Can client vpn from an unprotected pix interface to a protected interface

Answered Question
Jan 21st, 2009

I have a multi-interfaced PIX; the interface descriptions are as follows:


Outside -> 10MB to ISP

Inside -> main vlan

dmz -> webservers, etc..

lab1 -> test application servers

lab2 -> test application servers

etc...

guest wireless -> open wireless access (connected to Cisco WAP)


The open wireless has only access to the internet, not any of the trusted networks. This is an untrusted interface (security lvl 1). The outside interface is security lvl 0.


I want to be able to allow VPN access from the wireless into the trusted networks, treated just like VPN from the outside (internet).


I guess that the PIX sees a VPN connection attempt from one of its interfaces to another one.


The client times out connecting from the wireless to the PIX outside interface IP.


The PIX merely logs this:

Jan 20 2009 13:38:23: %PIX-7-710005: UDP request discarded from 192.168.20.5/1346 to GuestWireless:yy.yy.yy.yy/500


yy.yy.yy.yy = outside interface IP

The PIX is also the DHCP server for the wireless network connections.


Can this even be done? If so, what am I missing?


Thanks,


Dave



AFAIK - you cannot connect from a lower security interface connected to the PIX to the outside interface to terminate a VPN connection.


You are better off enabling ISAKMP on the guest wireless interface, then terminating the VPN over the wireless to the PIX, so the encrypted traffic will decrypt on that interface. Then just write an ACL to allow that traffic to the inside without NAT - in theory it should work!


HTH.

dgeorgeadis Thu, 01/22/2009 - 05:10

Thanks for the response. I'm confused by your answer a little.


The wireless leg of the PIX is security level 1 and the outside interface is security level 0. Would that not mean that the VPN is being initiated from a higher security interface to a lower one?


Also, can you explain a bit further what you mean by "enabling ISAKMP on the wireless"? Sorry, I'm not really a PIX expert :)


Is that the same as this -> crypto map mymap interface GuestWireless




Thanks,


Dave

Correct Answer

To answer:-


The wireless leg of the PIX is security level 1 and the outside interface is security level 0. Would that not mean that the VPN is being initiated from a higher security interface to a lower one? Yes, but the traffic is in the clear - it is a request to terminate a VPN connection from an interface locally attached to the PIX, effectively on the inside of the device. Pretty sure the PIX will refuse the connection it receives on the outside interface from the guest wireless interface.


No, it's not the same; it's something like:-


crypto isakmp enable GuestWireless - this tells the PIX to listen and accept ISAKMP/VPN connections made TO the GuestWireless interface from ANY device connected to that interface.


HTH.



dgeorgeadis Thu, 01/22/2009 - 11:10

OK - thanks. I managed to solve the issue.


I had to point the client to the PIX interface IP on the wireless subnet.


I then had to add "authentication-server-group (guestwireless) RADIUS" to the tunnel group attributes.


Thanks for the help!
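As an added example (not configuration posted in the thread), a PIX 7.x fragment that puts together the advice above and Dave's fix: ISAKMP enabled on the GuestWireless interface, a dynamic crypto map bound to that interface, NAT exemption for the VPN pool, and a per-interface authentication-server-group. The interface number, inside network, pool, group names and RADIUS server are assumptions; only the interface name GuestWireless, the 192.168.20.x guest subnet and the authentication-server-group line come from the thread.

```text
! Constructed PIX 7.x example, not taken from the thread. Everything except the
! interface name GuestWireless, the 192.168.20.x guest subnet and the
! authentication-server-group line is an assumption (inside net 10.0.0.0/24 etc.).
interface Ethernet5
 nameif GuestWireless
 security-level 1
 ip address 192.168.20.1 255.255.255.0
!
! RADIUS group used for user authentication (server address is a placeholder)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10
 key <radius-shared-secret>
!
! Listen for ISAKMP on the guest interface; clients must target this interface's IP
crypto isakmp enable GuestWireless
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
!
ip local pool VPNPOOL 10.10.10.1-10.10.10.50
!
! NAT exemption: decrypted client traffic reaches inside hosts untranslated
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Decrypted VPN traffic bypasses the interface ACL check (the 7.x default)
sysopt connection permit-vpn
!
crypto ipsec transform-set RA-SET esp-3des esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set RA-SET
crypto map GUESTMAP 10 ipsec-isakmp dynamic DYN
crypto map GUESTMAP interface GuestWireless
!
tunnel-group GUESTVPN type ipsec-ra
tunnel-group GUESTVPN general-attributes
 address-pool VPNPOOL
! AAA lookup for sessions arriving on GuestWireless (the line Dave had to add)
 authentication-server-group (GuestWireless) RADIUS
tunnel-group GUESTVPN ipsec-attributes
 pre-shared-key <group-psk>
```

The client is then pointed at the GuestWireless interface address (192.168.20.1 here) instead of the outside IP, which is the change that cleared the UDP/500 discards and the timeout described in the thread.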
