Compuz
asked on
Need to create a dmz and "sandwiching VPN device?"
Ok, so I was on "another site" and they were talking way above me. I am technically inclined, but not a Cisco expert by any means.
I have a computer that sits behind a Pix 506 and Netopia router set on clearsailing with nat enabled on both. The computer inside all this has a route set in it so if I connect to a certain website it will redirect to an internal router that will then attempt to ping 1 of 4 predefined IP addresses on the web. If the router gets replies from the ping, it will then start a VPN to the "other side" and the information exchange to this website begins. If there is no response from the ping, the router goes into dial backup and communication is slooooow.
Here is a basic setup
PC - 192.168.131.15
|
Supplied Cisco Router - 192.168.131.3 - I have no access to configure/change this device
|
Pix inside - 192.168.131.2
|
Pix outside - 10.10.10.1
|
Netopia Inside - 10.10.10.2
|
Netopia Outside - 68.21.10.15
I have been able to configure the PIX so my pings are getting a response and I stay out of dial backup. However, the PIX is blocking IPSec (or so I'm told) traffic so no data is moving back and forth.
From my understanding, I need to create a DMZ, an access list, and such, but I do not know how to do that. And as I search, I think I'm just confusing myself further.
If there is someone who could help me out, the commands for the PIX would be ideal.
Thanks in advance for any help.
To confirm, is it the 192.168.131.3 device that is terminating the VPN? Could you post the config of your pix?
ASKER
The 192.168.131.3 device is the one that will start the ping, then if successful, start the VPN. So long story short, yes it is the local end of the VPN. The Pix has nothing to do with the VPN other than pass traffic.
Current Config from the PIX
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pzo99KnjigybDpoA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 206.16.233.211 Fed-Ping-2
name 12.129.203.103 Fed-Ping-3
name 63.240.132.1
name 63.241.249.213 Fed-Ping-4
object-group service WebBrowse tcp
port-object eq https
port-object eq www
port-object eq hostname
port-object eq pop3
port-object eq pop2
object-group network Fed-Ping
description Address Fed router needs to ping
network-object Fed-Ping-3 255.255.255.255
network-object Fed-ping-1 255.255.255.255
network-object Fed-Ping-4 255.255.255.255
network-object Fed-Ping-2 255.255.255.255
access-list inside_access_in permit ip host Autosig any
access-list inside_access_in permit ip host MichelleBrunger any
access-list inside_access_in permit ip host Fedline-PC any
access-list inside_access_in permit ip host PCS_VPN_Backup any
access-list inside_access_in deny ip any any
access-list allow_ping permit icmp any any sourc
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap informational
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.1 255.255.255.0
ip address inside 192.168.131.2 255.255.255.0
ip audit name Drop attack action alarm drop
ip audit interface outside Drop
ip audit interface inside Drop
ip audit info action alarm
ip audit attack action alarm drop
pdm location Family-Network 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location Fed-Ping-3 255.255.255.255 outside
pdm location Fed-ping-1 255.255.255.255 outside
pdm location Fed-Ping-4 255.255.255.255 outside
pdm location Fed-Ping-2 255.255.255.255 outside
pdm group Fed-Ping outside
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group allow_ping in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.131.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http Family-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username backup password uaGWJbWctUTmT2Ux encrypted privilege 15
username mikeadmin password JnFUdG0EtWWG4v5E encrypted privilege 3
username family015 password 8PywcgXtcU7NvIoo encrypted privilege 3
username mena password W3jAFswBn342jFgr encrypted privilege 3
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username amc01 password MqoqBeUU1juVFHeM
username jeffc password LzFxEvZvUJa213xc encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:028a44c1955 bab8109fc2 6c271956b9 5
: end
OK, so to allow VPN traffic in, first you will need a static NAT that will allow your VPN endpoint to be accessible from the internet:-
static (inside, outside) udp 10.10.10.1 4500 192.168.131.3 4500
static (inside, outside) udp 10.10.10.1 500 192.168.131.3 500
static (inside, outside) esp 10.10.10.1 192.168.131.3
This will translate 10.10.10.1 (or whatever IP in your range you assign to this router) to the internal address for the ports required for an IPSEC vpn.
Next, modify the access list on the outside interface:-
access-list allow_ping permit icmp any any sourc
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-list allow_ping permit udp any host 10.10.10.1 eq 500
access-list allow_ping permit udp any host 10.10.10.1 eq 4500
access-list allow_ping permit esp any host 10.10.10.1
This will allow anyone on the internet to connect to the VPN, so you may want to lock it down to the specific host that tries to connect.
Bear in mind your Netopia router will also need to be configured to forward the VPN traffic, and the VPN will need to support NAT Traversal (NAT-T).
ASKER
As I understood it, if I set the Netopia on clearsailing it would not block anything, that is from Motorola tech. Is that not correct?
Thank you for the Pix info. I started entering it, and on the command "static (inside, outside) esp 10.10.10.1 192.168.131.3" the PIX returned "Invalid Global IP address esp". Is it missing something?
Thank you again for your help
ASKER
Another question: will any of this affect the normal web traffic from the rest of the 192.168.131.x network? If I make a static route on my outside interface (10.10.10.1) and point it to 192.168.131.3, does that point all inbound traffic (i.e. my VPN and normal web traffic) to the 192.168.131.3 device? I ask this as when I entered the first few lines, I seem to have lost "normal" web browsing from other machines on the 192.168.131.0 segment.
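As an added illustration (not code from this thread or from Cisco), here is a small Python model of how the PIX evaluates a packet arriving on the outside interface against the port-based statics and outside ACL suggested above, with the ACL lines written in the form PIX 6.3 accepts (eq 500 / eq 4500 after the destination host). It shows that a port-based static only redirects packets matching its own protocol, global address and port to 192.168.131.3, and everything else is left to the ACL and the ordinary translation rules. The config excerpt and the source address used in the checks are constructed.

```python
import re

# Constructed PIX 6.3 excerpt modelled on the thread: port-based statics for
# IKE (UDP/500) and NAT-T (UDP/4500) plus the outside ACL in valid PIX form,
# "proto src dst eq port" (the port operator follows the destination host).
PIX_CONFIG = """\
static (inside,outside) udp 10.10.10.1 500 192.168.131.3 500
static (inside,outside) udp 10.10.10.1 4500 192.168.131.3 4500
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit udp any host 10.10.10.1 eq 500
access-list allow_ping permit udp any host 10.10.10.1 eq 4500
access-group allow_ping in interface outside
"""

STATIC_RE = re.compile(
    r"^static \(inside,\s*outside\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)"
    r"(?: eq (\d+))?(?: \S+)?$")        # trailing token absorbs an icmp-type
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def parse(config):
    """Return (port-based statics, rules of the ACL bound to 'outside')."""
    statics, acls, bound = [], {}, None
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            proto, gip, gport, lip, lport = m.groups()
            statics.append((proto, gip, int(gport), lip, int(lport)))
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append(
                (action, proto, src, dst, int(port) if port else None))
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    return statics, acls.get(bound, [])

def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"

def inbound(config, proto, src, dst, dport=None):
    """Classify a packet arriving on 'outside': ACL first, then static xlate."""
    statics, rules = parse(config)
    for action, p, s, d, port in rules:          # first matching entry wins
        if (p in (proto, "ip") and _addr_match(s, src) and _addr_match(d, dst)
                and (port is None or port == dport)):
            if action == "deny":
                return "denied by ACL"
            break
    else:
        return "denied by ACL"                   # implicit deny at the end
    for p, gip, gport, lip, lport in statics:    # only its own proto/IP/port
        if p == proto and gip == dst and gport == dport:
            return f"translated to {lip}:{lport}"
    return "permitted by ACL but no static translation"
```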
Not sure about the Moto tech, but it is my understanding that clearsailing (vs SilentRunning, LANLocked) are 3 diff levels of the routers firewall config. SilentRunning is the default setting which opens the usual ports (80, 110, 25, 23, etc) & all others (incl VPN/1723) are closed. I would manually open the port in the Netopia - of which the config may be based on your ISP & what type of IP they are providing your acct...
Are you receiving a dynamic or a single static IP from the ISP? Also, who is your ISP?
P2E
ASKER
We have 5 static IPs from AT&T. I found out that the clearsailing is "wide open". I plan on opening up the Netopia while working on the PIX to make sure all works or limit complications. Then once everything is working, I can close the Netopia around the VPN.
As a side note, I had to reset the PIX after I added the lines above. Once put in, no one else could see the internet. I am guessing this is why another person I was talking to mentioned a DMZ? Anyone have an idea?
ASKER CERTIFIED SOLUTION
Press2Esc's solution with the Netopia box sounds like a very good plan as it will simplify the PIX's config somewhat.
By the way, I realised you can't statically nat esp traffic, but I don't think you would need to, the udp ports should be enough.
If you do manage to get the Netopia talking PPPoE to the PIX, you'll still need static NATs, but you can do a direct IP-to-IP NAT from one of the IPs in your range to the Cisco router instead of doing port-based translation.
SOLUTION
ASKER
Sorry I've been out of the loop, Company temp pulled me on this. I am going onsite on 6-10 and will reconfigure as above. I'll let you know what happens.
Thanks for the input
Compuz, did you get trapped in the DMZ??? Shall we send out the posse'
;)