Cisco PIX pass through VPN

Hi there

I desperately need your advice.

I am trying to allow an external software administrator to access our internal company software UNIX server. My current setup is a static IP address from my ISP, for which I have an ADSL router (192.168.1.1/24) that uses static internal IP addresses (192.168.0.0/24 range); this router then has a connection to my PIX 501's outside interface, which has an IP of 192.168.1.2/24. This firewall's inside interface (10.0.0.50/8) is connected to a network which has the server at 10.0.0.200/8. I need to set up a secure external connection for the administrator. At the moment there is talk of a VPN or SSH/RSH. Can you advise whether my configuration will permit me to do this? Any suggestions will be greatly welcomed.

Also, will I be best to have port forwarding on my router, or shall I keep the static addresses? Either way, will my NAT config be OK?


enable
config t
enable password 1234564778978779 level 15 encrypted
enable password 1234564564564564 level 15 encrypted
enable password 1564189189185418 level 2 encrypted
passwd 8278581582785815 encrypted
username home3home password 87451245787512 encrypted
username mickeymouse password 54418918156189 encrypted
username pluto password 1241454878787878 encrypted
hostname my office
domain-name my office.co.uk
no dhcpd enable outside
no dhcpd enable inside
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.0.50 255.255.255.0
telnet 10.0.0.30 255.255.255.255 inside
telnet timeout 15
http server enable
http 10.0.0.30 255.255.255.255 inside
interface e0 auto
interface e1 100full
banner login # Welcome to ASH. This system is solely for the use of authorised personnel; your IP, gateway and DNS addresses will be logged for the purposes of auditing and monitoring. Use of this system is an express consent to such monitoring. If upon examination any unlawful activities or actions have been undertaken on this system, your IP addresses and details will be passed to the appropriate officials, where, if necessary, prosecution will be sought.
banner motd # Please be aware that all actions are logged and unauthorised IPs are recorded for the purposes of accounting.

names
nameif e0 outside sec0
nameif e1 inside sec100
name 10.0.0.200 internalunixserver
name 10.0.0.30 admin
name 10.0.0.50 inside
name 192.168.1.2 outside
name 192.168.1.1 adsl
name 313.45.62.22 qtec
name 12.12.12.12 qtecwb
name 12.12.12.13 qtecwb2

NAT exemption based on policies:

nat 1 access-list outbound
route outside 12.12.12.12 255.255.255.255 192.168.1.1 1
route outside 12.12.12.13 255.255.255.255 192.168.1.1 1
route outside 313.45.62.22 255.255.255.255 192.168.1.1 1
route inside 10.0.0.200 255.255.255.255 10.0.0.50 1

static (inside,outside) 192.168.1.11 access-list outbound

nat (inside) 1 10.0.0.200 255.255.255.255
static (inside,outside) 192.168.1.2 10.0.0.200
global (outside) 1 192.168.1.12-192.168.1.40 netmask 255.255.255.0
route outside 0 0 192.168.1.1 1

rip outside passive version 2
pdm location 10.0.0.30 255.0.0.0 inside
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol http 80
fixup protocol esp 50
fixup protocol http 443
fixup protocol rsh 22
fixup protocol rsh 514
fixup protocol ppp 1701
no fixup protocol http 8080
no fixup protocol http 8888
no fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol smtp 25
no fixup protocol tftp 69
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no pager lines 24
mtu outside 1500
mtu inside 1500
floodguard enable
ssh (external admin ip) 255.255.255.255 outside
ssh timeout 5
console timeout 20
terminal width 80
ip audit attack action alarm
ip verify reverse-path interface outside
ip verify reverse-path interface inside
management-access inside

access-list inbound permit icmp host 313.45.62.22 host 10.0.0.200 echo-reply
access-list inbound permit icmp host 313.45.62.22 host 10.0.0.200 time-exceeded
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 80
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 21
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 20
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 22
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 443
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 514
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 1521
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 80
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 21
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 20
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 22
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 443
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 514
access-list inbound permit tcp host 12.12.12.12 host 10.0.0.200 eq 1521
access-list inbound permit tcp host 12.12.12.13 host 10.0.0.200 eq 80
access-list inbound permit tcp host 12.12.12.13 host 10.0.0.200 eq 443
access-list inbound deny ip any any
access-group inbound in interface outside

access-list outbound permit icmp host 10.0.0.200 any echo-reply
access-list outbound permit icmp host 10.0.0.200 any time-exceeded
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 80
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 21
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 20
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 22
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 443
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 514
access-list outbound permit tcp host 10.0.0.200 host 313.45.62.22 eq 1521
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 80
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 21
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 20
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 22
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 443
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 514
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.12 eq 1521
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.13 eq 80
access-list outbound permit tcp host 10.0.0.200 host 12.12.12.13 eq 443
access-list outbound deny ip any any
access-group outbound in interface inside

access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200

or

access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 80
access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 21
access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 20
access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 22
access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 443
access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 514
access-list VPNpermit permit tcp host 192.168.1.30 host 313.45.62.22 eq 1521
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 80
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 21
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 20
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 22
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 443
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 514
access-list VPNpermit permit tcp host 313.45.62.22 host 192.168.1.30 eq 1521
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 80
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 21
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 20
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 22
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 443
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 514
access-list VPNpermit permit tcp host 10.0.0.200 host 313.45.62.22 eq 1521
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 80
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 21
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 20
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 22
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 443
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 514
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 1521
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 80
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 21
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 20
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 22
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 443
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 514
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.12 eq 1521
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 80
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 21
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 20
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 22
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 443
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 514
access-list VPNpermit permit tcp host 10.0.0.200 host 12.12.12.13 eq 1521
access-list VPNpermit permit icmp host 313.45.62.22 host 10.0.0.200 echo-reply
access-list VPNpermit permit icmp host 313.45.62.22 host 10.0.0.200 time-exceeded
access-list VPNpermit permit icmp host 313.45.62.22 host 192.168.1.30 echo-reply
access-list VPNpermit permit icmp host 313.45.62.22 host 192.168.1.30 time-exceeded
access-list VPNpermit permit icmp host 192.168.1.30 host 10.0.0.200 echo-reply
access-list VPNpermit permit icmp host 192.168.1.30 host 10.0.0.200 time-exceeded
access-list VPNpermit deny ip any any

no isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash sha
isakmp policy 1 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key 819f2cdf65ae7
nat (inside) 0 access-list VPNpermit
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map qtec 10 ipsec-isakmp
crypto map qtec 10 match address VPNpermit
crypto map qtec 10 set transform-set strong
crypto map qtec 10 set peer 313.45.62.22
crypto ipsec security-association lifetime seconds 9000
crypto map qtec interface outside ipsec-isakmp
crypto map qtec 10 set security-association lifetime seconds 10800
crypto map qtec 10 set pfs group1
crypto map qtec interface outside
sysopt connection permit-ipsec
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ip audit name IDS-INFO info action alarm
ip audit name IDS-ATTACK attack action alarm drop reset
ip audit interface outside IDS-INFO
ip audit interface outside IDS-ATTACK
ip audit interface inside IDS-INFO
ip audit interface inside IDS-ATTACK
ip audit info action alarm
ip audit attack action alarm

Regards

James
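The post asks whether the remote administrator should come in over a VPN or over SSH/RSH, and the inbound ACL above permits both encrypted (22, 443) and cleartext (20/21, 80, 514, 1521) services from the external hosts. The script below is an added example, not part of the thread and not Cisco code: it parses the subset of PIX 6.x syntax used in the post (access-list, access-group, crypto map, transform-set, isakmp policy group) from a small constructed excerpt modelled on the posted configuration, and reports two things a reviewer would check before accepting such a config: cleartext TCP permits on the outside ACL whose flow is not also selected by a crypto map ACL (and so would cross the Internet unencrypted), and crypto map entries with dangling references or a PFS Diffie-Hellman group weaker than the IKE group. The parser is deliberately narrow (host/any sources, host/any destinations, optional eq port) and lower-cases lines, so ACL names are matched case-insensitively; it goes beyond the post's exact lines only in handling `any` and port-less entries as wildcards.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the PIX 6.x configuration posted in the thread
# (addresses are the poster's own; 313.45.62.22 is their anonymised peer).
# It is a small excerpt for illustration, not the full configuration.
SAMPLE_CONFIG = """
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 80
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 21
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 22
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 443
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 514
access-list inbound permit tcp host 313.45.62.22 host 10.0.0.200 eq 1521
access-list inbound permit tcp host 12.12.12.13 host 10.0.0.200 eq 443
access-list inbound deny ip any any
access-group inbound in interface outside
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 22
access-list VPNpermit permit tcp host 313.45.62.22 host 10.0.0.200 eq 1521
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map qtec 10 ipsec-isakmp
crypto map qtec 10 match address VPNpermit
crypto map qtec 10 set transform-set strong
crypto map qtec 10 set peer 313.45.62.22
crypto map qtec 10 set pfs group1
"""

# TCP services that carry credentials or commands in the clear.
CLEARTEXT_TCP = {20: "ftp-data", 21: "ftp", 23: "telnet", 80: "http",
                 514: "rsh", 1521: "sqlnet"}
# MODP group sizes: groups 1 and 2 from RFC 2409, group 5 from RFC 3526.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536}

# One access-list entry: name, action, protocol, host/any source, host/any
# destination, optional "eq <port>". Trailing ICMP type words are ignored.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?:host\s+(?P<src>\S+)|any)\s+(?:host\s+(?P<dst>\S+)|any)"
    r"(?:\s+eq\s+(?P<port>\d+))?")


def parse_config(text):
    """Extract what the audit needs: ACL entries, the ACL bound to each interface,
    crypto map entries, transform-set names and the IKE DH group of each policy."""
    cfg = {"acls": defaultdict(list), "bound": {}, "maps": defaultdict(dict),
           "transform_sets": set(), "ike_groups": {}}
    for raw in text.splitlines():
        line = raw.strip().lower()
        m = ACE_RE.match(line)
        if m:
            cfg["acls"][m["acl"]].append({
                "action": m["action"], "proto": m["proto"],
                "src": m["src"] or "any", "dst": m["dst"] or "any",
                "port": int(m["port"]) if m["port"] else None})
            continue
        t = line.split()
        if t[:1] == ["access-group"] and "interface" in t:
            cfg["bound"][t[t.index("interface") + 1]] = t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            key = {("match", "address"): "acl", ("set", "transform-set"): "transform_set",
                   ("set", "peer"): "peer", ("set", "pfs"): "pfs"}.get((t[4], t[5]))
            if key:
                cfg["maps"][(t[2], int(t[3]))][key] = t[6]
        elif t[:2] == ["isakmp", "policy"] and t[3:4] == ["group"]:
            cfg["ike_groups"][int(t[2])] = "group" + t[4]
    return cfg


def _covers(ace, proto, src, dst, port):
    """True if a permit entry selects this flow ('any', 'ip' and a missing 'eq' are wildcards)."""
    return (ace["action"] == "permit" and ace["proto"] in ("ip", proto)
            and ace["src"] in ("any", src) and ace["dst"] in ("any", dst)
            and ace["port"] in (None, port))


def cleartext_exposures(cfg, outside="outside"):
    """Permits on the outside-facing ACL for cleartext TCP services whose flow is not
    also selected by any crypto map ACL, i.e. it would cross the Internet in the clear."""
    inbound = cfg["acls"].get(cfg["bound"].get(outside), [])
    tunnel = [a for m in cfg["maps"].values() for a in cfg["acls"].get(m.get("acl"), [])]
    return [(a["src"], a["dst"], a["port"], CLEARTEXT_TCP[a["port"]])
            for a in inbound
            if a["action"] == "permit" and a["proto"] == "tcp" and a["port"] in CLEARTEXT_TCP
            and not any(_covers(t, "tcp", a["src"], a["dst"], a["port"]) for t in tunnel)]


def crypto_checks(cfg):
    """Dangling references and a weaker-than-IKE PFS group on each crypto map entry."""
    findings = []
    for (name, seq), m in sorted(cfg["maps"].items()):
        tag = f"crypto map {name} {seq}"
        if m.get("acl") not in cfg["acls"]:
            findings.append(f"{tag}: match address {m.get('acl')} is not a defined access-list")
        if m.get("transform_set") not in cfg["transform_sets"]:
            findings.append(f"{tag}: transform-set {m.get('transform_set')} is not defined")
        pfs = m.get("pfs")
        for pol, grp in sorted(cfg["ike_groups"].items()):
            if pfs in DH_BITS and grp in DH_BITS and DH_BITS[pfs] < DH_BITS[grp]:
                findings.append(f"{tag}: pfs {pfs} ({DH_BITS[pfs]}-bit) is weaker than "
                                f"isakmp policy {pol} {grp} ({DH_BITS[grp]}-bit)")
    return findings


def audit(text):
    cfg = parse_config(text)
    return {"cleartext": cleartext_exposures(cfg), "crypto": crypto_checks(cfg)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for src, dst, port, svc in report["cleartext"]:
        print(f"cleartext {svc}/{port} permitted {src} -> {dst} outside the IPsec tunnel")
    for line in report["crypto"]:
        print(line)
```

On the sample excerpt the script flags ftp, http and rsh from 313.45.62.22 as cleartext flows outside the tunnel (sqlnet is not flagged because the VPNpermit entry selects it), and notes that `set pfs group1` negotiates a weaker Diffie-Hellman group for phase 2 than the `group 2` configured for phase 1. Running it over the full posted configuration is just a matter of replacing SAMPLE_CONFIG with the text of the post.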

Reply to
Alphaomega

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.