We are using a Cisco PIX 506e here in London and have a PIX-PIX VPN connection to our HQ in another country. The VPN exists so that HQ staff can RDP into our servers in the event that any IT staff here are unavailable.
Their ISP has changed their IP addresses, so we need to change the IP that the VPN uses.
Here is our existing config
x, y, and z represent different external IP addresses
Building configuration... : Saved : PIX Version 6.3(1) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ***** encrypted passwd ***** encrypted hostname fwlon domain-name domain.co.uk fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names name y.241 mail_outside name 192.168.1.9 srvroom name 192.168.1.8 inbound_SMTP name x.242 HQPIX name 18.104.22.168 HQ name y.240 LondonPIX name 192.168.1.11 DC name 192.168.1.1 mailserv name 192.168.1.3 notes name 192.168.1.4 fileserv name z.174 Supplier1 name 192.168.10.0 VPN_Pool10 object-group service DNS tcp-udp description DNS port-object eq domain object-group service LANGlobal tcp group-object DNS port-object eq ftp port-object eq pop3 port-object eq domain port-object eq www port-object eq https object-group service test udp group-object DNS port-object eq dnsix port-object eq nameserver port-object eq domain access-list outside_access_in remark Allow Mail to SMTP Gateway access-list outside_access_in remark access-list outside_access_in permit tcp any host mail_outside eq smtp access-list outside_access_in remark Allow IPsec Traffic - isakmp access-list outside_access_in permit udp host HQPIX host y.243 eq isakmp access-list outside_access_in remark Allow IPsec Traffic - ah access-list outside_access_in permit ah host HQPIX host y.243 access-list outside_access_in remark Allow IPsec Traffic - esp access-list outside_access_in permit esp host HQPIX host y.243 access-list outside_access_in remark LANGlobal Service Group Inbound Access access-list outside_access_in permit tcp any object-group LANGlobal y.0255.255.255.0 object-group LANGlobal access-list outside_access_in remark Web Access access-list outside_access_in permit tcp any host y.242 eq www access-list outside_access_in remark Deny Port 1434 access-list outside_access_in remark access-list outside_access_in deny udp any eq 1434 any access-list outside_access_in remark Allow ICMP access-list outside_access_in remark access-list outside_access_in permit icmp any any access-list outside_access_in remark Deny everything else access-list outside_access_in deny tcp any any access-list outside_access_in remark Block everything to come in. access-list inside_access_in remark Allow IP traffic access-list inside_access_in permit ip any any access-list inside_access_in remark Deny UDP Port 1434 Out access-list inside_access_in deny udp any eq 1434 any access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0 access-list inside_outbound_nat0_acl remark NO NAT PPTP access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_Pool10 255.255.255.0 access-list outside_cryptomap_20 remark HQ VPN access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0 pager lines 24 logging on logging timestamp logging trap informational logging host inside 192.168.1.7 icmp permit any outside mtu outside 1500 mtu inside 1500 ip address outside y.243 255.255.255.240 ip address inside 192.168.1.5 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool VPN_Pool10 192.168.10.1-192.168.10.5 pdm location mail_outside 255.255.255.255 outside pdm location 192.168.1.192 255.255.255.224 outside pdm location srvroom 255.255.255.255 inside pdm location inbound_SMTP 255.255.255.255 inside pdm location notes 255.255.255.255 inside pdm location HQ 255.255.252.0 outside pdm location LondonPIX 255.255.255.255 outside pdm location HQPIX 255.255.255.255 outside pdm location LondonPIX 255.255.255.255 inside pdm location HQ 255.255.0.0 outside pdm location mailserv 255.255.255.255 inside pdm location DC 255.255.255.255 inside pdm location fileserv 255.255.255.255 inside pdm location 192.168.1.2 255.255.255.255 inside pdm location 192.168.1.7 255.255.255.255 inside pdm location Supplier1 255.255.255.255 outside pdm location VPN_Pool10 255.255.255.0 outside pdm location 192.168.1.14 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 192.168.1.0 255.255.255.0 0 0 static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0 static (inside,outside) y.242 192.168.1.14 netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 y.254 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http srvroom 255.255.255.255 inside http notes 255.255.255.255 inside http mailserv 255.255.255.255 inside http DC 255.255.255.255 inside http fileserv 255.255.255.255 inside http 192.168.1.7 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt connection permit-pptp crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer HQPIX crypto map outside_map 20 set transform-set ESP-DES-MD5 crypto map outside_map interface outside isakmp enable outside isakmp key ******** address HQPIX netmask 255.255.255.255 no-xauth no-config-mode isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 telnet srvroom 255.255.255.255 inside telnet mailserv 255.255.255.255 inside telnet fileserv 255.255.255.255 inside telnet 192.168.1.7 255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 10 vpdn group VPN2 accept dialin pptp vpdn group VPN2 ppp authentication mschap vpdn group VPN2 ppp encryption mppe 128 required vpdn group VPN2 client configuration address local VPN_Pool10 vpdn group VPN2 client configuration dns fileserv DC vpdn group VPN2 client configuration wins mailserv vpdn group VPN2 pptp echo 60 vpdn group VPN2 client authentication local vpdn username HQ_User1 password ********* vpdn username London_User1 password ********* vpdn username London_User2 password ********* vpdn enable outside dhcprelay server DC inside dhcprelay enable outside dhcprelay setroute outside username User3 password ** encrypted privilege 15 username User4 password ** encrypted privilege 15 username User5 password ** encrypted privilege 15 terminal width 80 banner exec Authorised access only banner exec This system is the property of MyCompany banner exec Disconnect IMMEDIATELY if you are not an authorised user ! banner exec Contact *** for help. banner exec User Access Verification banner login Welcome Cryptochecksum:f739ffe940683c93b8db43026b426496 : end [OK]
No one here is by any means an expert on PIX when it comes to such things. We were thinking of doing this via the PDM - can we just change the existing Name statements( in this case adding a new Name), Peer IP address, Pre-shared keys, and the relevant ACL's to reflect the new IP address they will be using, or do we have to delete the existing entries for anything VPN related and re-add them with the new address? Or can someone recommend the new lines we should put in via CLI?
Also, we have the following line in our config
access-list outside_access_in permit tcp any object-group LANGlobal y.0255.255.255.0 object-group LANGlobal
Our CIDR block is y.240/28, therefore I do not see any reason why this should be y.0 255.255.255.0 Surely, it should be?
access-list outside_access_in permit tcp any object-group LANGlobal y.240 255.255.255.240 object-group LANGlobal Thanks in advance.