03-30-2006 07:43 AM - edited 02-21-2020 02:20 PM
Hi guys,
I have a PIX 515E (PIX OS 7.0) with 3 interfaces (outside, dmz and internal_net) and a border Cisco router with 2 interfaces (fa0/0 connected to the Internet, fa0/1 connected to the PIX's outside interface). The IP addresses (hypothetical) are as below:
Router:
fa0/0 (hypothetical Internet IP address): 8.8.8.1
fa0/1 (to PIX's outside): 10.1.1.1
PIX:
E0, outside, security-level=0: 10.1.1.2
E1, dmz, security-level=50 (hypothetical public IP address): 9.9.9.1
E2, internal_net, security-level=100: 192.168.1.1
My purpose is to allow remote users (using the Cisco VPN client software) to connect to my internal_net by configuring VPN on the PIX. I was thinking of using my dmz's IP address as the VPN gateway address, as it is a public address, so that remote users are able to connect to it from the Internet.
Are there any Cisco VPN experts who can show me this configuration? Any fully elaborated configuration (pre-shared key and certificate) is greatly appreciated. Another doubt of mine is how to get the remote users to connect to my internal network even after they manage to get their private IP address from the PIX's DHCP pool (192.168.1.100 - 192.168.1.200)?
Thanks in advance.
Regards,
Franco
03-30-2006 10:08 AM
This link should be helpful for you.
If this helps please rate my post, thanks.
03-30-2006 10:25 AM
Don't worry about doing it on the DMZ because of the public IP address; you bind it to the external interface of the PIX anyway. Don't forget to set a domain name and hostname on the PIX.
! NAT exemption: inside hosts talking to VPN clients must not be translated
! (the pool mask is 255.255.255.0, so the second mask has to match it)
access-list Inside_nat0_outbound extended permit ip in.si.de.network sub.net.ma.sk 192.168.231.0 255.255.255.0
access-list split_tunnel standard permit in.si.de.network sub.net.ma.sk
access-list business_splitTunnelAcl standard permit in.si.de.network sub.net.ma.sk
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.231.0 255.255.255.0
! Address pool handed to VPN clients; keep it distinct from every inside/DMZ subnet
ip local pool ippool 192.168.231.1-192.168.231.254 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
! RADIUS server used to authenticate VPN users
aaa-server vpn protocol radius
aaa-server vpn host 192.168.1.210
 timeout 5
 key xxx
group-policy businessvpn internal
group-policy businessvpn attributes
 dns-server value (ip of internal dns server)
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value business_splitTunnelAcl
 default-domain value business.com
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group business type ipsec-ra
tunnel-group business general-attributes
 address-pool ippool
 ! bind the RADIUS server defined above to this tunnel-group
 authentication-server-group vpn
 ! must name the group-policy defined above (businessvpn), not the tunnel-group
 default-group-policy businessvpn
 strip-realm
 strip-group
tunnel-group business ipsec-attributes
 pre-shared-key (password)
03-30-2006 10:26 AM
Why do you have a DMZ with public IPs??? It's a very strange design and it negates the role of the DMZ... Internet connections should have the lowest security level.
You should terminate your VPN on the private/public PIX interface.
Before it will work you need to configure port forwarding for UDP port 500 (IKE) and UDP port 4500 (encapsulation port for NAT traversal) on the router:
ip nat inside source static udp privateIP-outside_ASA 500 PublicIP_router 500
ip nat inside source static udp privateIP-outside_ASA 4500 PublicIP_router 4500
and
On the router's public interface
ip nat outside
On the router's public interface
ip nat inside
Regarding VPN configuration, try the following document.
03-30-2006 10:53 AM
You can do your DMZ with public IPs and still protect the devices in the DMZ. It's just not that common. I worked at a place that did it, though. It was a real waste of public IP addresses; that was the biggest problem.
You shouldn't need to do anything on the router unless your router is performing NAT somewhere. I assumed in my post above that the router was just routing.
03-30-2006 05:05 PM
Hi,
Thank you guys for the replies. Anyway, my router is doing NAT that translates the Internal_Net to the router's fa0/0 so that users are able to go out to the Internet.
Sorry, I'm still unclear about your answers. So how should I really go about this? You mean I can use the PIX's outside interface (a private IP address that connects to the router) as the VPN gateway? It seems strange, doesn't it?
04-05-2006 10:06 AM
Get rid of the Internet router and configure public IP directly on PIX outside interface.
Hope this helps.
04-05-2006 07:23 PM
I wish I could just get rid of the router, but I can't. The problem is that a site-to-site VPN was established before the arrival of the PIX. I can't do without the border router.
04-06-2006 10:27 AM
Configure private IP for your DMZ and move the public IP block to the outside interface. You need a good plan for your NAT (outside Internet, outside site-to-site VPN, DMZ, inside).
04-06-2006 04:59 PM
Hi 4bwu,
Thanks for your responses. Anyway, can you advise me on why it is good practice to use private IP addresses for machines in the DMZ and translate the machines' addresses to public IP addresses? Why can't we just assign public IP addresses to the DMZ directly, since the public will be accessing the servers in the DMZ?
Thank you.
04-06-2006 05:38 PM
I do not think it really matters, from a security perspective, whether you use public IPs or private IPs.
Usually people try to save public IPs because they do not have plenty of them, and in splitting the public range you lose 3 more public IPs: one for the network, one for broadcast and one for the PIX IP itself.
Another point is that by using public IPs instead of private ones you gain some performance because you do not do any address translation (NAT), even if the PIX has enough performance that this might not really be a problem in a standard environment.
If you are looking for good security practise then take a look at this readings:
http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1
http://www.sans.org/rr/whitepapers/firewalls/
sincerely
Patrick
04-06-2006 06:31 PM
Hi Pat,
Is there really no other way out if I use my PIX DMZ (public IP) interface address as my VPN gateway? I can't change the config in my border router, and my PIX's outside interface is connected to my border router interface using a private address.
04-06-2006 07:12 PM
I do not see why you want to use the DMZ interface IP for the VPN clients?
You just have to forward the IPsec traffic and ESP to the PIX outside interface.
Finally, how many public IP addresses do you have?
Just one on the outside interface of your border router? And why are you using a private IP on the PIX outside interface and a public one on the DMZ? This is really unusual.
Usually you connect to the interface that is connected to the Internet, which in your case is the outside interface.
Another point is that the DHCP IP range for the VPN users should be different from the inside network or any other network that you are using. Otherwise you will get routing troubles.
sincerely
Patrick
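An added example, not taken from this thread or from Cisco: a small Python checker that parses a PIX 7.x remote-access snippet like the one posted above and reports the three things that most often break such a setup. It flags names that are referenced but never defined (the posted tunnel-group points at a group-policy called business while the policy is defined as businessvpn), flags a client address pool that overlaps any inside or DMZ network, which is the routing trouble Patrick warns about, and confirms that the inside nat 0 ACL exempts traffic to the pool. The sample configuration and the 192.168.1.0/24 inside network are constructed values standing in for the poster's in.si.de.network placeholder.

```python
"""Sanity-check a PIX 7.x remote-access VPN snippet before it is pushed."""
import ipaddress

# Constructed sample modelled on the snippet posted in this thread; the
# in.si.de.network placeholder is filled in with 192.168.1.0/24.  It keeps the
# mismatch between "tunnel-group business" and "group-policy businessvpn" on
# purpose so the dangling-reference check has something to report.
SAMPLE_CONFIG = """\
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.231.0 255.255.255.0
access-list business_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.231.0 255.255.255.0
ip local pool ippool 192.168.231.1-192.168.231.254 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
group-policy businessvpn internal
group-policy businessvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value business_splitTunnelAcl
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
tunnel-group business type ipsec-ra
tunnel-group business general-attributes
 address-pool ippool
 default-group-policy business
"""


def _take_net(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Collect the objects a remote-access VPN depends on, plus every cross-reference."""
    cfg = {"access-list": {}, "pool": {}, "group-policy": set(),
           "transform-set": set(), "nat0": {}, "refs": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        line = " ".join(t)
        if t[0] == "access-list" and len(t) >= 6:
            if t[2] == "extended" and t[3:5] == ["permit", "ip"]:   # ... permit ip SRC DST
                src, i = _take_net(t, 5)
                dst, _ = _take_net(t, i)
                cfg["access-list"].setdefault(t[1], []).append((src, dst))
            elif t[2] == "standard" and t[3] == "permit":            # ... permit NET MASK
                net, _ = _take_net(t, 4)
                cfg["access-list"].setdefault(t[1], []).append((net, None))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pool"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
            cfg["refs"].append(("access-list", t[4], line))
        elif t[0] == "group-policy" and t[-1] == "internal":
            cfg["group-policy"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform-set"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            cfg["refs"].append(("access-list", t[-1], line))
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            cfg["refs"].append(("transform-set", t[-1], line))
        elif t[0] == "split-tunnel-network-list":
            cfg["refs"].append(("access-list", t[-1], line))
        elif t[0] == "address-pool":
            cfg["refs"].append(("pool", t[1], line))
        elif t[0] == "default-group-policy":
            cfg["refs"].append(("group-policy", t[1], line))
    return cfg


def check_ra_vpn(text, local_networks):
    """Return a list of findings; an empty list means the snippet is internally consistent."""
    cfg = parse_pix(text)
    findings = []
    # 1. Every name the VPN pieces point at must actually be defined.
    for kind, name, line in cfg["refs"]:
        if name not in cfg[kind]:
            findings.append(f"dangling {kind} reference '{name}' in: {line}")
    local_nets = [ipaddress.ip_network(n) for n in local_networks]
    for pname, (first, last) in cfg["pool"].items():
        # 2. The client pool must not overlap any directly connected network.
        for net in local_nets:
            if first <= net.broadcast_address and last >= net.network_address:
                findings.append(f"pool {pname} ({first}-{last}) overlaps local network {net}")
        # 3. The inside NAT-0 ACL must exempt inside->pool, or replies get translated.
        for iface, acl in cfg["nat0"].items():
            covered = any(dst is not None
                          and dst.network_address <= first and last <= dst.broadcast_address
                          for _src, dst in cfg["access-list"].get(acl, []))
            if not covered:
                findings.append(f"nat ({iface}) 0 ACL {acl} does not exempt traffic to pool {pname}")
    return findings


if __name__ == "__main__":
    for finding in check_ra_vpn(SAMPLE_CONFIG, ["192.168.1.0/24", "9.9.9.0/24"]):
        print(finding)
```

Run it against a pasted snippet and the list of every subnet the PIX is directly connected to; the first thing it reports on the sample is the business/businessvpn mismatch, and renaming the pool into 192.168.1.0/24 makes the overlap check fire instead.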
04-06-2006 07:40 PM
Hi,
(Internal_net,DMZ,etc,outside)<->PIX<->Router<->Internet<->(via site2site vpn thru router)RemoteSite.
The IP of my border router's outside interface is a single public IP. I have another, different set of public IPs which I have assigned to the DMZ interface. I'm using a private IP on the PIX outside interface due to some constraints in the initial setup that we had with the foreign remote site (if you read the post and answer above).
The router itself has IPsec over GRE in a site-to-site VPN with a remote site, and therefore I can't seem to establish EasyVPN on the router itself. My objective here is not to create another site-to-site VPN on the PIX but rather a remote-access VPN for users to access the servers in my internal network.
The reason why I keep thinking of using my DMZ (public IP) interface as a VPN gateway is that I had the thought that Internet remote users who need to connect to my internal network will first need to connect to a VPN gateway, and therefore they need to recognise a public IP.
You mentioned "You just have to forward the IPSEC traffic and ESP to the PIX outside interface". Do you mean forwarding the IPsec and ESP traffic from my router to the PIX when remote users see the router's outside interface as the VPN gateway address? How do I actually do this? Will it affect my current site-to-site VPN configuration on the router if I just route the IPsec traffic to the PIX's outside interface?
Please kindly advise.