From dmz connected another PIX and iam trying to estabalish VPN

mkkeyan
Level 1

Hi,

Internet is terminated in a router -> ASA; inside and outside interfaces are configured and it is working well. My objective here is, from the ASA DMZ interface, to add another PIX firewall, and from this PIX I need to establish a VPN. Is it possible? Please help, this is the client requirement: they don't want to share the ASA.

11 Replies

Farrukh Haroon
VIP Alumni

Yes, AFAIK this is possible. You just need to punch holes in the router and ASA outside interfaces.

Regards

Farrukh

Thanks Farrukh,

For the DMZ I assigned an IP address from the same subnet (but a different IP) as the one I assigned for outside; the ASA clearly indicated a conflict with the outside interface. Then I decided to assign a LAN IP for the DMZ and mapped it to an Internet IP; in the DMZ I just connected my PIX 506E firewall. For the mapped IP I just opened the TCP, UDP, ESP and IPsec ports.

Here the router has nothing to do with my scenario, because my router has only a static route to the ISP and the DNS server name.

Please help, I think you can take me to the next stage.

thanks

karthik

Yes karthik, you cannot have two interfaces of the firewall in the same subnet. The approach you followed is correct. What kind of VPN are you going to terminate on the PIX? If it's IPsec you only need to enable UDP 500 and IP protocol 50 (ESP). If it's a LAN-2-LAN VPN you can even be specific about the source IP address. You don't need to permit generic TCP/UDP ports, as those will be encapsulated inside ESP or UDP (if NAT-T etc. are used).

Regards

Farrukh

Thanks, now I am confident.

Site-to-site IPsec VPN from the DMZ PIX (506E).

Here is my static NAT:

static (dmz1,outside) xx.xx.99.220 10.12.20.1 netmask 255.255.255.255

DMZ IP: 10.12.20.1

Access-list:

access-list from-outside extended permit ip any host xx.xx.99.220

Or shall I use nat-control?

Is this OK or does it need to be modified?

Then in the PIX 506E which is in the DMZ, what IP address should I assign to the outside interface of the PIX 506E? Please advise.

thanks

Karthik

This will be assigned on the PIX's outside:

10.12.20.1

The ACL can be made more specific if you wish:

access-list from-outside extended permit esp any host xx.xx.99.220

access-list from-outside extended permit udp any host xx.xx.99.220 eq isakmp

If users are behind NAT, enable NAT traversal and add the following line also:

access-list from-outside extended permit udp any host xx.xx.99.220 eq 4500

Regards

Farrukh

After enabling NAT-T or the ACL with 4500 you can skip the ESP ACL as well.

I like your scenario :) I'll configure it with my own equipment.

Regards,

In the ASA:

interface Ethernet3

nameif dmz1

security-level 0

no ip address

access-list from-outside extended permit ip any host **.**.99.220

static (dmz1,outside) ***.**.99.220 10.12.20.1 netmask 255.255.255.255

access-group from-outside in interface outside

In the PIX 506E:

For the outside interface, the IP 10.12.20.1 255.255.255.0 has been assigned.

security-level 0

inside 10.24.10.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.12.20.1

From the PIX 506E I am unable to reach global Internet IPs, please advise.

thanks

karthik

Assign the DMZ a higher security-level (50 or something).

Regards

Farrukh

I have changed the security-level to 60; even so, I am unable to reach the Internet.

thanks

karthik

Shouldn't your default route point to the next hop instead of the interface IP address itself?

On the DMZ you need to put an IP address, 10.12.20.2 or something.

Also the default gateway should be something like this:

route outside 0.0.0.0 0.0.0.0 ***.**.99.ABC

Where ***.**.99.ABC is your ISP router.

Also you need to check the PIX settings.

Regards

Farrukh
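Pulling the thread's pieces together, the following is an added worked example of the corrected ASA and PIX 506E configuration; it is not a configuration posted by anyone in this thread. It assumes: ASA 7.x/8.2-era syntax (static/nat-control), PIX 6.3 syntax on the 506E, the ASA DMZ interface given the address 10.12.20.2/24 that Farrukh suggested, the public mapped address kept as the thread's placeholder xx.xx.99.220 with an assumed ISP router xx.xx.99.1, and a remote VPN peer 203.0.113.10 with remote LAN 192.168.50.0/24 (RFC 5737 documentation addresses, chosen as placeholders). The pre-shared key and crypto parameters are placeholders too.

```cisco
! ===== ASA =====
! The DMZ interface needs its own address (the thread's "no ip address"
! and the PIX default route pointing at the PIX's own IP were the faults).
interface Ethernet3
 nameif dmz1
 security-level 50
 ip address 10.12.20.2 255.255.255.0
!
! One-to-one static so the PIX's outside (10.12.20.1) appears as xx.xx.99.220.
static (dmz1,outside) xx.xx.99.220 10.12.20.1 netmask 255.255.255.255
!
! Inbound ACL on outside: only what IPsec needs, restricted to the known peer.
! ESP (IP protocol 50) is only required when NAT-T is NOT in use; with NAT-T
! the ESP payload rides inside UDP/4500, as noted in the thread.
access-list from-outside extended permit udp host 203.0.113.10 host xx.xx.99.220 eq isakmp
access-list from-outside extended permit udp host 203.0.113.10 host xx.xx.99.220 eq 4500
access-list from-outside extended permit esp host 203.0.113.10 host xx.xx.99.220
access-group from-outside in interface outside
!
! ASA's own default route goes to the ISP router (placeholder address).
route outside 0.0.0.0 0.0.0.0 xx.xx.99.1 1

! ===== PIX 506E (PIX 6.3 syntax) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.12.20.1 255.255.255.0
ip address inside 10.24.10.1 255.255.255.0
!
! Next hop is the ASA's DMZ address, not the PIX's own interface address.
route outside 0.0.0.0 0.0.0.0 10.12.20.2 1
!
! Internet access for the inside LAN via PAT on the PIX outside address;
! the ASA static then maps 10.12.20.1 to the public xx.xx.99.220.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Exempt tunnel traffic from NAT so real source addresses cross the VPN.
access-list nonat permit ip 10.24.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Site-to-site IPsec. The PIX sits behind the ASA static, so NAT-T is required
! and the remote peer must point at xx.xx.99.220, not 10.12.20.1.
sysopt connection permit-ipsec
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.10 netmask 255.255.255.255
crypto ipsec transform-set TS esp-aes esp-sha-hmac
access-list l2l permit ip 10.24.10.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address l2l
crypto map VPN 10 set peer 203.0.113.10
crypto map VPN 10 set transform-set TS
crypto map VPN interface outside
```

Two checks worth doing once this is in place: on the ASA, `show xlate` should show the 10.12.20.1 to xx.xx.99.220 translation after the PIX sends its first packet, and `show access-list from-outside` hit counts on the isakmp/4500 lines should climb while the tunnel is negotiating; on the PIX, `show isakmp sa` should reach QM_IDLE. Keeping the ACL peer-specific rather than `permit ip any host xx.xx.99.220` means the only thing reachable from the Internet through the static is IKE/IPsec from the expected peer.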
