Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

501 VPN and config question

We currently have a PIX 501 at a client site. Everything is working great for the internal services that are required by remote users (smtp, www, etc..)

We have configured the VPN to use a local user db for authentication with the MS VPN client. We require the ability of the VPN users to access the internet via the VPN to the office network.

What is the best way to allow this to work correctly and most importantly securely.

Also, is it best in a situation with an MS AD network on the internal interface to use RADIUS on IAS to authenticate against the AD accounts to minimize management tasks? Would it also be best to let the DHCP server on the Win2k server issue IP's to the VPN clients?

I apologize for multiple questions in the same thread.

  • Other Security Subjects
3 REPLIES
Bronze

Re: 501 VPN and config question

Hi,

you can configure a router as a PAT device and provide internet access to your vpn users from office network over the tunnel.

You can't assing IPs from DHCP server to vpn clients from a PIX FW (though possible with VPN3K), RADIUS authentication would work fine from PIX for user authentication purposes.

thanks,

Afaq

New Member

Re: 501 VPN and config question

Here is their configuration

Internet side

1601 Router

Pix external interface

Should I set the PAT device as the Internal interface on the PIX since all traffic passes via the PIX to go to the internet?

-----------

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

name inside.xx.xx.5 mail

name inside.xx.xx.0 NetworkInternal

access-list inbound permit icmp any any echo-reply

access-list inbound permit icmp any any source-quench

access-list inbound permit icmp any any unreachable

access-list inbound permit icmp any any time-exceeded

access-list inbound permit tcp any eq smtp host outside.xx.xx.38 eq smtp

access-list acl_inside deny udp any any eq tftp

access-list acl_inside deny tcp any any eq 135

access-list acl_inside deny udp any any eq 135

access-list acl_inside deny tcp any any eq 137

access-list acl_inside deny udp any any eq netbios-ns

access-list acl_inside deny tcp any any eq 138

access-list acl_inside deny udp any any eq netbios-dgm

access-list acl_inside deny tcp any any eq netbios-ssn

access-list acl_inside deny udp any any eq 139

access-list acl_inside deny tcp any any eq 445

access-list acl_inside deny tcp any any eq 593

access-list acl_inside deny tcp any any eq 4444

access-list acl_inside permit tcp host mail eq smtp any

access-list acl_inside permit ip any any

access-list 101 permit tcp any host outside.xx.xx.38 eq www

access-list 101 permit tcp any host outside.xx.xx.38 eq smtp

access-list 101 permit tcp any host outside.xx.xx.38 eq pop3

access-list 101 permit tcp any host outside.xx.xx.38 eq imap4

access-list 101 permit tcp any host outside.xx.xx.38 eq 3389

access-list 101 permit tcp any any

access-list inside_outbound_nat0_acl permit ip NetworkInternal 255.255.255.0 inside.xx.xx.192 255.255.255.224

access-list inside_outbound_nat0_acl permit ip any inside.xx.xx.192 255.255.255.224

access-list pptp permit ip any any

pager lines 24

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any echo outside

icmp permit any source-quench outside

icmp permit any unreachable outside

icmp permit any time-exceeded outside

icmp permit any echo-reply inside

icmp permit any echo inside

mtu outside 1500

mtu inside 1500

ip address outside outside.xx.xx.38 255.255.255.252

ip address inside inside.xx.xx.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn-pool inside.xx.xx.201-inside.xx.xx.220

pdm location mail 255.255.255.255 inside

pdm location outside.xx.xx.0 255.255.255.240 outside

pdm location NetworkInternal 255.255.255.0 inside

pdm location outside.xx.xx.10 255.255.255.255 outside

pdm location inside.xx.xx.103 255.255.255.255 inside

pdm location inside.xx.xx.103 255.255.255.255 outside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp mail smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www mail www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 mail pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface hostname mail hostname netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 mail 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp mail ftp netmask 255.255.255.255 0 0

access-group 101 in interface outside

access-group acl_inside in interface inside

route outside 0.0.0.0 0.0.0.0 outside.xx.xx.38 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server radius-authport 1812

aaa-server radius-acctport 1813

aaa-server TACACS+ protocol tacacs+

aaa-server LOCAL protocol local

http server enable

http outside.xx.xx.36 255.255.255.252 outside

http outside.xx.xx.0 255.255.255.240 outside

http NetworkInternal 255.255.255.0 inside

tftp-server outside outside.xx.xx.11 2

floodguard enable

sysopt connection permit-pptp

no sysopt route dnat

service resetinbound

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map inside_map interface inside

crypto map outside_map interface outside

isakmp enable outside

telnet timeout 5

ssh outside.xx.xx.0 255.255.255.192 outside

ssh outside.xx.xx.38 255.255.255.255 inside

ssh inside.xx.xx.1 255.255.255.255 inside

ssh timeout 30

vpdn group vpn accept dialin pptp

vpdn group vpn ppp authentication pap

vpdn group vpn ppp authentication chap

vpdn group vpn ppp authentication mschap

vpdn group vpn client configuration address local vpn-pool

vpdn group vpn client configuration dns mail

vpdn group vpn client accounting RADIUS

vpdn group vpn pptp echo 60

vpdn group vpn client authentication local

vpdn username 1 password ********

vpdn username 2 password ********

vpdn username 3 password ********

vpdn username 4 password ********

vpdn username 5 password ********

vpdn username 6 password ********

vpdn enable outside

terminal width 80

---------------

Thanks

david

New Member

Re: 501 VPN and config question

Based on the following link our config won't work for this..

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee9ae04

Have to implement IPSec instead...

80
Views
0
Helpful
3
Replies