allow vpn pass thru on PIX 525 (ASA 7.2)

Unanswered Question

I have PIX firewalls deployed across my network. A sample site is attached in the diagram. Since I am new to the PIX world, with little knowledge, please advise me how to allow my users behind the 10.2.0.0 subnet to connect to their own corporate VPNs. Some of them need to connect to an MS VPN - domain abc (PPTP), and some need to connect to a Cisco PIX VPN - domain xyz (IPsec) remote access VPN. What should my concerns be:

1. IP address allocation from other side?

2. security concerns?

How can I allow requests to multiple, multi-protocol VPNs through my firewall?

Anyone who has done a similar setup, please advise me. I have the authority to make whatever changes are required in the PIX; this box is still in the test phase.

Awaiting your feedback

Regards

MIC

sachinraja Mon, 02/19/2007 - 17:30

Hello MIC,

These are the standard ports used for IPsec/PPTP etc.:

IPsec: please open the following on the PIX:

UDP 4500 & UDP 500 - ISAKMP/NAT-T

AH / ESP IP access

TCP 443 - SSL VPN (if any)

You can also add the sysopt commands for IPsec on your firewall.

PPTP:

TCP/UDP 1723

Are there any ACLs defined on the inside of the firewall? If yes, you need to add the above; otherwise it really doesn't matter. But the best practice anyway is to add an ACL on the inside interface too!

Also, enable split tunneling on the VPN concentrator if possible and tunnel ONLY the traffic that is required to go over the IPsec tunnel. If you tunnel everything (which is ON by default), there is a chance that a rogue packet floods your VPN network. You can allocate a separate IP pool for IPsec VPN users and give the required permissions on the VPN concentrator. This is always preferred over giving the IP pool from the same LAN network on the destination.

Hope this helps. Try this and let us know... rate replies if found useful.

Raj

daviddtran Mon, 02/19/2007 - 20:23

You need to do this on the PIX:

isakmp nat-traversal 10

Allow outbound access on the PIX:

isakmp (udp 500)

NAT-T (udp 4500)

ESP (proto 50)

GRE

PPTP (tcp 1723)

The GRE and PPTP are for Microsoft VPN remote access VPN. You do NOT need AH because you have a NAT device in between. AH will NOT work anyway. It is not needed. Try this in the CCIE Security lab and you will fail.

David

CCIE Security

daviddtran Mon, 02/19/2007 - 20:25

One more thing: if you are running PIX 6.x code, you will need to do this:

fixup protocol pptp 1723

or Microsoft VPN will not get through the PIX.

David
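Putting the two answers above into an actual configuration, as an added example that is not from either poster: an ASA 7.2 (PIX 525) fragment that permits the protocols Raj and David list outbound from 10.2.0.0 and enables the inspections that let PAT carry GRE (PPTP) and ESP. The interface names, the ACL name "inside_access_in", the 255.255.0.0 mask and the PAT setup are assumptions; the permits for whatever other outbound traffic the site already allows must stay in the ACL, and if no ACL is applied to the inside interface, outbound traffic is already permitted and only the inspection part applies. "inspect pptp" is the 7.x form of the 6.x "fixup protocol pptp 1723" and is what lets several PPTP clients behind one PAT address each get their own GRE call; "inspect ipsec-pass-thru" ties ESP to its UDP 500 session so ESP can cross PAT when the remote gateway does not negotiate NAT-T. "isakmp nat-traversal" and the sysopt VPN commands only affect tunnels that terminate on the PIX itself, so they are not required for pass-through.

```cisco
! Added example for ASA 7.2 on a PIX 525 (not from the thread).
! Assumptions: interfaces named "inside" and "outside", inside subnet
! 10.2.0.0/16 PATed to the outside interface address, inside ACL named
! inside_access_in (keep your existing permits in it).

! --- PAT for the inside subnet (assumed already present) ---
global (outside) 1 interface
nat (inside) 1 10.2.0.0 255.255.0.0

! --- Outbound permits on the inside interface ---
! IPsec remote access (Cisco PIX VPN, domain xyz)
access-list inside_access_in extended permit udp 10.2.0.0 255.255.0.0 any eq isakmp
access-list inside_access_in extended permit udp 10.2.0.0 255.255.0.0 any eq 4500
access-list inside_access_in extended permit esp 10.2.0.0 255.255.0.0 any
! PPTP remote access (Microsoft VPN, domain abc)
access-list inside_access_in extended permit tcp 10.2.0.0 255.255.0.0 any eq pptp
access-list inside_access_in extended permit gre 10.2.0.0 255.255.0.0 any
! AH is deliberately absent: it cannot survive the PAT on this box.
! ... your existing permits (DNS, HTTP, etc.) go here ...
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside

! --- Inspection so PAT can track GRE call IDs and ESP SPIs ---
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru
service-policy global_policy global

! --- Verification while a user connects ---
show service-policy inspect pptp
show service-policy inspect ipsec-pass-thru
show xlate
show logging | include 10.2.
```

The two "show service-policy inspect" commands should show non-zero packet counters once a PPTP or IPsec client behind 10.2.0.0 has connected; "show xlate" shows the PAT entries, and the ACL's logged denies show anything the remote VPN needs that is still missing. The PIX 6.x equivalent of the inspection part is the single "fixup protocol pptp 1723" line David gives; the ACL lines are the same minus the "extended" keyword.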

Raj,

Is there any step-by-step config guide I can work from for my firewall? BTW, I do not have any support from the other side's VPN (both MS PPTP and Cisco IPsec), so there is zero chance of modifying the other network.

I am just investigating the chance of modifying commands on my firewall to allow my inside users (10.2.0.0 subnet) to access their corporate VPN. I got a general idea from your e-mail, but I am stuck on the actual config.

Please let me know if you can assist me with a sample config or URL.

MIC
