Can anyone outline some basics of what I need to make this work? I want clients using Cisco VPN software to connect to the network. I am looking for what type of ACLs, routes, what protocols I need to allow, etc. Thanks, I really appreciate the help!
I cannot recommend that setup scenario at all. What you should do is have the VPN3000 on two DMZ interfaces on your PIX instead. This way you can be sure that it is protected, and it will also make your logging a lot easier, as all logs will come from the PIX in regards to your internet access. Also, running public IP space on VPN clients is unheard of. It is important that you have both private and public interfaces on DMZ, as the VPN3000 will pass traffic from VPN clients destined for the internet in and out the same public interface of the VPN3000, and hence you will have no control over your VPN clients' internet usage.
Your ACL must include this for IPsec: protocol 50, udp/500, udp/4500, tcp/10000, icmp unreachables; deny anything else.
I do not know about Cisco "recommended" design, but I would never recommend any design where it's possible to shunt/bypass a firewall. To my knowledge Cisco's recommendation is to have both interfaces on a DMZ. Call it an unofficial recommendation, if you like.
The scenario you give will demand 667% (one percent ahead of the devil) control over VPN client PCs, which is proven by history to be impossible. Are you sure that Cisco didn't mention SSL VPN/WebVPN/Secure Desktop in the same design guide as this setup?
I would agree. That is why I was trying to put both pub and priv in the DMZ. I would like to have the interfaces available on the PIX but that isn't an option. Can I give the priv int a private IP 10.1.100.1 and the public int an IP of 143.x.x.11 and then set up an ACL on the PIX something like:
2 of these are of course "onboard" the PIX 515/525. This gives you two other DMZ interfaces to spare - place them in shutdown mode. For future needs, always have one spare, as you might end up with a failover setup, which then needs a dedicated interface for stateful information sync.
1. assign the DMZ-1 public a public IP subrange, if possible
2. assign the DMZ-2 private an RFC1918 IP subrange
   repeat 1 and 2 for the VPN3000
3. assign an RFC1918 pool of VPN client addresses according to the max number of connected users, e.g. 192.168.100.0 (.1-.254) mask 255.255.255.0 or 192.168.100.0 (.100.1-.101.254) mask 255.255.254.0
4. set up a route statement on the PIX to route 192.168.100.0/24 to the IP given to the private int of the VPN3000
5. set up ACL for outside interface on PIX (allow esp, udp/500, udp/4500 and tcp/10000)
6. set up ACL for DMZ-1 public interface on PIX (This here is important: allow esp, udp/500, udp/4500 and tcp/10000)
7. set up ACL for DMZ-2 private interface on PIX (what the VPN client users are allowed to do, plus management etc. to the VPN public interface)
8. set up NAT exemption for any inside servers needed to "contact" VPN clients (nat (inside) 0 access-list NAME)
9. set up ACL for inside interface on PIX (incl. the NAT exemption access as well, plus whatever traffic from inside to outside)
10. set up a syslog server with log rotation (e.g. Kiwi Syslog for Win32 - cheap and great tool)
ACLs in 7-8-9 should correlate a lot!
The syslog will bring you much joy, and a good overview of traffic flows. Especially watch the deny logs from the DMZ-1 interface! This will tell you a lot about the applications installed on the PCs connecting as VPN clients, such as trojans, Skype, P2P etc.
NB: please keep in mind that the PIX will not do proxy ARP - so don't do any interface route statements on the VPN. Always have any route statement point to an IP.
Good luck - let me know what you think of it when you are done. Regards Martin Bilgrav
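As an added, constructed example (not the poster's own config), here is how the route, the outside/DMZ-1/DMZ-2/inside ACLs, the NAT exemption and the syslog host described in the post above might look in PIX 6.x syntax. The interface names dmz1/dmz2, the PIX interface addresses, the 10.0.0.0/8 inside range and the syslog host 10.1.1.50 are assumptions, and 203.0.113.11 is a documentation address standing in for the public IP the thread elides as 143.x.x.11; lines starting with ! are annotations.

```cisco
! Added example, not from the thread. Interface names, subnets, the 10.0.0.0/8
! inside range and the syslog host are assumptions; 203.0.113.11 is a
! documentation address standing in for the elided 143.x.x.11 public IP.
names
name 203.0.113.11 vpn3000-pub
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
ip address dmz1 203.0.113.1 255.255.255.240
ip address dmz2 10.1.100.254 255.255.255.0
! identity static so the concentrator's public address is reachable from outside
static (dmz1,outside) vpn3000-pub vpn3000-pub netmask 255.255.255.255
! route the client pool to the VPN3000 private interface IP (no interface routes: the PIX does no proxy ARP)
route dmz2 192.168.100.0 255.255.255.0 10.1.100.1 1
! outside interface: only IPsec/NAT-T to the concentrator, plus ICMP unreachables
access-list outside_in permit esp any host vpn3000-pub
access-list outside_in permit udp any host vpn3000-pub eq 500
access-list outside_in permit udp any host vpn3000-pub eq 4500
access-list outside_in permit tcp any host vpn3000-pub eq 10000
access-list outside_in permit icmp any host vpn3000-pub unreachable
access-list outside_in deny ip any any
access-group outside_in in interface outside
! DMZ-1 (public side): the same IPsec set outbound; hairpinned client internet traffic hits the deny and shows up in syslog
access-list dmz1_in permit esp host vpn3000-pub any
access-list dmz1_in permit udp host vpn3000-pub any eq 500
access-list dmz1_in permit udp host vpn3000-pub any eq 4500
access-list dmz1_in permit tcp host vpn3000-pub any eq 10000
access-list dmz1_in deny ip any any
access-group dmz1_in in interface dmz1
! DMZ-2 (private side): what the VPN client pool may reach on the inside
access-list dmz2_in permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz2_in deny ip any any
access-group dmz2_in in interface dmz2
! NAT exemption so inside hosts and VPN clients talk without translation
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! ordinary inside-to-outside traffic is PAT'ed to the outside interface
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
! inside interface: the exempted traffic to the client pool plus assumed web access to the outside
access-list inside_in permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-list inside_in permit tcp 10.0.0.0 255.0.0.0 any eq 443
access-list inside_in deny ip any any
access-group inside_in in interface inside
! ship the deny messages to a syslog host on the inside
logging on
logging trap informational
logging host inside 10.1.1.50
```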
Got it up and working. The only issue I have now is that I can't get the clients to log on to the domain, but I can manually map all of the resources in a batch file and it works. Is there any way to get the domain logon and login script to work over a tunnel?