bigtimeslacker

asked on

VPN Setup for PIX Firewall

I am going to outline a situation similar (with IPs changed) to my own and hopefully someone can give me detailed directions on how I can solve my problem. The relevant networking components are as follows: (external IP 65.0.0.1) Cisco PIX 515E Firewall (internal IP 192.168.10.1) -> Backup Domain Controller (internal IP 192.168.10.2). I need to somehow establish a VPN system (using the Windows VPN option) where users can set up a network connection offsite to connect to a network at our workplace and then establish a link to our backup domain controller (or our network in general) so that they will have access to our network and all its systems. I am extremely inexperienced at this, if my description does not prove that already, and therefore I need extremely detailed instructions as to how to set this up between the Cisco PIX 515E Firewall and the server we are using, which is running Server 2003. Any help would be greatly appreciated, and hopefully it will come in the form of what to do via ASDM, as I am pretty clumsy when it comes to command line programming! If you need any other information regarding any pieces of our network or the equipment listed above, just let me know.

(Disregard Server 2008 being listed in the zones below, I picked that instead of 2003 by mistake and cannot figure out how to change it!!)
MikeKane

Cisco gives you some good options depending on the licensing of the firewall.  

From the client, you can connect via VPN clients to the Firewall.   This gives you the potential to access the entire LAN behind the firewall.   The setup should be straightforward for this scenario.  Here is the example:  
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml


Another option is to use an all-Microsoft PPTP VPN solution where the client would connect the VPN to the server, not the firewall. In this case, you would need to configure the firewall to pass PPTP traffic to the internal host. Then set up the server to accept the incoming PPTP traffic as well.

Here's the Cisco how-to: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Then the MS How to:
http://pigtail.net/nicholas/pptp/
and
http://support.microsoft.com/kb/314076


bigtimeslacker

ASKER

Wow, awesome response. I will try some of these solutions and get back to you as to whether I need any more help! Thanks for the quick response and great help!

Sorry if I seem stupid, but going by the information that I provided in the question, entering the following information should allow me to access Microsoft PPTP VPN:

    access-list acl-out permit gre host 192.168.10.2 host 192.168.10.1
    access-list acl-out permit tcp host 192.168.10.2 host 192.168.10.1  eq 1723
    static (inside,outside) 192.168.10.1 65.0.0.1 netmask 255.255.255.255 0 0
    access-group acl-out in interface outside

Or do I have some of the IPs mixed up...?

The IPs look incorrect.

If 192.168.10.1 is the static for the internal host, then the ACLs should look like:
"access-list acl-out permit gre any host 192.168.10.1"
"access-list acl-out permit tcp any host 192.168.10.1 eq 1723"

This would allow any external IP to hit the internal box at 65.0.0.1

You are certain that the external IP is 192.168.10.1 and that IP is not the same IP assigned to the ASA's external interface?  
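An added example, not part of the thread or any poster's code: a small Python check run over the PIX lines quoted above. It assumes the PIX form `static (inside,outside) <mapped> <real>`, treats RFC 1918 addresses as inside addresses, and uses hypothetical names (`lint_pptp`, `ASKER_CONFIG`).

```python
import ipaddress

# The four lines posted in the question, copied from the thread.
ASKER_CONFIG = """
access-list acl-out permit gre host 192.168.10.2 host 192.168.10.1
access-list acl-out permit tcp host 192.168.10.2 host 192.168.10.1  eq 1723
static (inside,outside) 192.168.10.1 65.0.0.1 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
"""

def _addr(tok, i):
    """Read one address spec at tok[i]: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i], i + 2  # network followed by mask; the mask is ignored

def _private(a):
    try:
        return ipaddress.ip_address(a).is_private
    except ValueError:  # 'any', 'interface', or a name: not an inside IP
        return False

def lint_pptp(config):
    """Return findings for PPTP pass-through lines in a PIX-style config."""
    findings, acls, bound = [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) > 3 and tok[2] == "permit":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = tok[i + 1] if tok[i:i + 1] == ["eq"] else None
            acls.setdefault(tok[1], []).append((tok[3], src, dst, port))
        elif tok[:1] == ["access-group"] and tok[-1] == "outside":
            bound = tok[1]  # ACL applied to traffic arriving on outside
        elif tok[:2] == ["static", "(inside,outside)"]:
            if _private(tok[2]) and not _private(tok[3]):
                findings.append("static: mapped/real addresses look swapped")
    rules = acls.get(bound, [])
    for proto, src, dst, port in rules:
        if _private(src):  # Internet clients never arrive with this source
            findings.append(f"{proto}: source {src} is an inside address")
    dsts = lambda p, q: {d for pr, _, d, po in rules if pr == p and po == q}
    if not (dsts("gre", None) & dsts("tcp", "1723")):  # PPTP needs both
        findings.append("no destination has both GRE and TCP/1723 permitted")
    return findings
```

`lint_pptp(ASKER_CONFIG)` returns three findings (the static line and both ACL sources); it does not judge which destination address the ACL should name.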

The internal IP of our firewall is 192.168.10.1 and the external IP of the firewall is 65.0.0.1. The VPN server only has an internal IP of 192.168.10.1. Does the VPN server 'need' to have an external IP address? I was hoping that after setting up the rules within the firewall, it would not need to have an external IP address. But based on this information, what should my commands from my previous posting look like? Sorry for the confusion... I am sooo inexperienced with this VPN/firewall stuff!

Sorry, the internal IP of the VPN server is 192.168.10.2, not 1 as stated in my above post. Sorry again for the confusion!