Pix 515 (external) & ASA 5520 (internal) Firewall Combination Setup

Using a Pix 515 for external and ASA 5520s (failover) for internal, with a DMZ coming off the Pix. Where should I configure Remote VPN (authenticates to AD via IAS/Radius Server on internal network)? What about the routing between the Firewalls?
flexxtx Asked:
Alan Huseyin Kayahan Commented:
Your vpnpool is in a range of 10.10.0.0 which is routed to inside. Use a different pool as following

ip local pool vpn_pool 192.168.90.161-192.168.90.190 mask 255.255.255.224

assign it to tunnel-group

tunnel-group vpn3000 general-attributes
no address-pool vpnpool
address-pool vpn_pool

Do not use any statements in ACLs which are subject to classify networks

no access-list vpn3000_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any
access-list vpn3000_splitTunnelAcl extended permit ip 10.10.0.0 255.255.0.0 192.168.90.160 255.255.255.224
access-list vpn3000_splitTunnelAcl extended permit ip 10.34.0.0 255.255.248.0 192.168.90.160 255.255.255.224
access-list vpn3000_splitTunnelAcl extended permit ip 10.21.8.0 255.255.248.0 192.168.90.160 255.255.255.224

Correct your exempt nat entries
no access-list inside_nat0_outbound extended permit ip any 10.10.249.192 255.255.255.192
access-list dmz_nat0_outbound extended permit ip 10.10.241.0 255.255.255.0 192.168.90.160 255.255.255.224

access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.90.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.34.0.0 255.255.248.0 192.168.90.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.21.8.0 255.255.248.0 192.168.90.160 255.255.255.224

and most important, you forgot to bind the above NAT statement to interface. Issue the following command
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
one last thing, add a reverse route for VPN pool in 10.34.1.1 router or L3 switch
ip route 192.168.90.160 255.255.255.224 10.34.1.254

You are routing the DMZ subnet to an inside router/switch with the following command:
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
You should use a different subnet for the DMZ, one which is not covered by the 10.10.0.0/16 statement, or add routes specifically.

0
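The two faults the accepted answer points at (a VPN pool sitting inside a subnet that is statically routed to an inside next hop, and a nat0 ACL that is defined but never bound with `nat (inside) 0`) can be caught by reading the running config before anyone connects. The script below is an added example, not code from this thread or from Cisco; the two config samples are constructed from lines posted in the thread, condensed to the statements that matter.

```python
import ipaddress
import re

# Constructed samples condensed from the configs posted in this thread:
# the original (pool inside a routed subnet, nat0 ACL never bound) and the
# corrected version from the accepted answer.
BROKEN_CONFIG = """\
ip local pool vpnpool 10.10.249.200-10.10.249.240 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.249.192 255.255.255.192
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
"""
FIXED_CONFIG = """\
ip local pool vpn_pool 192.168.90.161-192.168.90.190 mask 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.90.160 255.255.255.224
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)", re.M)
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+", re.M)
NAT0_ACL_RE = re.compile(r"^access-list (\S+_nat0_outbound) ", re.M)
NAT0_BIND_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)

def pool_subnets(cfg):
    """Map each 'ip local pool' to the subnet its first address and mask imply."""
    return {name: ipaddress.ip_network(f"{first}/{mask}", strict=False)
            for name, first, mask in POOL_RE.findall(cfg)}

def pool_route_conflicts(cfg):
    """Pools whose subnet lies inside a static route pointing at an inside hop.
    Replies to VPN clients then leave towards that next hop instead of the
    tunnel, which is the 'no received packets' symptom in the thread."""
    routes = [(iface, ipaddress.ip_network(f"{net}/{mask}"))
              for iface, net, mask in ROUTE_RE.findall(cfg)]
    return [(name, str(pool), iface, str(net))
            for name, pool in pool_subnets(cfg).items()
            for iface, net in routes
            if net.prefixlen > 0 and pool.subnet_of(net)]  # skip default route

def unbound_nat0_acls(cfg):
    """NAT-exempt ACLs that are defined but never attached with 'nat (if) 0'."""
    return sorted(set(NAT0_ACL_RE.findall(cfg)) - set(NAT0_BIND_RE.findall(cfg)))

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, pool_route_conflicts(cfg), unbound_nat0_acls(cfg))
```

Run against a full `show running-config` dump, the script reports the same pool/route overlap and unbound nat0 ACL that the answer corrects by hand; the fixed sample returns empty lists for both checks.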
 
Alan Huseyin Kayahan Commented:
Hi flexxtx
You can not set up different devices and different configurations as failover. I always suggest terminating VPN connections at the outermost device, which is the PIX in your case. But VPN peer availability in licenses will have an impact over choosing between these two. If you terminate VPN connections at the PIX, all you have to do is add routes for the inside network to the outside interface of the ASA, and a reverse route in the ASA for the VPN pool to the inside interface of the PIX.

Regards
0
 
flexxtx (Author) Commented:
Sorry that I didn't make it clear, but I have two ASAs for failover. The Pix is the external firewall. Do I use a different or the same IP for the outside address on both firewalls?
0
 
Alan Huseyin Kayahan Commented:
In your case, I wouldn't recommend assigning a core role to a device which does not have a failover (PIX). Otherwise the failover of the device behind it will mean nothing if the PIX is the external device, in case of failure. If it is possible for you to make a change in architecture, I would suggest removing the PIX completely (it may be used for other purposes too) and setting the ASA twins as the core device, your external. And terminate VPNs there, so in case of a failure in one device, failover will take place and your VPNs will still go on. If you terminate VPNs at the PIX, all VPN connectivity will go down in case of a failure.
0
 
flexxtx (Author) Commented:
Please disregard. I'm using the ASA 5520s instead/only. I get no received packets when connected to the VPN. I'm using local authentication due to domain trust issues (splitting from a former company). Also, I'm unable to SSH into the ASA...

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.133.191.129 255.255.255.240 standby 67.133.191.130
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.34.1.254 255.255.255.0 standby 10.34.1.252
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
interface GigabitEthernet0/3
 description to AHM DMZ
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.10.241.4 255.255.255.0 standby 10.10.241.5
!
!
access-list acl_dmz extended permit icmp any 10.10.0.0 255.255.0.0 echo-reply
access-list acl_dmz extended permit icmp any 10.10.0.0 255.255.0.0 unreachable
access-list acl_dmz extended permit icmp any 10.10.0.0 255.255.0.0 time-exceeded
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit tcp 10.10.241.0 255.255.255.0 any eq www
access-list acl_dmz extended permit tcp 10.10.241.0 255.255.255.0 any eq https
access-list acl_dmz extended permit tcp 10.10.241.0 255.255.255.0 any eq domain
access-list acl_dmz extended permit udp 10.10.241.0 255.255.255.0 any eq domain
access-list acl_dmz extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 10.10.249.192 255.255.255.192
access-list vpn3000_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool vpnpool 10.10.249.200-10.10.249.240 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover key *****
failover link failover GigabitEthernet0/2
failover interface ip failover 10.2.0.1 255.255.255.0 standby 10.2.0.2
icmp permit 10.10.0.0 255.255.0.0 inside
icmp permit 10.34.0.0 255.255.0.0 inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 67.133.191.135
global (DMZ) 1 10.10.241.125 netmask 255.255.255.0
nat (inside) 1 10.34.0.0 255.255.248.0
nat (inside) 1 10.10.0.0 255.255.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (inside,outside) 67.133.191.130 10.10.204.35 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
timeout xlate 3:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
  vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value americanhm.com
 webvpn
username ppandya password 0JKF6CYtt0rzwQXr encrypted privilege 0
username ppandya attributes
 vpn-group-policy vpn3000
 webvpn
username tdavis password yhxvoe29x/TmSBDo encrypted privilege 0
username tdavis attributes
 vpn-group-policy vpn3000
 webvpn
aaa authentication ssh console LOCAL
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 DMZ
fragment chain 1 management
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool vpnpool
 authentication-server-group (outside) LOCAL
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
tunnel-group ahmvpn type ipsec-ra
tunnel-group ahmvpn general-attributes
 address-pool vpnpool
0
 
Alan Huseyin Kayahan Commented:
correction

tunnel-group vpn3000 general-attributes
no address-pool vpnpool
address-pool vpn_pool
0
 
flexxtx (Author) Commented:
This is the pertinent part of my config. I have authentication set up on a radius server, but should I authenticate a simpler way before? I keep getting error 413...

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.133.191.129 255.255.255.240 standby 67.133.191.130
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.34.1.254 255.255.255.0 standby 10.34.1.252  
!
object-group network Irving2_Users
  network-object 10.5.25.0 255.255.255.0
!
access-list vpn3000_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0
access-list vpn3000_splitTunnelAcl extended permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list vpn3000_splitTunnelAcl extended permit ip 10.21.8.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list vpn3000_splitTunnelAcl extended permit ip 10.34.0.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.241.0 255.255.255.0 10.5.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.0.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.21.8.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list no-nat-vpn extended permit ip 10.5.25.0 255.255.255.0 10.0.0.0 255.0.0.0
ip local pool vpn_pool 10.5.25.1-10.5.25.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
global (outside) 1 67.133.191.135
global (DMZ) 1 10.10.241.125 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.34.0.0 255.255.248.0
nat (inside) 1 10.10.0.0 255.255.0.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (management) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.65.248.0 255.255.248.0 10.34.1.1 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server vpn3000 protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 10.10.203.112 10.10.250.16
 dns-server value 10.10.203.112 10.10.250.16
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value amexxxxxx.com
 webvpn
username netadm password O0KIySpDZGVAYuqX encrypted
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
service resetinbound
service resetoutside
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool vpn_pool
 authentication-server-group vpn3000
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 50
0
 
flexxtx (Author) Commented:
Completely wiped out configuration and configured via ASDM. A few issues were related to a combination of multiple domains & company turnover. VPN working fine now
0
 
Alan Huseyin Kayahan Commented:
1) Please read your original question, and read the post where the question ended up.
2) You obviously missed the nat0 statements in your config, which are corrected in my suggestion above, and which you are surely running in your current config.

Please revise your question close decision
Regards

0
 
Vee_Mod Commented:
Force accepted.
Vee_Mod
Community Support Moderator
0