10-25-2003 01:38 AM - edited 02-21-2020 12:50 PM
We currently have a PIX 501 at a client site. Everything is working great for the internal services that are required by remote users (smtp, www, etc.).
We have configured the VPN to use a local user db for authentication with the MS VPN client. We require the ability of the VPN users to access the internet via the VPN to the office network.
What is the best way to allow this to work correctly and, most importantly, securely?
Also, in a situation with an MS AD network on the internal interface, is it best to use RADIUS on IAS to authenticate against the AD accounts to minimize management tasks? Would it also be best to let the DHCP server on the Win2k server issue IPs to the VPN clients?
I apologize for multiple questions in the same thread.
10-25-2003 05:33 PM
Hi,
You can configure a router as a PAT device and provide internet access to your VPN users from the office network over the tunnel.
You can't assign IPs from a DHCP server to VPN clients from a PIX FW (though it is possible with a VPN3K). RADIUS authentication would work fine from the PIX for user authentication purposes.
thanks,
Afaq
10-26-2003 01:55 AM
Here is their configuration
Internet side
1601 Router
Pix external interface
Should I set the PAT device as the internal interface on the PIX, since all traffic passes via the PIX to go to the internet?
-----------
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name inside.xx.xx.5 mail
name inside.xx.xx.0 NetworkInternal
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any source-quench
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-list inbound permit tcp any eq smtp host outside.xx.xx.38 eq smtp
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit tcp host mail eq smtp any
access-list acl_inside permit ip any any
access-list 101 permit tcp any host outside.xx.xx.38 eq www
access-list 101 permit tcp any host outside.xx.xx.38 eq smtp
access-list 101 permit tcp any host outside.xx.xx.38 eq pop3
access-list 101 permit tcp any host outside.xx.xx.38 eq imap4
access-list 101 permit tcp any host outside.xx.xx.38 eq 3389
access-list 101 permit tcp any any
access-list inside_outbound_nat0_acl permit ip NetworkInternal 255.255.255.0 inside.xx.xx.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any inside.xx.xx.192 255.255.255.224
access-list pptp permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any echo outside
icmp permit any source-quench outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any echo-reply inside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside outside.xx.xx.38 255.255.255.252
ip address inside inside.xx.xx.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool inside.xx.xx.201-inside.xx.xx.220
pdm location mail 255.255.255.255 inside
pdm location outside.xx.xx.0 255.255.255.240 outside
pdm location NetworkInternal 255.255.255.0 inside
pdm location outside.xx.xx.10 255.255.255.255 outside
pdm location inside.xx.xx.103 255.255.255.255 inside
pdm location inside.xx.xx.103 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www mail www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 mail pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface hostname mail hostname netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 mail 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp mail ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 outside.xx.xx.38 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server LOCAL protocol local
http server enable
http outside.xx.xx.36 255.255.255.252 outside
http outside.xx.xx.0 255.255.255.240 outside
http NetworkInternal 255.255.255.0 inside
tftp-server outside outside.xx.xx.11 2
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map inside_map interface inside
crypto map outside_map interface outside
isakmp enable outside
telnet timeout 5
ssh outside.xx.xx.0 255.255.255.192 outside
ssh outside.xx.xx.38 255.255.255.255 inside
ssh inside.xx.xx.1 255.255.255.255 inside
ssh timeout 30
vpdn group vpn accept dialin pptp
vpdn group vpn ppp authentication pap
vpdn group vpn ppp authentication chap
vpdn group vpn ppp authentication mschap
vpdn group vpn client configuration address local vpn-pool
vpdn group vpn client configuration dns mail
vpdn group vpn client accounting RADIUS
vpdn group vpn pptp echo 60
vpdn group vpn client authentication local
vpdn username 1 password ********
vpdn username 2 password ********
vpdn username 3 password ********
vpdn username 4 password ********
vpdn username 5 password ********
vpdn username 6 password ********
vpdn enable outside
terminal width 80
---------------
Thanks
david
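A small config check added here as an example (not from the thread or from Cisco): it reads a handful of lines copied from the PIX 6.2(1) configuration posted above, treated as a constructed sample with the anonymised address placeholders kept as posted, and flags two settings worth looking at before exposing the box to VPN users. It generalises slightly beyond the posted config, in that it reports a catch-all `permit ip|tcp|udp any any` in any ACL bound inbound on the outside interface, not just in `access-list 101`.

```python
import re

# Constructed sample input: a subset of the lines from the PIX 6.2(1) configuration
# posted in this thread, with the anonymised "outside.xx.xx.38" placeholder kept as posted.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host outside.xx.xx.38 eq www
access-list 101 permit tcp any host outside.xx.xx.38 eq smtp
access-list 101 permit tcp any host outside.xx.xx.38 eq 3389
access-list 101 permit tcp any any
access-list acl_inside deny tcp any any eq 445
access-list acl_inside permit ip any any
access-group 101 in interface outside
access-group acl_inside in interface inside
vpdn group vpn accept dialin pptp
vpdn group vpn ppp authentication pap
vpdn group vpn ppp authentication chap
vpdn group vpn ppp authentication mschap
vpdn group vpn client authentication local
"""

ACL_RE = re.compile(r"access-list (\S+) (.*)")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
PPP_AUTH_RE = re.compile(r"vpdn group \S+ ppp authentication (\S+)")
CATCH_ALL_RE = re.compile(r"permit (ip|tcp|udp) any any$")


def parse_config(text):
    """Collect the three things the audit needs from a PIX 6.x running-config."""
    acls = {}        # ACL name -> list of entries, in the order they were written
    groups = {}      # ACL name -> (direction, interface) from access-group
    ppp_auth = []    # PPP authentication methods offered to PPTP clients
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = PPP_AUTH_RE.match(line)
        if m:
            ppp_auth.append(m.group(1))
    return acls, groups, ppp_auth


def audit(text):
    """Return a list of human-readable findings for the two weak settings checked here."""
    acls, groups, ppp_auth = parse_config(text)
    findings = []

    # Check 1: an ACL bound inbound on the outside interface that contains a blanket
    # "permit <proto> any any". Every entry before it is redundant, and every port of
    # that protocol on every address behind the PIX becomes reachable from the Internet.
    for name, (direction, iface) in groups.items():
        if (direction, iface) != ("in", "outside"):
            continue
        for index, entry in enumerate(acls.get(name, []), start=1):
            if CATCH_ALL_RE.match(entry):
                proto = entry.split()[1]
                findings.append(
                    f"ACL {name} entry {index} ('{entry}') is applied inbound on "
                    f"{iface} and permits all {proto} from any source; the "
                    f"{index - 1} host-specific entries before it are redundant."
                )

    # Check 2: PAP offered to PPTP clients sends the user's password in clear text
    # and cannot key MPPE encryption; the remaining methods are challenge/response.
    if "pap" in ppp_auth:
        findings.append(
            "vpdn group offers PAP for PPP authentication; remove "
            "'vpdn group vpn ppp authentication pap' so only CHAP/MS-CHAP remain."
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the `access-list 101 permit tcp any any` entry, which makes the www/smtp/pop3/imap4/3389 entries above it moot, and the PAP line in the vpdn group. Paste a full `show running-config` into `SAMPLE_CONFIG` (or read it from a file) to check a live box.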
10-26-2003 02:11 PM
Based on the following link, our config won't work for this.
Have to implement IPSec instead.