Use PIX VPN to control access

Answered Question
May 15th, 2007

I have a situation. I want to use a Cisco PIX to create 2 VPN tunnels: one called "admingroup" (subnet 192.168.10.X) for full access and the other called "vendorgroup" (subnet 192.168.11.X) for limited access (only www access to 192.168.1.100). Both admin and vendor will use Cisco VPN clients for XP. But for some reason, both admin and vendor get the same access. I think I may need to remove the "sysopt" command; currently I use admingroup to log in to the PIX remotely.

1. Can I remove "sysopt" command remotely while I vpn into PIX?

2. Why do both admin and vendor have the same access?


Here is the PIX config, in short version:


access-list nat_acl permit ip 192.168.1.0 255.255.255.0 any

access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any

ip address outside pppoe setroute
ip address inside 192.168.7.253 255.255.255.0

ip verify reverse-path interface outside
ip verify reverse-path interface inside

ip local pool adminpool 192.168.10.1-192.168.10.7
ip local pool vendorpool 192.168.11.1-192.168.11.7

global (outside) 1 60.1.1.10
nat (inside) 0 access-list 101
nat (inside) 1 access-list nat_acl 0 0

access-group out_acl in interface outside

route inside 192.168.1.0 255.255.255.0 192.168.7.254 1

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup admingroup address-pool adminpool
vpngroup admingroup dns-server 192.168.1.3
vpngroup admingroup default-domain test.com
vpngroup admingroup split-tunnel 101
vpngroup admingroup idle-time 1800
vpngroup admingroup password ********

vpngroup vendorgroup address-pool vendorpool
vpngroup vendorgroup dns-server 192.168.1.3
vpngroup vendorgroup default-domain test.com
vpngroup vendorgroup split-tunnel 101
vpngroup vendorgroup idle-time 1800
vpngroup vendorgroup password ********

vpdn group pppoex request dialout pppoe

acomiskey Tue, 05/15/2007 - 11:55

1. I wouldn't unless you first add the appropriate ports in your outside acl to allow you to establish the vpn after you remove the sysopt.

2. They have the same access because there is nothing to prevent either from going anywhere. The sysopt conn permit-ipsec statement is in place and they both have the same split tunnel acl. I would simply create a new split tunnel acl for vendorgroup which is limited to the specific server. If you want to restrict to only www on that server then you will need to remove sysopt and write the access in the acl.

These commands are doing nothing right now because sysopt conn permit-ipsec allows ipsec traffic to bypass interface acls.

access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside

This should do it...

access-list out_acl extended permit udp any interface outside eq isakmp
access-list out_acl extended permit udp any interface outside eq 4500
access-list out_acl extended permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside

no sysopt connection permit-ipsec

access-list 102 permit ip host 192.168.1.100 192.168.11.0 255.255.255.0

vpngroup vendorgroup split-tunnel 102

You could also get rid of these two lines...

access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

Then you would need as well...

nat (inside) 0 access-list 102

I think that's all :-), please rate if it helps.

donlin123 Tue, 05/15/2007 - 12:33

Do I keep the following commands?

nat (inside) 0 access-list 101

access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

I'll try your commands tonight and let you know the result. Thanks.




acomiskey Tue, 05/15/2007 - 12:41

Yes, you need to keep 101 as that is your nat exemption and split tunnel acl for your admin group. So acl 101 will be nat exemption/split tunnel for admingroup and acl 102 will be nat exemption/split tunnel for vendors.


Let me know how it goes. Good luck.


acomiskey Tue, 05/15/2007 - 13:21

Slipped into ASA mode there for a sec; it should be:

access-list out_acl permit udp any interface outside eq isakmp
access-list out_acl permit udp any interface outside eq 4500
access-list out_acl permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside
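To make the effect of `sysopt connection permit-ipsec` concrete, here is a small added model (example code, not from the thread or from Cisco) of how a PIX 6.x interface ACL is evaluated first-match with an implicit deny. It parses the corrected out_acl posted above and runs constructed sample flows for an admingroup client and a vendorgroup client through it twice: once with the sysopt bypass in place, once without. The `interface outside` matcher is an assumption here (the thread's outside address is PPPoE-assigned), and the model deliberately ignores NAT exemption and split-tunnel ACLs, which only decide what reaches the firewall in the first place.

```python
"""Added example (not from the thread): a small model of PIX 6.x interface-ACL
evaluation, used to show why admingroup and vendorgroup had identical access
while `sysopt connection permit-ipsec` was in place, and what the corrected
out_acl permits once it is removed.
"""
import ipaddress

# The corrected out_acl exactly as posted in the thread (PIX 6.x syntax).
OUT_ACL = """
access-list out_acl permit udp any interface outside eq isakmp
access-list out_acl permit udp any interface outside eq 4500
access-list out_acl permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
"""

PORT_NAMES = {"www": 80, "isakmp": 500}


def parse_endpoint(tokens):
    """Consume one address spec; return (matcher, remaining tokens).

    matcher is None for 'any', the string 'interface' for the firewall's own
    interface address (an assumed simplification), or an ip_network otherwise.
    """
    tok = tokens[0]
    if tok == "any":
        return None, tokens[1:]
    if tok == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tok == "interface":
        return "interface", tokens[2:]          # e.g. 'interface outside'
    # subnet followed by a dotted netmask, e.g. 192.168.11.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        rest = tokens[2:]
        if rest[0] == "extended":           # ASA / PIX 7 keyword, tolerated here
            rest = rest[1:]
        action, proto = rest[0], rest[1]
        src, rest = parse_endpoint(rest[2:])
        dst, rest = parse_endpoint(rest)
        dport = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append({"name": tokens[1], "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules


def _addr_match(spec, addr, is_firewall):
    if spec is None:
        return True
    if spec == "interface":
        return is_firewall
    return ipaddress.ip_address(addr) in spec


def acl_permits(rules, proto, src, dst, dport=None, dst_is_firewall=False):
    """First-match evaluation with the PIX's implicit deny at the end."""
    for r in rules:
        if r["proto"] not in ("ip", proto):       # 'permit ip' covers every protocol
            continue
        if not _addr_match(r["src"], src, False):
            continue
        if not _addr_match(r["dst"], dst, dst_is_firewall):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"] == "permit"
    return False


def vpn_flow_allowed(rules, proto, src, dst, dport=None, sysopt_permit_ipsec=True):
    """Decrypted IPsec traffic skips the interface ACL entirely while sysopt is on."""
    if sysopt_permit_ipsec:
        return True
    return acl_permits(rules, proto, src, dst, dport)


# Constructed sample flows: (group, description) -> (proto, src, dst, dport)
SAMPLE_FLOWS = {
    ("vendor", "www to 192.168.1.100"): ("tcp", "192.168.11.3", "192.168.1.100", 80),
    ("vendor", "ssh to 192.168.1.100"): ("tcp", "192.168.11.3", "192.168.1.100", 22),
    ("vendor", "smb to 192.168.7.10"):  ("tcp", "192.168.11.3", "192.168.7.10", 445),
    ("admin",  "ssh to 192.168.1.100"): ("tcp", "192.168.10.2", "192.168.1.100", 22),
    ("admin",  "smb to 192.168.7.10"):  ("tcp", "192.168.10.2", "192.168.7.10", 445),
}


def compare_access(rules, flows=SAMPLE_FLOWS):
    """Return {(group, desc): (allowed with sysopt, allowed without sysopt)}."""
    return {key: (vpn_flow_allowed(rules, *flow, sysopt_permit_ipsec=True),
                  vpn_flow_allowed(rules, *flow, sysopt_permit_ipsec=False))
            for key, flow in flows.items()}


if __name__ == "__main__":
    acl = parse_acl(OUT_ACL)
    for (group, desc), (before, after) in compare_access(acl).items():
        print(f"{group:6} {desc:22} sysopt on: {before!s:5} sysopt off: {after}")
```

With the bypass on, every flow comes back permitted regardless of group, which is the symptom in the question; with it off, only the vendor's www connection to 192.168.1.100 and the admin flows survive, while the three explicit ISAKMP/NAT-T/ESP entries keep the tunnels themselves reachable. One thing worth checking in the final config: vendorgroup still has dns-server 192.168.1.3 pushed, a host that neither ACL 102 nor out_acl covers, so vendor-side name resolution through the tunnel will not work as posted.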


Correct Answer
acomiskey Wed, 05/16/2007 - 15:15

Any luck?

donlin123 Fri, 05/18/2007 - 12:04

You are correct. PIX 6.35 doesn't support extended access-list commands.

Also, I can't do both of these commands at the same time.

nat (inside) 0 access-list 101
nat (inside) 0 access-list 102

So I use access-list 101 for both.

access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.1.100 192.168.11.0 255.255.255.0



acomiskey Fri, 05/18/2007 - 12:08

Correct, no problem there, my mistake. So is it fixed? I guess so, good deal. Enjoy.
