VPN Setup for PIX Firewall

Posted on 2010-01-04
Last Modified: 2012-05-08
I am going to outline a situation similar (with IPs changed) to my own and hopefully someone can give me detailed directions on how I can solve my problem. The relevant networking components are as follows: (external IP 65.0.0.1) CISCO PIX 515E Firewall (internal IP 192.168.10.1) -> Backup Domain Controller (internal IP 192.168.10.2). I need to somehow establish a VPN system (using the Windows VPN option) where users can set up a network connection offsite to connect to a network at our workplace and then establish a link to our backup domain controller (or our network in general) so that they will have access to our network and all its systems. I am extremely inexperienced at this, if my description does not already prove that, and therefore I need extremely detailed instructions as to how to set this up between the CISCO PIX 515E Firewall and the server we are using, which is running Server 2003. Any help would be greatly appreciated and hopefully it will come in the form of what to do via ASDM, as I am pretty clumsy when it comes to command line programming! If you need any other information regarding any pieces of our network or the equipment listed above, just let me know.

(Disregard Server 2008 being listed in the zones below, I picked that instead of 2003 by mistake and cannot figure out how to change it!!)
Question by:bigtimeslacker
7 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 26171850
Cisco gives you some good options depending on the licensing of the firewall.

From the client, you can connect via VPN clients to the firewall. This gives you the potential to access the entire LAN behind the firewall. The setup should be straightforward for this scenario. Here is the example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml


Another option is to use an all-Microsoft PPTP VPN solution where the client would connect the VPN to the server, not the firewall. In this case, you would need to configure the firewall to pass PPTP traffic to the internal host. Then set up the server to accept the incoming PPTP traffic as well.

Here's the Cisco how-to: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Then the MS How to:
http://pigtail.net/nicholas/pptp/
and
http://support.microsoft.com/kb/314076


Author Comment

by:bigtimeslacker
ID: 26171956
Wow, awesome response. I will try some of these solutions and get back to you as to whether I need any more help! Thanks for the quick response and great help!

Author Comment

by:bigtimeslacker
ID: 26173245
Sorry if I seem stupid, but going by the information that I provided in the question, entering the following information should allow me to access Microsoft PPTP VPN:

    access-list acl-out permit gre host 192.168.10.2 host 192.168.10.1
    access-list acl-out permit tcp host 192.168.10.2 host 192.168.10.1  eq 1723
    static (inside,outside) 192.168.10.1 65.0.0.1 netmask 255.255.255.255 0 0
    access-group acl-out in interface outside

or do I have some of the IPs mixed up...?
LVL 33

Expert Comment

by:MikeKane
ID: 26173726
The IPs look incorrect.

If 192.168.10.1 is the static for the internal host, then the ACLs should look like
"access-list acl-out permit gre any host 192.168.10.1"
"access-list acl-out permit tcp any host 192.168.10.1 eq 1723"

This would allow any external IP to hit the internal box at 65.0.0.1.

You are certain that the external IP is 192.168.10.1 and that IP is not the same IP assigned to the ASA's external interface?


Author Comment

by:bigtimeslacker
ID: 26174455
The internal IP of our firewall is 192.168.10.1 and the external IP of the firewall is 65.0.0.1. The VPN server only has an internal IP of 192.168.10.1. Does the VPN server 'need' to have an external IP address? I was hoping that after setting up the rules within the firewall, it would not need to have an external IP address. But based on this information, what should my commands look like from my previous posting? Sorry for the confusion... I am so inexperienced with this VPN/firewall stuff!

Author Comment

by:bigtimeslacker
ID: 26174465
Sorry, the internal IP of the VPN server is 192.168.10.2, not .1 as stated in my above post. Sorry again for the confusion!
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 26175063
You will need one other IP to create the static 1-to-1 translation. The GRE you need to forward for PPTP cannot be PAT'd.

If you can get additional IPs in an IP block, then you could use the following:

access-list acl-out permit gre any host 65.0.0.2
access-list acl-out permit tcp any host 65.0.0.2 eq 1723
static (inside,outside) 65.0.0.2 192.168.10.2 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
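A small consistency check of the two PIX snippets from this thread, added here as an example (not part of the thread or of any Cisco tool). It assumes a PIX 6.x-style configuration, where the ACL on the outside interface names the global (translated) address, and it uses the spare global IP 65.0.0.2 that the accepted answer assumes; the sample configs are constructed from the posts above.

```python
import ipaddress
import re
# Constructed sample input: the asker's draft and the accepted PIX snippet
# from the thread, with the assumed spare global address 65.0.0.2.
DRAFT_CONFIG = """
access-list acl-out permit gre host 192.168.10.2 host 192.168.10.1
access-list acl-out permit tcp host 192.168.10.2 host 192.168.10.1 eq 1723
static (inside,outside) 192.168.10.1 65.0.0.1 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
"""
ACCEPTED_CONFIG = """
access-list acl-out permit gre any host 65.0.0.2
access-list acl-out permit tcp any host 65.0.0.2 eq 1723
static (inside,outside) 65.0.0.2 192.168.10.2 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) permit (gre|tcp) (any|host \S+) host (\S+)(?: eq (\d+))?$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def check_pptp_passthrough(config, vpn_server_ip, outside_if_ip):
    """Return problems found; an empty list means GRE and TCP/1723 reach the
    VPN server through a 1:1 static on a global IP other than the PAT address."""
    findings, acls, statics, groups = [], [], [], {}
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := ACL_RE.match(line):
            acls.append(m.groups())          # name, proto, src, dst, port
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())       # in_if, out_if, mapped, real
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL name
    for _, _, mapped, real in statics:
        if ipaddress.ip_address(mapped).is_private and not ipaddress.ip_address(real).is_private:
            findings.append(f"static {mapped} {real}: mapped/real look reversed (mapped comes first)")
    # GRE carries no port numbers, so PPTP data cannot share the outside PAT address.
    global_ip = next((s[2] for s in statics if s[0] == "inside" and s[3] == vpn_server_ip), None)
    if global_ip is None:
        findings.append(f"no static (inside,outside) maps a global IP to {vpn_server_ip}")
    elif global_ip == outside_if_ip:
        findings.append("static reuses the outside interface address; GRE cannot be PAT'd")
    acl_name = groups.get("outside")
    rules = [a for a in acls if a[0] == acl_name]
    for proto, port in (("gre", None), ("tcp", "1723")):
        if global_ip and not any(a[1] == proto and a[3] == global_ip and a[4] == port for a in rules):
            findings.append(f"{acl_name} lacks 'permit {proto} any host {global_ip}'" + (f" eq {port}" if port else ""))
    for a in rules:  # on PIX 6.x the outside ACL names the global (translated) address
        if ipaddress.ip_address(a[3]).is_private:
            findings.append(f"{acl_name}: destination {a[3]} is private; use the mapped global address")
    return findings
```

Running it on the draft reports the reversed static, the missing mapping for 192.168.10.2 and the private destinations in the outside ACL; the accepted snippet produces no findings.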