two client VPNs. The first restricts the client from accessing anything else whilst in the VPN, the second should allow the client machine to access external network at the same time. I want to add a third and fourth VPN connection to it which do the same, but have different passwords and put the clients into a different address pool to the first pair. If I post my scripts can someone please check my new script and tell me if it is correct - I have no way of testing it before I put it onto the firewall.

Andy
Question by:AGBrown

8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
If you've already done it once it shouldn't be hard to do again with different parameters.

post a sanitized config and I'll see if I can help out
0
 
LVL 12

Author Comment

by:AGBrown
Thank you, the new script has some problems in it I'm sure. I am unsure about the second "nat (inside)" for instance - will it overwrite the first? Also I don't know how to do the "crypto dynamic-map" and "crypto map" sections to allow all 4 VPNs through - so they are definitely going to be wrong.

The possible complication is that I will be tunneled through the Level2 VPN when I set up the new levels (3 and 4) - is that going to be a problem? If so I could SSH to the outside interface just to set these up.

I've foo-ed the internal address pools onto 192.168.5.0/255.255.255.0 with the inside interface on 192.168.5.0 itself. The Level 3 and 4 VPNs should be limited to (for example) a client coming from an IP address pool of 201.10.50.48/252.

Andy

----------------------------------------------------------------------------------------------------------
ORIGINAL:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA

ip local pool IpPoolA 192.168.5.48-192.168.5.51

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec

----------------------------------------------------------------------------------------------------------
NEW:

: setup both a split tunnel (in Level1) and dedicated tunnel (in Level2)
: setup a split tunnel (in Level3) and dedicated tunnel (in Level4) but with different address pool to the first pair
clear isakmp
isa nat
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 10 lifetime 18000

access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list outside_cryptomap_dyn_20_poolA permit ip any 192.168.5.48 255.255.255.252
access-list IpPoolA_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
:restricted external client IP is something like 201.10.50.48/252
access-list outside_cryptomap_dyn_20_poolB permit ip 210.10.50.48 255.255.255.252 192.168.5.52 255.255.255.252
access-list IpPoolB_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0  any

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB

ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55

vpngroup VpnLevel1 password XXXX
vpngroup VpnLevel1 address-pool IpPoolA
vpngroup VpnLevel1 split-tunnel IpPoolA_splitTunnelAcl

vpngroup VpnLevel2 password YYYY
vpngroup VpnLevel2 address-pool IpPoolA

vpngroup VpnLevel3 password ZZZZ
vpngroup VpnLevel3 address-pool IpPoolB
vpngroup VpnLevel3 split-tunnel IpPoolB_splitTunnelAcl

vpngroup VpnLevel4 password QQQQ
vpngroup VpnLevel4 address-pool IpPoolB

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

sysopt connection permit-ipsec
0
 
LVL 25

Expert Comment

by:Cyclops3590
First of all, for Remote Access VPNs with PIXs you should never use part of the internal subnet for your IP pool (just asking for problems). Of course, if it's working, don't change it.

nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
can't do that, but can do this

no nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
no access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
no access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.48 255.255.255.252
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0  192.168.5.52 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl

change
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
to
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 set security-association lifetime seconds 28800 kilobytes 4608000

That number is just a priority number; it determines the order in which the PIX evaluates cryptos to find a match. Also reapply the crypto map after you add these entries to make sure they're applied.

Other than that I believe it should be good. If it does screw something up, then just type "reload" and confirm and it'll be back to its old config in about a minute. If it does work, then do "write mem" to save the changes.
0
 
LVL 12

Author Comment

by:AGBrown
cyclops,

Thank you for looking over that, I've got to pop out for an hour, but I'll take a proper look as soon as I get back. You mentioned that I shouldn't use the internal subnet as my IP pool - can I ask why, and what I should be doing instead? I appreciate the help.

Thanks again,

Andy
0
 
LVL 25

Accepted Solution

by:Cyclops3590 (earned 500 total points)
It has to do with the way PIXs do routing. They are a security device, not a router. Thus this functionality is not always reliable when trying to place RA clients on the local LAN. The recommended way is to give each pool its own subnet like this:
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
Then change the ACLs accordingly, of course.
0
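The poster said he had no way to test the script before loading it onto the firewall. The following is an added pre-deployment check written for this page (not code from the thread, from the poster, or from Cisco): it scans a PIX 6.x-style config text for the three problems the expert raised, a second "nat (iface) 0 access-list" binding on the same interface, two "crypto dynamic-map" entries that share a sequence number but match different ACLs, and an "ip local pool" that overlaps the inside subnet. The two sample configs are constructed from the thread; the "fixed" one assumes the pools move to 192.168.6.0/24 and 192.168.7.0/24 as suggested and that the nat 0 ACL is rewritten for those subnets (the thread only says "change the ACLs accordingly"). The inside subnet is passed in as a parameter rather than parsed from the config.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the poster's NEW script as submitted.
BROKEN_CONFIG = """
: two nat 0 bindings, one dynamic-map sequence reused, pools carved out of the inside LAN
access-list inside_outbound_nat0_acl_poolA permit ip 192.168.5.0 255.255.255.0 192.168.5.48 255.255.255.252
access-list inside_outbound_nat0_acl_poolB permit ip 192.168.5.0 255.255.255.0 192.168.5.52 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl_poolA
nat (inside) 0 access-list inside_outbound_nat0_acl_poolB
ip local pool IpPoolA 192.168.5.48-192.168.5.51
ip local pool IpPoolB 192.168.5.52-192.168.5.55
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolB
"""

# Constructed sample applying the expert's advice; the nat 0 ACL rewrite for the new
# pool subnets is an assumption (the thread only says "change the ACLs accordingly").
FIXED_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool IpPoolA 192.168.6.1-192.168.6.254 mask 255.255.255.0
ip local pool IpPoolB 192.168.7.1-192.168.7.254 mask 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_poolA
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_20_poolB
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
DYNMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def lint_pix_config(config_text, inside_subnet="192.168.5.0/24"):
    """Return a list of finding strings; an empty list means none of the three checks fired."""
    findings = []
    nat0_by_iface = defaultdict(list)      # interface -> ACL names bound with nat 0
    dynmap_acls = defaultdict(set)         # (map name, seq) -> ACLs it matches
    inside = ipaddress.ip_network(inside_subnet)

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):   # ':' introduces a comment on the PIX
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_by_iface[m.group(1)].append(m.group(2))
            continue
        m = DYNMAP_RE.match(line)
        if m:
            dynmap_acls[(m.group(1), m.group(2))].add(m.group(3))
            continue
        m = POOL_RE.match(line)
        if m:
            name = m.group(1)
            start = ipaddress.ip_address(m.group(2))
            end = ipaddress.ip_address(m.group(3))
            # Interval overlap: the pool touches the inside subnet if the ranges intersect.
            if start <= inside.broadcast_address and end >= inside.network_address:
                findings.append(f"pool {name} ({start}-{end}) overlaps inside subnet {inside}; "
                                f"give the pool its own subnet")

    for iface, acls in nat0_by_iface.items():
        if len(acls) > 1:
            findings.append(f"nat ({iface}) 0 is bound to {len(acls)} ACLs ({', '.join(acls)}); "
                            f"the PIX takes one nat 0 ACL per interface, merge the entries into one ACL")
    for (name, seq), acls in dynmap_acls.items():
        if len(acls) > 1:
            findings.append(f"crypto dynamic-map {name} {seq} matches {len(acls)} ACLs "
                            f"({', '.join(sorted(acls))}); give each entry its own sequence number")
    return findings


if __name__ == "__main__":
    for label, cfg in (("NEW script", BROKEN_CONFIG), ("after fixes", FIXED_CONFIG)):
        print(f"== {label}: {len(lint_pix_config(cfg))} finding(s)")
        for f in lint_pix_config(cfg):
            print("  -", f)
```

Running it prints four findings for the NEW script (both pools inside 192.168.5.0/24, the doubled nat 0 binding, and sequence 20 reused) and none for the fixed version. The check is deliberately narrow: it reads only the three command forms that appear in this thread and knows nothing about the rest of PIX syntax, so a clean result means these specific mistakes are absent, not that the config is correct.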
 
LVL 12

Author Comment

by:AGBrown
Cyclops,

I've had to put my security hat in the wash and wear my development hat for the last week - I'll go through all of this tomorrow and get back to you. Sorry for the wait, and thanks for your help.

Andy
0