Access to DMZ from Remote VPN Network

Posted on 2007-12-06
Last Modified: 2012-05-05
I have two PIX 515E firewalls with a VPN allowing access to their respective inside networks.  Both networks are part of the same AD.  On one of my PIXes I have a DMZ port with a web server.  I would like to have my remote site access the DMZ through the tunnel.  My IP structure is as follows:
Pix 1 with DMZ:
Inside Interface: 172.16.0.0/255.255.252.0
DMZ Interface: 172.16.12.0/255.255.252.0

Pix 2:
Inside Interface: 172.16.4.0/255.255.252.0

Pix 1's inside network can access the DMZ just fine with the STATIC command.
How do I tell the inside network of Pix 2 to find the DMZ network?

Thanks in advance.
Question by:Kutyi

Expert Comment

by:batry_boy
ID: 20423255
There are three main things to think about in this situation:

crypto ACLs
NAT
routing

1.  Make sure that source network 172.16.4.0/22 with destination network 172.16.12.0/22 is in the crypto ACL for the L2L VPN tunnel on PIX 2.  Make sure it is also in the crypto ACL on PIX 1, but in reverse order for the source and destination, i.e. source is 172.16.12.0/22 and destination is 172.16.4.0/22.

2.  Make sure that your NAT exemption commands on each PIX cover the above traffic.

3.  Make sure that there are not any conflicting routes that direct traffic from 172.16.4.0/22 destined for 172.16.12.0/22 somewhere other than PIX 2.  Do the same on PIX 1 for traffic from 172.16.12.0/22 going to 172.16.4.0/22.

It would probably help to see both PIX configs, but this should get you started down the path.

Author Comment

by:Kutyi
ID: 20423554
Here is Pix 1 Config:

: Saved
:
PIX Version 7.2(2)
!
hostname PiX01
domain-name mydomain.local
enable password dbXGu/pAyWxhIUm3 encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 142.x.x.x 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.252.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.16.12.1 255.255.252.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name acs.local
access-list inbound extended permit tcp any any eq https
access-list inbound extended permit tcp any any eq pop3
access-list inbound extended permit tcp any any eq 3390
access-list inbound extended permit tcp any any eq 3399
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any any eq ssh
access-list inside_20_cryptomap extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.12.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.16.8.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list Administration_splitTunnelAcl standard permit any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Remote_Users_splitTunnelAcl standard permit any
access-list RemoteUsers_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging timestamp
logging emblem
logging trap warnings
logging asdm informational
logging from-address sysmonfw@mydomain.com
logging recipient-address monitor@mydomain.com level errors
logging host inside 172.16.0.10 format emblem
logging permit-hostdown
mtu Outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpnpool 172.12.0.1-172.12.0.199 mask 255.255.252.0
ip local pool VPNPoolUsers 172.16.8.0-172.16.8.254 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,Outside) tcp interface pop3 172.16.0.20 pop3 netmask 255.255.255.255
static (inside,Outside) tcp interface https 172.16.0.20 https netmask 255.255.255.255
static (inside,Outside) tcp interface 3390 172.16.0.10 3390 netmask 255.255.255.255
static (inside,Outside) tcp interface 3399 172.16.2.118 3399 netmask 255.255.255.255
static (inside,Outside) tcp interface www 172.16.0.5 www netmask 255.255.255.255
static (inside,Outside) tcp interface ssh 172.16.0.5 ssh netmask 255.255.255.255
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.255.248.0
access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 142.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 dns-server value 172.16.0.10 172.16.4.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteUsers_splitTunnelAcl
 default-domain value acs.local
username me password g3xotlbp8UluwnJX encrypted privilege 0
username me attributes
 vpn-group-policy RemoteUsers
username admin password wm1QIrSnDfMaU.2q encrypted privilege 15
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set pfs
crypto map Outside_map 20 set peer 142.x.x.x
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 address-pool VPNPoolUsers
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 142.x.x.x type ipsec-l2l
tunnel-group 142.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers type ipsec-ra
tunnel-group RemoteUsers general-attributes
 address-pool VPNPoolUsers
 default-group-policy RemoteUsers
tunnel-group RemoteUsers ipsec-attributes
 pre-shared-key *
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 7200
!
!
!
smtp-server 172.16.0.20
prompt hostname context
Cryptochecksum:ce08de9d4dfc3f0212bfc325d4d2b116
: end

Here is Pix 2:

: Saved
:
PIX Version 7.2(2)
!
hostname PiX02
domain-name mydomain.local
enable password dbXGu/pAyWxhIUm3 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 142.x.x.x 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.4.1 255.255.252.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.local
access-list outside_20_cryptomap extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inbound extended permit tcp any any eq 3940
access-list outside_access_in extended permit tcp any any eq 3940
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 142.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password wm1QIrSnDfMaU.2q encrypted privilege 15
http server enable
http 172.16.4.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 142.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 142.x.x.x type ipsec-l2l
tunnel-group 142.x.x.x ipsec-attributes
 pre-shared-key *
telnet 172.16.4.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
prompt hostname context
Cryptochecksum:1c6b558da241b392c5621908e02d1438
: end

Accepted Solution

by:batry_boy (earned 500 total points)
ID: 20423626
Add the following statements...

PIX 1:

access-list inside_nat0_outbound extended permit ip 172.16.12.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list Outside_20_cryptomap extended permit ip 172.16.12.0 255.255.252.0 172.16.4.0 255.255.252.0

PIX 2:

access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.12.0 255.255.252.0
access-list outside_20_cryptomap extended permit ip 172.16.4.0 255.255.252.0 172.16.12.0 255.255.252.0

See if that helps...
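The three checks from the first reply (crypto ACL, NAT exemption, routing) and the lines in the accepted solution, turned into a script you can run against both configs before touching the tunnel. This is an added example, not code from the thread or from Cisco. It implements the first two checks: it parses the `access-list ... extended permit ip`, `crypto map ... match address` and `nat (...) 0 access-list` lines of each PIX, reports every crypto ACL entry whose reversed (destination, source) pair is missing on the peer, and every crypto ACL entry not fully covered by a NAT exemption entry. The embedded config strings are the relevant lines excerpted from the two configs posted above plus the lines the accepted solution adds; the function names and the coverage rule are the example's own. Caveats: it reads only `permit ip` lines (the `permit tcp ... eq` entries are ignored), it does not check routing, and it records only the name of the nat 0 ACL, not the interface the `nat` statement is bound to (on PIX 1 that statement is bound to `inside`, while the new source network sits behind `DMZ`).

```python
"""Consistency checker for a PIX 7.x site-to-site VPN pair (added example).

Checks crypto-ACL mirroring between the two peers and NAT-exemption coverage
of every crypto-ACL entry. Routing is not checked.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]                      # (source, destination)

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
CRYPTO_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")


def _take_address(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    return Net(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config: str) -> Dict[str, List[Entry]]:
    """Collect 'permit ip' ACL lines, then return the ACLs bound to the
    static crypto map ('match address') and to 'nat (...) 0'."""
    acls: Dict[str, List[Entry]] = {}
    crypto_name = nat0_name = ""
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src, rest = _take_address(m.group(2).split())
            dst, _ = _take_address(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = CRYPTO_RE.match(line)
        if m:
            crypto_name = m.group(1)
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_name = m.group(1)
    return {"crypto": acls.get(crypto_name, []), "nat0": acls.get(nat0_name, [])}


def missing_mirrors(local: str, peer: str) -> List[Entry]:
    """Crypto-ACL entries on 'local' with no reversed (dst, src) entry on 'peer'.
    Both ends must describe the same traffic or phase 2 will not negotiate."""
    peer_entries = set(parse(peer)["crypto"])
    return [(s, d) for (s, d) in parse(local)["crypto"] if (d, s) not in peer_entries]


def nat0_gaps(config: str) -> List[Entry]:
    """Crypto-ACL entries no NAT-exemption entry covers on both src and dst.
    Such traffic is PATed by the catch-all nat/global pair and then no longer
    matches the crypto ACL, so it never enters the tunnel."""
    cfg = parse(config)
    return [(s, d) for (s, d) in cfg["crypto"]
            if not any(s.subnet_of(es) and d.subnet_of(ed) for (es, ed) in cfg["nat0"])]


def describe(entries: List[Entry]) -> List[str]:
    return [f"{s} -> {d}" for (s, d) in entries]


def check_pair(pix1: str, pix2: str) -> Dict[str, List[str]]:
    """All four findings; every list empty means the pair is consistent."""
    return {
        "pix1_unmirrored": describe(missing_mirrors(pix1, pix2)),
        "pix2_unmirrored": describe(missing_mirrors(pix2, pix1)),
        "pix1_nat0_gaps": describe(nat0_gaps(pix1)),
        "pix2_nat0_gaps": describe(nat0_gaps(pix2)),
    }


# Relevant lines excerpted from the two configs posted in the thread, and the
# lines the accepted solution adds to each.
PIX1 = """
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.12.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip any 172.16.8.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map Outside_map 20 match address Outside_20_cryptomap
"""
PIX1_ADD = """
access-list inside_nat0_outbound extended permit ip 172.16.12.0 255.255.252.0 172.16.4.0 255.255.252.0
access-list Outside_20_cryptomap extended permit ip 172.16.12.0 255.255.252.0 172.16.4.0 255.255.252.0
"""
PIX2 = """
access-list outside_20_cryptomap extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.252.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
"""
PIX2_ADD = """
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 172.16.12.0 255.255.252.0
access-list outside_20_cryptomap extended permit ip 172.16.4.0 255.255.252.0 172.16.12.0 255.255.252.0
"""

if __name__ == "__main__":
    # The common mistake: the new network pair added on PIX 1 only.
    print(check_pair(PIX1 + PIX1_ADD, PIX2))
```

Run it after adding the PIX 1 lines but before the PIX 2 lines and `pix1_unmirrored` lists `172.16.12.0/22 -> 172.16.4.0/22`, exactly the entry PIX 2 still lacks; add only the PIX 1 crypto line without its nat0 line and `pix1_nat0_gaps` reports the same pair. Once both sides carry the accepted solution's lines every list is empty.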

Author Comment

by:Kutyi
ID: 20423656
Thanks, batry_boy!  Works great!

Expert Comment

by:batry_boy
ID: 20423681
Excellent...glad to help!

Author Comment

by:Kutyi
ID: 20423704
Does this prevent the DMZ from accessing my remote network?  I can open the question again to give you more points.

Expert Comment

by:batry_boy
ID: 20423764
Which network do you mean by remote?

Author Comment

by:Kutyi
ID: 20423787
172.16.4.0/22.  I would prefer not to have the 172.16.12.0/22 network be able to access it directly, as it is to be a DMZ on a less secure network.

Expert Comment

by:batry_boy
ID: 20423936
Unfortunately, it does allow the DMZ to initiate traffic directly to the remote network.  I understand your concern, however.

You could always modify the PIX 1 outside interface ACL to allow any IP traffic sourced from the PIX 2 PAT address of 142.x.x.x, but the traffic will not be encrypted.  However, it will fix the problem of the DMZ being able to directly access the remote network.

There is another way to do it, by disabling the "sysopt connection permit-vpn" command on PIX1.  By default this command is enabled which allows any VPN traffic to bypass interface ACL checks.  If you turned this off, then your VPN traffic would be subject to the same ACL checks that normal unencrypted traffic is subjected to.  However, this will get a little messy because you will also have to consider your PIX 1 inside network to PIX 2 inside network traffic in this as well.  You could seriously mess up your VPN tunnel traffic if you're not careful.

Author Comment

by:Kutyi
ID: 20424058
Thanks...I will decide on my path.