Solved

Network Reclamation with Cisco 501's

Posted on 2007-03-29
289 Views
Last Modified: 2010-04-09
We are doing a network reclamation project and have just gotten access to the routers.  There are 10 sites all using cisco 501 pix over a vpn.  All pix are only accessible through ssh.  Right now, vpn users can only remote into their local sites and cannot access all network resources.  So here is my question:

a)  How do I pull current configurations of each pix?
b)  How do I go about giving vpn users access to all network resources?

Question by:ekm51
 
LVL 28

Expert Comment

by:batry_boy
ID: 18819787
a)  Once you are in an SSH session, issue the command "show run" to display the current running configuration.  Then you can just copy and paste out of your SSH client to save off the configuration to a local file.

b) Are the VPN users accessing the PIX 501 at each site through a remote access VPN tunnel to get to network resources behind that PIX 501?  If so, you will need to post the PIX configuration in order for us to tell you how to do this.  You also need to mention what resources the VPN users currently have access to and which resources they don't have access to.
 
LVL 10

Accepted Solution

by:Sorenson (earned 500 total points)
ID: 18822871
I would suggest looking at kiwi cat tools http://www.kiwisyslog.com/products.php .  It can be used to automate the retrieval of configurations from various devices (over ssh, telnet, ftp, etc).  I use it to monitor my cisco devices, and e-mail me whenever changes occur.  It is excellent for documentation, and change management, as it can be configured to keep prior versions of configurations.

Giving VPN users access to all resources is not going to be simple with cisco 501s at each location.  The 501s do not support 7.x code, and the 6.3.x code does not support hair pinning (allowing vpn traffic to ingress and egress from the same physical interface), so it is not possible to have a vpn user connect to one pix, and then use that pix's tunnels to see other sites.  There are two solutions for this:
1)  give them a pcf file for each site (with 10 sites this would be very messy and create massive confusion with your average end-user :)  )
2)  configure a single pix or vpn concentrator "inside" the main site (that has vpn connections via its existing pix to the other sites).  Configure pcf and client vpn to this "internal" pix.  Adjust routing inside that site to accommodate it, and then configure the security associations for that site's external pix to allow the new ip pool of the new pix to access each of the other sites.  I know that sounds confusing, but basically you vpn behind the current pix - site-to-site vpn infrastructure, then come back to use that infrastructure to access the other sites.
 
LVL 1

Author Comment

by:ekm51
ID: 18838136
> RE:   2)  configure a single pix or vpn concentrator "inside" the main site (that has vpn connections via its existing pix to the other sites).  Configure pcf and client vpn to this "internal" pix.  Adjust routing inside that site to accommodate it, and then configure the security associations for that site's external pix to allow the new ip pool of the new pix to access each of the other sites.  I know that sounds confusing, but basically you vpn behind the current pix - site-to-site vpn infrastructure, then come back to use that infrastructure to access the other sites.

~ Would I need another line for this?  Or would it be simpler to upgrade the pix at each site?  If so, what model would you suggest?  The web console (pdm) is also turned off, or at least we are unable to authenticate to it.  Can we turn it back on or reset the un/pw to it via the ssh console?  I have no experience with ssh so I'm trying to make it easy to manage.

Here's a printout of one of the pix from "show run":

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password eSJlU6AhtNMUkGQ4 encrypted
passwd Ty3cEBOi7DCWDHRW encrypted
hostname broadway
domain-name wuyee.org
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list 101 permit ip 192.168.60.0 255.255.255.0 192.168.83.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list 101 permit ip 192.168.33.0 255.255.255.0 192.168.83.0 255.255.255.0
access-list 101 permit ip host 192.168.83.132 192.168.53.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 host 192.168.83.132
access-list 101 permit ip host 192.168.83.132 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 host 192.168.83.132
access-list 101 permit ip host 192.168.83.119 192.168.54.0 255.255.255.0
access-list 101 permit ip 192.168.54.0 255.255.255.0 host 192.168.83.119
access-list 101 permit ip host 192.168.83.177 192.168.35.0 255.255.255.0
access-list 101 permit ip 192.168.35.0 255.255.255.0 host 192.168.83.177
access-list 101 permit ip 192.168.83.0 255.255.255.0 host 172.20.235.104
access-list 101 permit ip 192.168.83.0 255.255.255.0 host 172.20.235.157
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 host 172.20.235.72
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.62.0 255.255.255.0
access-list 101 permit ip 192.168.62.0 255.255.255.0 192.168.83.0 255.255.255.0
access-list 101 permit ip host 192.168.83.6 192.168.61.0 255.255.255.0
access-list 101 permit ip 192.168.61.0 255.255.255.0 host 192.168.83.6
access-list 101 permit ip host 192.168.83.7 192.168.61.0 255.255.255.0
access-list 101 permit ip 192.168.61.0 255.255.255.0 host 192.168.83.7
access-list ComingIn permit tcp host 68.164.245.197 interface outside eq 3389
access-list ComingIn permit tcp host 68.164.245.33 interface outside eq 3389
access-list ComingIn permit tcp host 64.172.9.154 interface outside eq 3389
access-list ComingIn permit tcp host 66.114.233.34 interface outside eq 3387
access-list ComingIn permit tcp host 63.193.3.210 interface outside eq 3387
access-list ComingIn permit tcp host 63.204.213.130 interface outside eq 3387
access-list ComingIn permit tcp host 64.168.154.11 interface outside eq 3387
access-list ComingIn permit tcp host 216.27.176.127 interface outside eq 3387
access-list ComingIn permit tcp host 216.27.176.127 interface outside eq 3389
access-list ComingIn permit tcp host 66.92.10.131 interface outside eq 3387
access-list ComingIn permit tcp host 66.92.10.131 interface outside eq 3389
access-list ComingIn permit icmp any any
access-list ComingIn permit tcp host 71.139.218.137 interface outside eq 3389
access-list ComingIn permit tcp host 71.139.218.137 interface outside eq 3387
access-list ComingIn permit tcp any interface outside eq 18082
access-list ComingIn permit tcp host 67.103.126.2 interface outside eq 3389
access-list ComingIn permit tcp host 67.103.126.2 interface outside eq 3387
access-list ComingIn permit tcp host 66.253.0.226 any
access-list ComingIn permit tcp host 70.239.197.174 interface outside eq 3389
access-list ComingIn permit tcp host 70.239.197.174 interface outside eq 3387
access-list ComingIn permit tcp host 66.253.0.226 interface outside eq 3387
access-list ComingIn permit tcp host 66.253.0.226 interface outside eq 3389
access-list prislist permit ip 192.168.83.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list prislist permit ip 192.168.33.0 255.255.255.0 192.168.83.0 255.255.255.0
access-list sharonlist permit ip host 192.168.83.132 192.168.53.0 255.255.255.0
access-list sharonlist permit ip 192.168.53.0 255.255.255.0 host 192.168.83.132
access-list CLAY permit ip 192.168.83.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list ashleylist permit ip host 192.168.83.132 192.168.54.0 255.255.255.0
access-list ashleylist permit ip 192.168.54.0 255.255.255.0 host 192.168.83.132
access-list ashleylist permit ip host 192.168.83.119 192.168.54.0 255.255.255.0
access-list ashleylist permit ip 192.168.54.0 255.255.255.0 host 192.168.83.119
access-list vanessalist permit ip host 192.168.83.177 192.168.35.0 255.255.255.0
access-list vanessalist permit ip 192.168.35.0 255.255.255.0 host 192.168.83.177
access-list RTEK permit ip 192.168.83.0 255.255.255.0 host 172.20.235.104
access-list RTEK permit ip 192.168.83.0 255.255.255.0 host 172.20.235.157
access-list RTEK permit tcp 192.168.83.0 255.255.255.0 host 172.20.235.72 eq www
access-list RTEK permit tcp 192.168.83.0 255.255.255.0 host 172.20.235.119 eq https
access-list RTEK permit ip 192.168.83.0 255.255.255.0 host 172.20.235.72
access-list MISS permit ip 192.168.83.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VELAS permit ip 192.168.83.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list CARE permit ip 192.168.83.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list GG22 permit ip 192.168.83.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list GG17 permit ip 192.168.83.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list MONT permit ip 192.168.83.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT permit ip 192.168.83.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list johnlist permit ip 192.168.83.0 255.255.255.0 192.168.62.0 255.255.255.0
access-list johnlist permit ip 192.168.62.0 255.255.255.0 192.168.83.0 255.255.255.0
access-list lindalist permit ip host 192.168.83.6 192.168.61.0 255.255.255.0
access-list lindalist permit ip 192.168.61.0 255.255.255.0 host 192.168.83.6
access-list lindalist permit ip host 192.168.83.7 192.168.61.0 255.255.255.0
access-list lindalist permit ip 192.168.61.0 255.255.255.0 host 192.168.83.7
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.83.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.60.1-192.168.60.254
ip local pool prispool 192.168.33.1-192.168.33.10
ip local pool sharonpool 192.168.53.1-192.168.53.10
ip local pool ashleypool 192.168.54.1-192.168.54.10
ip local pool vanessapool 192.168.35.1-192.168.35.10
ip local pool johnpool 192.168.62.1-192.168.62.5
ip local pool lindapool 192.168.61.1-192.168.61.5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.83.6 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3387 192.168.83.7 3387 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 18082 192.168.83.28 18082 netmask 255.255.255.255 0 0
access-group ComingIn in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.83.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address RTEK
crypto map mymap 1 set peer 66.253.0.226
crypto map mymap 1 set transform-set myset2
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 26 ipsec-isakmp
crypto map mymap 26 match address MONT
crypto map mymap 26 set peer 67.103.42.233
crypto map mymap 26 set transform-set myset2
crypto map mymap 27 ipsec-isakmp
crypto map mymap 27 match address VELAS
crypto map mymap 27 set peer 67.103.42.230
crypto map mymap 27 set transform-set myset2
crypto map mymap 28 ipsec-isakmp
crypto map mymap 28 match address CLAY
crypto map mymap 28 set peer 67.100.89.125
crypto map mymap 28 set transform-set myset
crypto map mymap 29 ipsec-isakmp
crypto map mymap 29 match address GG22
crypto map mymap 29 set peer 67.100.89.172
crypto map mymap 29 set transform-set myset
crypto map mymap 42 ipsec-isakmp
crypto map mymap 42 match address MISS
crypto map mymap 42 set peer 72.244.53.186
crypto map mymap 42 set transform-set myset
crypto map mymap 44 ipsec-isakmp
crypto map mymap 44 match address CARE
crypto map mymap 44 set peer 63.193.3.210
crypto map mymap 44 set transform-set myset
crypto map mymap 45 ipsec-isakmp
crypto map mymap 45 match address GG22
crypto map mymap 45 set peer 69.104.185.58
crypto map mymap 45 set transform-set myset
crypto map mymap 46 ipsec-isakmp
crypto map mymap 46 match address GG17
crypto map mymap 46 set peer 64.168.154.11
crypto map mymap 46 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 72.244.53.186 netmask 255.255.255.255
isakmp key ******** address 63.193.3.210 netmask 255.255.255.255
isakmp key ******** address 69.104.185.58 netmask 255.255.255.255
isakmp key ******** address 64.168.154.11 netmask 255.255.255.255
isakmp key ******** address 66.253.0.226 netmask 255.255.255.255 no-xauth
isakmp key ******** address 67.103.42.233 netmask 255.255.255.255
isakmp key ******** address 67.103.42.230 netmask 255.255.255.255
isakmp key ******** address 67.100.89.125 netmask 255.255.255.255
isakmp key ******** address 67.100.89.172 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 1000
vpngroup broawy address-pool bigpool
vpngroup broawy dns-server 192.167.83.7 206.13.28.12
vpngroup broawy split-tunnel 101
vpngroup broawy idle-time 1800
vpngroup broawy password ********
vpngroup priscilla address-pool prispool
vpngroup priscilla dns-server 192.167.83.7 206.13.28.12
vpngroup priscilla split-tunnel prislist
vpngroup priscilla idle-time 1800
vpngroup priscilla password ********
vpngroup sharon address-pool sharonpool
vpngroup sharon dns-server 192.168.83.7 206.13.28.12
vpngroup sharon split-tunnel sharonlist
vpngroup sharon idle-time 1800
vpngroup sharon password ********
vpngroup ashley address-pool ashleypool
vpngroup ashley dns-server 192.168.83.7 206.13.28.12
vpngroup ashley split-tunnel ashleylist
vpngroup ashley idle-time 1800
vpngroup ashley password ********
vpngroup vanessa address-pool vanessapool
vpngroup vanessa dns-server 206.13.31.12 206.13.28.12
vpngroup vanessa split-tunnel vanessalist
vpngroup vanessa idle-time 1800
vpngroup vanessa password ********
vpngroup john address-pool johnpool
vpngroup john dns-server 192.167.83.7 206.13.28.12
vpngroup john split-tunnel johnlist
vpngroup john idle-time 1800
vpngroup john password ********
vpngroup linda address-pool lindapool
vpngroup linda dns-server 192.167.83.7 206.13.28.12
vpngroup linda split-tunnel lindalist
vpngroup linda idle-time 1800
vpngroup linda password ********
telnet timeout 5
ssh 68.164.245.197 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.83.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.83.200-192.168.83.219 inside
dhcpd dns 192.168.83.7 67.100.88.26
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:3e346efeac071eb09fa9f24e3521daeb
: end
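As an added example (not code from the thread or from Cisco), the script below parses the posted "show run" and lists, for each vpngroup, its address pool and the networks its split-tunnel ACL pushes to the client; it assumes only "permit ip" ACEs matter and embeds a trimmed copy of the configuration. Run against the full configuration it makes Sorenson's point visible: the per-user groups are confined to a single pool/192.168.83.0 pair, while the broawy group is pushed everything in ACL 101, including remote-site networks that a 6.3 PIX cannot hairpin traffic to.

```python
# Added example: map each PIX 6.3 vpngroup to its address pool and to the
# networks its split-tunnel ACL names; only 'permit ip' ACEs are parsed.
import ipaddress
import re
# Trimmed from the 'show run' posted in the thread: the catch-all group broawy
# (ACL 101, also the nat 0 ACL, names remote site 192.168.88.0) and two
# per-user groups confined to a single pool/local-network pair.
PIX_CONFIG = """\
access-list 101 permit ip 192.168.83.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list prislist permit ip 192.168.83.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list prislist permit ip 192.168.33.0 255.255.255.0 192.168.83.0 255.255.255.0
access-list sharonlist permit ip host 192.168.83.132 192.168.53.0 255.255.255.0
access-list sharonlist permit ip 192.168.53.0 255.255.255.0 host 192.168.83.132
ip local pool bigpool 192.168.60.1-192.168.60.254
ip local pool prispool 192.168.33.1-192.168.33.10
ip local pool sharonpool 192.168.53.1-192.168.53.10
vpngroup broawy address-pool bigpool
vpngroup broawy split-tunnel 101
vpngroup priscilla address-pool prispool
vpngroup priscilla split-tunnel prislist
vpngroup sharon address-pool sharonpool
vpngroup sharon split-tunnel sharonlist
"""

ACE_RE = re.compile(r"^access-list (\S+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)")

def to_network(token):
    # 'host A.B.C.D' -> /32; 'A.B.C.D MASK' -> network with that mask
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}")

def parse_config(text):
    acls, pools, groups = {}, {}, {}
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                (to_network(m.group(2)), to_network(m.group(3))))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = ipaddress.ip_address(m.group(2))  # pool start
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return acls, pools, groups

def vpngroup_reach(text):
    """Return {group: (pool_name, sorted networks named by its split-tunnel ACL)}."""
    acls, pools, groups = parse_config(text)
    result = {}
    for name, attrs in groups.items():
        pool_name = attrs.get("address-pool")
        pool_start = pools.get(pool_name)
        reach = set()
        for src, dst in acls.get(attrs.get("split-tunnel", ""), []):
            for net in (src, dst):
                # Skip the group's own pool: clients sit there, it is not a destination.
                if pool_start is None or pool_start not in net:
                    reach.add(str(net))
        result[name] = (pool_name, sorted(reach))
    return result
```

To audit the real device, paste the whole "show run" output into PIX_CONFIG and call vpngroup_reach(PIX_CONFIG).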

 
LVL 10

Assisted Solution

by:Sorenson
Sorenson earned 500 total points
ID: 18838283
2)  no you would not need another line, but you would need another pix.

To run the 7.x code and allow the hairpinning, you would need to upgrade at least one pix (the one you are going to have everyone vpn to) to an ASA or a PIX 515E, so that you can run the 7.x code.

I would continue to use SSH, the PDM can be messy sometimes.  Download putty.exe and use it to access the hosts, as I don't see any username lines in your config, the username will be:  pix and the password will be your telnet password.

 
LVL 1

Author Comment

by:ekm51
ID: 18838509
Do you have a tutorial on how I would set this up step-by-step once the PIX 515E has arrived?  Or would it be possible for a walkthrough?
 
LVL 1

Author Comment

by:ekm51
ID: 18846361
we are also thinking about getting a 1800 or 2800.  Would that simplify things?