PIX 6.3.4 - I have questions on a VPN setup & ICMP

Hello,

I have questions on a VPN setup & ICMP

  1. Let me show you this line,

isakmp key ******** address 195.238.208.162 netmask 255.255.255.255 no-xauth no-config-mode

no-xauth no-config-mode: what does it mean? When do I have to use it?

  2. The inside networks being hide-NATed to get to the internet need to be able to ping the whole internet. But, doing it, the external IP of the firewall is pingable as well. In my particular case, how do I restrict the firewall from being pinged while allowing the networks behind it to get the echo requests out and the replies back? I know there is a URL on cisco.com explaining how to handle ICMP, but I do not understand it! And it does not work either!

  3. Let me show you those lines:

crypto map vpn-map 1 ipsec-isakmp
crypto map vpn-map 1 match address r55
crypto map vpn-map 1 set peer 195.238.208.162
crypto map vpn-map 1 set peer 195.238.108.163
crypto map vpn-map 1 set transform-set trans-r55

We've got two peers in there! Could you tell me when we can use that and why? How does the PIX know the first one is dead?

Thank you!

PS: The IPs in there are fake.

/ralph

pix(config)# sh conf
: Saved
: Written by enable_15 at 08:26:03.431 UTC Fri Aug 26 2005
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 external security0
nameif ethernet1 inside security100
enable password ... encrypted
passwd ... encrypted
hostname pix
domain-name brussels.lan
fixup protocol dns maximum-length 512
.....
fixup protocol tftp 69
names
access-list to_wild_outside permit udp any any eq domain
access-list to_wild_outside permit tcp any any eq ssh
access-list to_wild_outside permit tcp any any eq www
access-list to_wild_outside permit tcp any any eq https
access-list to_wild_outside permit tcp any any eq ftp
access-list to_wild_outside permit icmp any any
access-list to_wild_outside permit tcp any host 195.238.90.8 eq 5223
access-list to_wild_outside permit tcp any host 195.238.90.9 eq 706
access-list to_wild_outside remark ------------------------
access-list remote-syslog permit ip interface external host 195.218.198.163
access-list nat0 remark ----------------------------------------------------------
access-list nat0 permit ip 10.140.20.0 255.255.255.0 192.168.19.0 255.255.255.240
access-list nat0 permit ip 10.140.20.0 255.255.255.0 192.168.18.128 255.255.255.224
access-list nat0 permit ip 10.140.20.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nat0 permit ip 10.140.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list nat0 permit ip 10.140.20.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nat0 permit ip 10.140.20.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list nat0 permit ip 192.168.19.0 255.255.255.240 10.140.20.0 255.255.255.0
access-list nat0 permit ip 192.168.18.128 255.255.255.224 10.140.20.0 255.255.255.0
access-list nat0 permit ip 192.168.15.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list nat0 permit ip 192.168.16.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list nat0 permit ip 192.168.17.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list nat0 permit ip 192.168.21.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list nat0 remark ----------------------------------------------------------
access-list r55 remark ----------------------------------------------------------
access-list r55 permit ip 192.168.19.0 255.255.255.240 10.140.20.0 255.255.255.0
access-list r55 permit ip 192.168.18.128 255.255.255.224 10.140.20.0 255.255.255.0
access-list r55 permit ip 192.168.15.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list r55 permit ip 192.168.16.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list r55 permit ip 192.168.17.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list r55 permit ip 192.168.21.0 255.255.255.0 10.140.20.0 255.255.255.0
access-list r55 remark ----------------------------------------------------------
access-list external_if permit icmp any host 212.217.18.76
no pager
logging on
logging timestamp
logging buffered informational
logging trap informational
logging host external 195.218.198.163
icmp permit any echo-reply external
icmp permit host 195.218.198.163 external
icmp permit host 195.238.208.162 external
icmp permit host 195.238.108.163 external
icmp permit any echo-reply inside
mtu external 1500
mtu inside 1500
ip address external 212.217.18.76 255.255.255.252
ip address inside 192.168.19.3 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 195.238.19.8.40 255.255.255.255 external
pdm location 195.238.19.8.41 255.255.255.255 external
pdm location 212.68.250.173 255.255.255.255 external
pdm history enable
arp timeout 14400
global (external) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 access-list to_wild_outside 0 0
access-group external_if in interface external
route external 0.0.0.0 0.0.0.0 57.67.28.125 1
route inside 10.150.79.0 255.255.255.224 192.168.19.1 1
route inside 10.150.103.240 255.255.255.248 192.168.19.1 1
route inside 10.150.140.0 255.255.255.224 192.168.19.1 1
route inside 10.5.64.0 255.255.255.0 192.168.19.1 1
route inside 10.43.233.0 255.255.255.128 192.168.19.1 1
route inside 10.53.39.144 255.255.255.252 192.168.19.1 1
route inside 10.35.115.144 255.255.255.240 192.168.19.1 1
route inside 192.168.15.0 255.255.255.0 192.168.19.1 1
route inside 192.168.16.0 255.255.255.0 192.168.19.1 1
route inside 192.168.17.0 255.255.255.0 192.168.19.1 1
route inside 192.168.18.128 255.255.255.224 192.168.19.1 1
route inside 192.168.21.0 255.255.255.0 192.168.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 195.238.87.3.167 source external
http server enable
http 195.238.19.8.40 255.255.255.255 external
http 195.238.19.8.41 255.255.255.255 external
http 212.68.250.173 255.255.255.255 external
snmp-server host external 195.238.87.3.10 poll
snmp-server host external 195.238.87.3.11 poll
no snmp-server location
no snmp-server contact
snmp-server community .........
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trans-aes-md5 esp-aes esp-md5-hmac
crypto ipsec transform-set trans-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set trans-r55 esp-3des esp-md5-hmac
crypto ipsec transform-set trans-aes-sha esp-aes esp-sha-hmac
crypto map vpn-map 1 ipsec-isakmp
crypto map vpn-map 1 match address r55
crypto map vpn-map 1 set peer 195.238.208.162
crypto map vpn-map 1 set peer 195.238.108.163
crypto map vpn-map 1 set transform-set trans-r55
crypto map vpn-map 2 ipsec-isakmp
crypto map vpn-map 2 match address remote-syslog
crypto map vpn-map 2 set peer 195.218.198.163
crypto map vpn-map 2 set transform-set trans-aes-sha
crypto map vpn-map interface external
isakmp enable external
isakmp key ******** address 195.238.208.162 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 195.238.108.163 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 195.218.198.163 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 36000
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash md5
isakmp policy 4 group 2
isakmp policy 4 lifetime 36000
telnet timeout 5
....
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:...............
pix(config)#
Ralph (c)

In article , Ralph (c) wrote:
:1. Let me show you this line,

:isakmp key ******** address 195.238.208.162 netmask 255.255.255.255 no-xauth no-config-mode

:no-xauth no-config-mode, what does it mean? when do I have to use it?

Both the Xauth and IKE Mode Configuration features are specifically designed for remote VPN clients. The Xauth feature allows the PIX Firewall to challenge the peer for a username and password during IKE negotiation. The IKE Mode Configuration enables the PIX Firewall to download an IP address to the peer for dynamic IP address assignment. Most security gateways do not support the Xauth and IKE Mode Configuration features.

:2. The inside networks being hide-nated to get to the internet need to
:be able to ping the whole internet. But, doing it, the external IP of
:the firewall is pingable as well.

icmp traffic -to- the PIX is controlled by the 'icmp' command, not by access-lists. If you do not configure an 'icmp' command then the default is to permit all icmp.

:3. Let me show you those lines:

:crypto map vpn-map 1 ipsec-isakmp
:crypto map vpn-map 1 match address r55
:crypto map vpn-map 1 set peer 195.238.208.162
:crypto map vpn-map 1 set peer 195.238.108.163
:crypto map vpn-map 1 set transform-set trans-r55

:We've got two peers in there! Could you tell me when we can use it and
:why?

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

:How does PIX know the first is dead?

isakmp keep-alives stop being received, and isakmp probes go unanswered within a reasonable timeout.

Walter Roberson
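The to-the-box ICMP filtering Walter describes, as an added example that is not part of the thread: a small Python model of how PIX 6.3 evaluates the 'icmp' command (rules are checked in order per interface, a packet matching none of an interface's rules is dropped once any rule exists for that interface, and an interface with no rules accepts all ICMP), run over the icmp lines from Ralph's posted configuration. The access-list line is included only to show that it is ignored for traffic addressed to the firewall itself; the probe source addresses are constructed.

```python
import ipaddress

# Named ICMP types the 'icmp' command accepts (numeric types also work).
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

def parse_icmp_rules(config_text):
    """Collect 'icmp permit|deny ...' lines, in order, as
    (action, source network, icmp type or None for all types, interface).
    Every other line (access-lists included) is skipped."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "icmp" or parts[1] not in ("permit", "deny"):
            continue
        action, rest = parts[1], parts[2:]
        if rest[0] == "any":
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1]), rest[2:]
        else:  # "address netmask" form
            net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        interface = rest[-1]
        icmp_type = None  # no type keyword means every ICMP type
        if len(rest) == 2:
            icmp_type = int(rest[0]) if rest[0].isdigit() else ICMP_TYPES[rest[0]]
        rules.append((action, net, icmp_type, interface))
    return rules

def icmp_to_box_permitted(rules, src_ip, icmp_type, interface):
    """Decide whether an ICMP packet from src_ip addressed to the PIX's own
    interface address is accepted. First match wins; implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    if_rules = [r for r in rules if r[3] == interface]
    if not if_rules:  # no 'icmp' command on this interface: default permit
        return True
    for action, net, rtype, _ in if_rules:
        if src in net and (rtype is None or rtype == icmp_type):
            return action == "permit"
    return False  # no match once rules exist: dropped

# Lines taken from the configuration posted in the thread.
PIX_CONFIG = """\
access-list external_if permit icmp any host 212.217.18.76
icmp permit any echo-reply external
icmp permit host 195.218.198.163 external
icmp permit host 195.238.208.162 external
icmp permit host 195.238.108.163 external
icmp permit any echo-reply inside
"""
RULES = parse_icmp_rules(PIX_CONFIG)

if __name__ == "__main__":
    print(icmp_to_box_permitted(RULES, "203.0.113.9", 8, "external"))  # internet echo: False
    print(icmp_to_box_permitted(RULES, "203.0.113.9", 0, "external"))  # echo-reply: True
    print(icmp_to_box_permitted(RULES, "195.238.208.162", 8, "external"))  # VPN peer: True
```

With these rules already in place, an echo request from an arbitrary internet host to the outside address is dropped while echo-replies to that address and any ICMP from the three peers are accepted, which is the behaviour Ralph asked for; the access-list entry has no effect on that decision.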
