02-19-2007 12:09 PM - edited 03-11-2019 02:35 AM
I do have PIX firewalls deployed across my network. A sample site is attached in the diagram. Since I am new to the PIX world, with little knowledge, please advise me how to allow my users behind the 10.2.0.0 subnet to connect to their own corporate VPNs. Some of them need to connect to an MS VPN - domain abc (PPTP), and some need to connect to a Cisco PIX VPN - domain xyz (IPsec) remote access VPN. What should my concerns be:
1. IP address allocation from the other side?
2. Security concerns?
How can I allow requests to multiple, multi-protocol VPNs through my firewall?
Anyone who has done a similar setup, please advise me. I do have the authority to make whatever changes are required in the PIX; this box is still in the test phase.
Awaiting your feedback
Regards
MIC
02-19-2007 05:30 PM
Hello MIC,
These are the standard ports used for IPsec/PPTP etc.:
IPsec: please open the following on the PIX:
UDP 4500 & UDP 500 - ISAKMP/NAT-T
AH / ESP IP access
TCP 443 - SSL VPN (if any)
You can also add the sysopt commands for IPsec on your firewall.
PPTP:
TCP/UDP 1723
Are there any ACLs defined on the inside of the firewall? If yes, you need to add the above; if not, it really doesn't matter. But the best practice anyway is to add an ACL on the inside interface too!!
Also, enable split tunneling on the VPN concentrator if possible and tunnel ONLY the traffic that is required to go over the IPsec tunnel. If you tunnel everything (which is ON by default), there is a chance of rogue packets flooding onto your VPN network. You can allocate a separate IP pool for IPsec VPN users and give the required permissions on the VPN concentrator. This is always preferred over giving the IP pool from the same LAN network on the destination.
Hope this helps. Try this and let us know. Rate replies if found useful.
Raj
02-19-2007 08:23 PM
You need to do this on the PIX:
isakmp nat-traversal 10
Allow outbound access on the PIX:
isakmp (udp 500)
NAT-T (udp 4500)
ESP (proto 50)
GRE
PPTP (tcp 1723)
The GRE and PPTP are for the Microsoft VPN remote access VPN. You do NOT need AH because you have a NAT device in between. AH will NOT work anyway. It is not needed. Try this in the CCIE Security lab and you will fail.
David
CCIE Security
02-19-2007 08:25 PM
One more thing, if you are running PIX 6.x code, you will need to do this:
fixup protocol pptp 1723
or Microsoft VPN will not go through the PIX.
David
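The two replies above (Raj's port list and David's outbound-access list plus the 6.x fixup) can be combined into one inside-interface ACL. The following is an added example for this thread, not a config from any of the posters; it assumes PIX 6.x syntax, a /16 mask for the 10.2.0.0 subnet, and the ACL name inside_out, none of which the thread states.

```cisco
! Added example, not from the thread. PIX 6.x inside-interface ACL that lets
! hosts on 10.2.0.0/16 reach remote PPTP and IPsec VPN servers.
! Assumed: mask 255.255.0.0 and ACL name inside_out.
!
! IPsec remote-access client (e.g. to the xyz PIX): IKE, NAT-T and ESP.
! NAT-T (UDP 4500) matters because raw ESP has no ports, so PAT cannot
! multiplex more than one client; AH is left out, it breaks across NAT.
access-list inside_out permit udp 10.2.0.0 255.255.0.0 any eq isakmp
access-list inside_out permit udp 10.2.0.0 255.255.0.0 any eq 4500
access-list inside_out permit esp 10.2.0.0 255.255.0.0 any
! Microsoft PPTP client (to the abc domain): TCP control channel plus GRE data
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 any eq pptp
access-list inside_out permit gre 10.2.0.0 255.255.0.0 any
! An ACL ends with an implicit deny, so everything the LAN is already
! allowed to do must stay listed; e.g. web browsing and DNS:
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 any eq www
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 any eq https
access-list inside_out permit udp 10.2.0.0 255.255.0.0 any eq domain
! Apply the list inbound on the inside interface
access-group inside_out in interface inside
! PIX 6.x only: inspect the PPTP control channel so the matching GRE
! stream is opened through PAT (David's fixup above)
fixup protocol pptp 1723
```

Replacing `any` in the VPN lines with the known addresses of the abc and xyz VPN gateways keeps the permitted tunnel protocols from reaching arbitrary hosts, and `show access-list inside_out` shows per-line hit counts, which is the quickest way to confirm which line a failing client is (or is not) matching.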
02-20-2007 03:55 AM
Raj,
Is there any step-by-step config guide I can work from on my firewall? BTW, I do not have any support from the other-side VPNs (both MS PPTP and Cisco IPsec), so there is zero chance of modifying the other networks.
I am just investigating the chance of modifying commands on my firewall to allow my inside users (10.2.0.0 subnet) to access their corporate VPNs. I got a general idea from your e-mail, but I am stuck on the actual config.
Please let me know if you can assist me with a sample config or URL.
MIC