need help with Cisco VPN 3015

OK, the topology is: internet - 2600 router - DMZ switch - PIX - 6509 - internal net, with the 3015 VPN (pub and priv) both hanging off the DMZ switch.

vpn pub = 140.x.x.11
vpn priv = 140.x.x.12
vpn pool = 10.1.100.x
pix outside = 140.x.x.5
pix inside = 192.168.1.2

6509 = 192.188.x.1

Can anyone outline some basics of what I need to make this work? I want clients using the Cisco VPN software to connect to the network. I am looking for what type of ACLs, routes, what protocols I need to allow, etc. Thanks, I really appreciate the help!

Reply to
mcpaytas

I can not recommend that setup scenario at all. What you should do is to have the VPN3000 on two DMZ interfaces on your PIX instead. This way you can be sure that it is protected, and it will also make your logging a lot easier, as all logs will come from the PIX, in regards to your internet access. Also, running public IP space on VPN clients is unheard of. It is important that you have both the private and public interface on DMZ, as the VPN3000 will pass traffic from a VPN client destined for the internet in and out the same public interface of the VPN3000, and hence you will have no control over your VPN clients' internet usage.

Your ACL must include this for IPsec: protocol 50, udp/500, udp/4500, tcp/10000, icmp unreachables; deny anything else.

HTH Martin Bilgrav

Reply to
Martin Bilgrav

What if I leave the pub interface in the DMZ and place the priv into the 6509? That is actually the way the Cisco documents read. I do not have an extra interface on the PIX 515e for the VPN.

Reply to
mcpaytas

I do not know about Cisco's "recommended" design, but I would never recommend any design where it's possible to shunt/bypass a firewall. To my knowledge Cisco's recommendation is to have both interfaces on a DMZ. Call it an unofficial recommendation, if you like.

The scenario you give will demand 667% (one percent ahead of the devil) control over VPN client PCs, which is proven by history to be impossible. Are you sure that Cisco didn't mention SSLVPN/WebVPN/SecureDesktop in the same design guide as this setup?

HTH Martin Bilgrav

Reply to
Martin Bilgrav

I would agree. That is why I was trying to put both pub and priv in the DMZ. I would like to have the interfaces available on the PIX but that isn't an option. Can I give the priv int a private IP 10.1.100.1, the public int an IP of 143.x.x.11, and then set up an ACL on the PIX something like:

route outside 10.1.100.0 255.255.255.0 10.1.100.1 1

object-group network VPN
network-object 10.1.100.0 255.255.255.0

access-list outside_fw permit tcp object-group VPN object-group INSIDE_NET
access-list outside_fw permit ip object-group VPN object-group INSIDE_NET
access-list outside_fw permit udp object-group VPN object-group INSIDE_NET
access-list outside_fw permit esp object-group VPN object-group INSIDE_NET

What do you think?

Reply to
mcpaytas

Why? Are you already using 6 interfaces?

Just get a UR license, and some interface card, if you are in short.

Not sure what you mean...

At present, the above doesn't make sense to me.

We've been there already, haven't we?

8)

Regards Martin

Reply to
Martin Bilgrav

Ok, I placed an order for a new 4 port interface card. I already have a UR license. Once it comes in I will need to:

*interfaces (inside, outside, VPN)
  1. assign the vpn 3015 public int to the DMZ a public IP (143.x.x.11)
  2. assign the vpn 3015 private int to the pix a private IP (10.1.100.1)
  3. setup a route statement on the pix to route all 10.1.100.x network traffic to the vpn 3015 private int.
  4. setup an ACL to allow VPN traffic from the vpn 3015 to the inside int.
  5. setup an ACL to deny VPN traffic to the outside int.

Does it look like I have it covered? If anyone has any examples of what I actually need, please feel free to enlighten me. :) Thanks for everyones input and help. I greatly appreciate it!

Reply to
mcpaytas

You need these interfaces:

  1. inside
  2. DMZ-2 private
  3. DMZ-1 public
  4. outside

2 of these are of course "onboard" the PIX 515/525. This gives you two other DMZ interfaces in spare - place them in shutdown mode. For future needs, always have one spare, as you might end up with a failover setup, which then needs a dedicated interface for stateful information sync.

  1. assign the DMZ-1 public a public IP subrange, if possible
  2. assign the DMZ-2 private an RFC 1918 IP subrange; repeat 1 and 2 for the VPN3000
  3. assign an RFC 1918 pool of VPN client addresses according to the max number of connected users, e.g. 192.168.100.0 (.1-.254) mask 255.255.255.0 or 192.168.100.0 (.100.1-.101.254) mask 255.255.254.0
  4. setup a route statement on the pix to route 192.168.100.0 /24 to the IP given to the private int of the vpn3000
  5. setup ACL for outside interface on pix (allow esp, udp/500, udp/4500 and tcp/10000)
  6. setup ACL for DMZ-1 public interface on pix (this here is important: allow esp, udp/500, udp/4500 and tcp/10000)
  7. setup ACL for DMZ-2 private interface on pix (what the VPN client users are allowed to do, plus management etc to the VPN public interface)
  8. setup NAT exemption for any inside servers needed to "contact" VPN clients (nat inside 0 access-list NAME)
  9. setup ACL for inside interface on pix (incl. the NAT exemption access as well, plus whatever traffic from inside to outside)
  10. setup a syslog server with log rotation (e.g. Kiwi Syslog for win32 - cheap and great tool)

ACLs in 7-8-9 should correlate a lot!

The syslog will bring you much joy, and a good overview of traffic flows. Especially watch the deny logs from the DMZ-1 interface! This will tell you a lot about the VPN-client connecting PCs' installed applications, such as trojans, Skype, P2P etc.

NB: please keep in mind that the PIX will not do proxy ARP - so don't do any interface route statements on the VPN. Always have any route statement point to an IP.

Good luck - let me know what you think of it when you are done. Regards Martin Bilgrav

Reply to
Martin Bilgrav
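The ten steps above, together with Martin's earlier list of IPsec ports, written out as one PIX 6.x-style configuration. This is an added example, not configuration from anyone in this thread or from Cisco. Everything in it is an assumption for illustration: DMZ-1 is a 140.x.x.128/28 carved out of the 140.x.x.0/24 (so it no longer overlaps the outside interface's range), 140.x.x.130 is the VPN3000 public interface, 10.1.100.1 its private interface, 192.168.100.0/24 the client pool, 192.168.1.0/24 the inside network with 192.168.1.10 as an authentication server and 192.168.1.50 as the syslog host, and the new card's ports are ethernet3 (public, security 50) and ethernet4 (private, security 75). Command syntax should be checked against the PIX software release actually in use.

```cisco
! Added example (not from the thread). PIX 6.x-style syntax; all addresses are placeholders.
! Interfaces: inside and outside are onboard; DMZ-1 (public) and DMZ-2 (private) sit on the new card.
nameif ethernet3 dmz1pub security50
nameif ethernet4 dmz2priv security75
ip address outside 140.x.x.5 255.255.255.128
ip address inside 192.168.1.2 255.255.255.0
ip address dmz1pub 140.x.x.129 255.255.255.240
ip address dmz2priv 10.1.100.254 255.255.255.0

! Routing: every next hop is an IP address, never an interface (the PIX does no proxy ARP).
! Assumed: 140.x.x.1 is the 2600 router, 10.1.100.1 is the VPN3000 private interface.
route outside 0.0.0.0 0.0.0.0 140.x.x.1 1
route dmz2priv 192.168.100.0 255.255.255.0 10.1.100.1 1
! Not shown here: the 2600 must route 140.x.x.128/28 to 140.x.x.5, the 6509 must route
! 192.168.100.0/24 to 192.168.1.2, and the VPN3000 default route must point at 140.x.x.129.

! Identity static so the VPN3000 public address is reachable from outside untranslated.
static (dmz1pub,outside) 140.x.x.130 140.x.x.130 netmask 255.255.255.255 0 0

! Step 5: outside ACL - only IPsec towards the VPN3000 public interface, log everything else.
access-list outside_in permit esp any host 140.x.x.130
access-list outside_in permit udp any host 140.x.x.130 eq 500
access-list outside_in permit udp any host 140.x.x.130 eq 4500
access-list outside_in permit tcp any host 140.x.x.130 eq 10000
access-list outside_in permit icmp any host 140.x.x.130 unreachable
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Step 6: DMZ-1 ACL - the concentrator may only speak IPsec outward (IKE from port 500,
! NAT-T from 4500, cTCP from 10000); the logged deny is what shows anything else leaking out.
access-list dmz1pub_in permit esp host 140.x.x.130 any
access-list dmz1pub_in permit udp host 140.x.x.130 eq 500 any
access-list dmz1pub_in permit udp host 140.x.x.130 eq 4500 any
access-list dmz1pub_in permit tcp host 140.x.x.130 eq 10000 any
access-list dmz1pub_in permit icmp host 140.x.x.130 any unreachable
access-list dmz1pub_in deny ip any any log
access-group dmz1pub_in in interface dmz1pub

! Step 7: DMZ-2 ACL - what VPN clients may reach on inside, plus the concentrator itself
! talking to the (assumed) authentication server. Nothing is permitted towards outside,
! so clients cannot use the tunnel as a path to the internet through the firewall.
access-list dmz2priv_in permit tcp 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2priv_in permit udp 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2priv_in permit icmp 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz2priv_in permit ip host 10.1.100.1 host 192.168.1.10
access-list dmz2priv_in deny ip any any log
access-group dmz2priv_in in interface dmz2priv

! Step 8: NAT exemption - inside <-> VPN pool passes untranslated, and nat 0 with an ACL
! also lets connections initiated from the pool reach inside hosts without per-host statics.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! Ordinary PAT for everything else leaving inside.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Step 9: inside ACL - the mirror of the exemption, plus normal outbound traffic.
access-list inside_out permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq 53
access-list inside_out deny ip any any log
access-group inside_out in interface inside

! Step 10: ship the logs, including the ACL deny hits, to a syslog host on inside.
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.50
```

The three ACLs dmz2priv_in, nonat and inside_out all describe the same pool-to-inside relationship, which is the correlation between steps 7, 8 and 9 that Martin points out. The `deny ip any any log` on dmz1pub is deliberately last: with the concentrator limited to ESP, udp/500, udp/4500 and tcp/10000, every hit on that line is traffic the VPN3000 or a client tried to push out the public side that the design does not allow, and those are the DMZ-1 deny messages worth watching on the syslog host.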

I should have the part in next week. I will set everything up and let you know the results. Thanks for the help!

Reply to
mcpaytas

When I try to assign DMZ-1 pub a public IP I get the error that you can't assign an IP from the same range as int 0. So I guess this means I need to subnet my class C 140.x.x.x range?

Also, should the DHCP VPN pool be a different RFC 1918 subnet range from the VPN DMZ-2 private IP? (i.e. VPN private int IP = 10.1.100.2 and the DHCP should be 192.168.100.0)?

Should ethernet int3 (public) have a lower security level than ethernet 4 (private)? (i.e. pub = 50 and private = 75)?

Reply to
mcpaytas

Got it up and working. The only issue I have now is that I can't get the clients to logon to the domain, but I can manually map all of the resources in a batch file and it works. Is there any way to get the domain logon and login script to work over a tunnel?

Reply to
mcpaytas
