Any Advice On This Kind Of VPN Design

kengyiam
Level 1

Hi guys,

I have a PIX 515E (PIX OS 7.0) with 3 interfaces (outside, dmz and internal_net) and a Cisco border router with 2 interfaces (fa0/0 connected to the Internet, fa0/1 connected to the PIX's outside interface). The IP addresses (hypothetical) are as below:

Router:

fa0/0 (hypothetical Internet IP address): 8.8.8.1

fa0/1 (to the PIX's outside interface): 10.1.1.1

Pix:

E0, outside, security-level=0: 10.1.1.2

E1, dmz, security-level=50 (hypothetical public IP address): 9.9.9.1

E2, internal_net, security-level=100: 192.168.1.1

My purpose is to let remote users (using the Cisco VPN Client software) connect to my internal_net by configuring VPN on the PIX. I was thinking of using my dmz interface's IP address as the VPN gateway address, as it is a public address, so that remote users are able to connect to it from the Internet.

Are there any Cisco VPN experts who can show me this configuration? Any fully elaborated configuration (pre-shared key and certificate) is greatly appreciated. Another doubt of mine is how to get the remote users to connect to my internal network even if they manage to get a private IP address from the PIX's DHCP pool (192.168.1.100 - 192.168.1.200)?

Thanks in advance.

Regards,

Franco

13 Replies

Nicholas Vigil
Level 1

This link should be helpful for you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

If this helps please rate my post, thanks.

joneschw1
Level 1

Don't worry about doing it on the DMZ because of the public IP address. You bind it to the external interface of the PIX anyway. Don't forget to set a domain name and hostname on the PIX.

! Client address pool, NAT exemption for traffic to the pool, and the split-tunnel list
access-list Inside_nat0_outbound extended permit ip in.si.de.network sub.net.ma.sk 192.168.231.0 sub.net.ma.sk
access-list split_tunnel standard permit in.si.de.network sub.net.ma.sk
access-list business_splitTunnelAcl standard permit in.si.de.network sub.net.ma.sk
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.231.0 255.255.255.0
ip local pool ippool 192.168.231.1-192.168.231.254 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
! RADIUS server group used for user (XAUTH) authentication
aaa-server vpn protocol radius
aaa-server vpn host 192.168.1.210
 timeout 5
 key xxx
! Group policy pushed to the clients
group-policy businessvpn internal
group-policy businessvpn attributes
 dns-server value (ip of internal dns server)
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value business_splitTunnelAcl
 default-domain value business.com
! IPsec phase 2: transform set and dynamic crypto map bound to the outside interface
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! IKE phase 1 on the outside interface
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Remote-access tunnel group. The authentication-server-group ties in the RADIUS
! group defined above, and default-group-policy must name the group-policy
! defined above (businessvpn), not the tunnel-group name (business).
tunnel-group business type ipsec-ra
tunnel-group business general-attributes
 address-pool ippool
 authentication-server-group vpn
 default-group-policy businessvpn
 strip-realm
 strip-group
tunnel-group business ipsec-attributes
 pre-shared-key (password)

m.sir
Level 7

Why do you have a DMZ with public IPs??? It's a very strange design and it negates the role of the DMZ... Internet connections should have the lowest security level.

You should terminate your VPN on the (private) outside PIX interface.

Before it works you need to configure port forwarding on the router for UDP port 500 (IKE) and UDP port 4500 (the encapsulation port for NAT traversal):

ip nat inside source static udp privateIP-outside_ASA 500 PublicIP_router 500
ip nat inside source static udp privateIP-outside_ASA 4500 PublicIP_router 4500

and mark the router's interfaces for NAT (public interface outside, PIX-facing interface inside):

interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside

Regarding the VPN configuration, try the following document:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

You can do your DMZ with public IPs and still protect the devices in the DMZ. It's just not that common. I worked at a place that did it though. It was a real waste of public IP addresses. That was the biggest problem.

You shouldn't need to do anything on the router unless your router is performing NAT somewhere. I assumed in my post above that the router was just routing.

Hi,

Thank you guys for the replies. Anyway, my router is doing NAT that translates the Internal_Net to the router's fa0/0 address so that users are able to go out to the Internet.

Sorry, I'm still unclear about your answers. So how should I really go about this? You mean I can use the PIX's outside interface (a private IP address that connects to the router) as the VPN gateway? It seems strange, doesn't it?

Get rid of the Internet router and configure public IP directly on PIX outside interface.

Hope this helps.

I wish I could just get rid of the router, but I can't. The problem is that there is a site-to-site VPN that was established before the arrival of the PIX. I can't do without the border router.

Configure private IPs for your DMZ and move the public IP block to the outside interface. You need a good plan for your NAT (outside Internet, outside site-to-site VPN, DMZ, inside).

Hi 4bwu,

Thanks for your responses. Anyway, can you advise me on why it is good practice to use private IP addresses for machines in the DMZ and translate the machines' addresses to public IP addresses? Why can't we just assign public IP addresses to the DMZ directly, since the public will be accessing the servers in the DMZ?

Thank you.

I do not think it really matters whether you use public IPs or private IPs from a security perspective.

Usually people try to save public IPs because they do not have plenty of them, and in splitting the public range you lose 3 more public IPs: one for the broadcast address, one for the network address and one for the PIX IP itself.

Another point is that by using public IPs instead of private ones you gain some performance because you do not do any address translation (NAT), even if the PIX has enough performance and this might not really be a problem in a standard environment.

If you are looking for good security practice, then take a look at these readings:

http://www.cisco.com/go/safe

http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

http://www.sans.org/rr/whitepapers/firewalls/

sincerely

Patrick

Hi Pat,

Is there really no other way out if I use my PIX DMZ (public IP) interface address as my VPN gateway? I can't change the config of my border router, and my PIX's outside interface is connected to my border router interface using a private address.

I do not see why you want to use the DMZ interface IP for the VPN clients.

You just have to forward the IPsec traffic and ESP to the PIX outside interface.

Finally, how many public IP addresses do you have?

Just one on the outside interface of your border router? And why are you using a private IP on the PIX outside interface and a public one on the DMZ? This is really unusual.

Usually you connect to the interface that is connected to the Internet, which in your case is the outside interface.

Another point is that the DHCP IP range for the VPN users should be different from the inside network or any other network that you are using. Otherwise you will get routing troubles.

sincerely

Patrick
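
As an added example (not code from this thread or from Cisco), here is a small Python audit that checks a PIX-style remote-access VPN fragment for the three things the replies raise: a client pool that overlaps an interface subnet (Patrick's last point, and the original 192.168.1.100-200 plan), a nat 0 exemption ACL that does not cover the pool, and a tunnel-group whose default-group-policy names a group-policy that does not exist (the easy-to-make mix-up between a tunnel-group called business and a group-policy called businessvpn). The config fragment is constructed for the example using the original poster's addresses, and the /24 interface masks are assumed since the post gives none.

```python
"""Added example: consistency checks for a PIX 7.x remote-access VPN config.
Parses a constructed fragment and flags pool/interface overlap, a nat 0 ACL
that misses the pool, and a dangling default-group-policy reference."""
import ipaddress
import re

# Constructed sample (not from the thread): the original poster's addresses,
# assumed /24 masks, and the 192.168.1.100-200 pool from the question.
SAMPLE_CONFIG = """
interface Ethernet0
 nameif outside
 ip address 10.1.1.2 255.255.255.0
interface Ethernet1
 nameif dmz
 ip address 9.9.9.1 255.255.255.0
interface Ethernet2
 nameif internal_net
 ip address 192.168.1.1 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.231.0 255.255.255.0
access-list business_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool ippool 192.168.1.100-192.168.1.200 mask 255.255.255.0
nat (internal_net) 0 access-list Inside_nat0_outbound
group-policy businessvpn internal
group-policy businessvpn attributes
 split-tunnel-network-list value business_splitTunnelAcl
tunnel-group business type ipsec-ra
tunnel-group business general-attributes
 address-pool ippool
 default-group-policy business
"""

# Same fragment with the pool moved off the inside subnet and the
# group-policy reference corrected; audit() should find nothing here.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("192.168.1.100-192.168.1.200", "192.168.231.1-192.168.231.254")
                .replace("default-group-policy business\n", "default-group-policy businessvpn\n"))


def _net(addr, mask):
    """Build a network from PIX 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull out only the objects the checks need; every other line is ignored."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": [],
           "group_policies": set(), "tunnel_groups": {}}
    nameif, tg = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            if nameif:
                cfg["ifaces"][nameif] = _net(m.group(1), m.group(2))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # only the 'src mask dst mask' form is needed for the nat 0 check
            cfg["acls"].setdefault(m.group(1), []).append(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"].append(m.group(2))
        elif m := re.match(r"group-policy (\S+) internal$", line):
            cfg["group_policies"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            tg = cfg["tunnel_groups"].setdefault(m.group(1), {})
        elif tg is not None and (m := re.match(r"(address-pool|default-group-policy) (\S+)$", line)):
            tg[m.group(1)] = m.group(2)
    return cfg


def check_pool_overlap(cfg):
    """The client pool must not overlap any interface subnet, or routing breaks."""
    return [f"pool {name} {lo}-{hi} overlaps {ifname} subnet {net}"
            for name, (lo, hi) in cfg["pools"].items()
            for ifname, net in cfg["ifaces"].items()
            if lo in net or hi in net]


def check_nat0_covers_pool(cfg):
    """Inside-to-pool traffic must be exempt from NAT (nat 0) or replies get translated."""
    problems = []
    exempt_dsts = [dst for acl in cfg["nat0"] for _src, dst in cfg["acls"].get(acl, [])]
    for tgname, tg in cfg["tunnel_groups"].items():
        pool = cfg["pools"].get(tg.get("address-pool"))
        if pool is None:
            problems.append(f"tunnel-group {tgname}: address-pool {tg.get('address-pool')} not defined")
            continue
        lo, hi = pool
        if not any(lo in dst and hi in dst for dst in exempt_dsts):
            problems.append(f"tunnel-group {tgname}: nat 0 ACL does not exempt pool {lo}-{hi}")
    return problems


def check_references(cfg):
    """A tunnel-group must point at a group-policy that actually exists."""
    return [f"tunnel-group {tgname}: default-group-policy {tg['default-group-policy']} is not defined"
            for tgname, tg in cfg["tunnel_groups"].items()
            if "default-group-policy" in tg
            and tg["default-group-policy"] not in cfg["group_policies"]]


def audit(text):
    """Return every problem found in the config text (an empty list means clean)."""
    cfg = parse_config(text)
    return check_pool_overlap(cfg) + check_nat0_covers_pool(cfg) + check_references(cfg)


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run against SAMPLE_CONFIG it reports all three problems; against FIXED_CONFIG it reports none. The parser deliberately handles only the object forms the checks need, so feed it a `show running-config` excerpt rather than relying on it for a full config model.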

Hi,

(Internal_net, DMZ, etc., outside) <-> PIX <-> Router <-> Internet <-> RemoteSite (via site-to-site VPN through the router)

The IP of my border router's outside interface is a single public IP. I have another, different set of public IPs which I had assigned to the DMZ interface. I'm using a private IP on the PIX outside interface due to some constraints in the initial setup that we had with the foreign remote site (if you read the post and answer above).

The router itself has IPsec over GRE in a site-to-site VPN with a remote site, and therefore I can't seem to establish Easy VPN on the router itself. My objective here is not to create another site-to-site VPN on the PIX but rather a remote access VPN for users to access the servers in my internal network.

The reason why I keep thinking of using my DMZ (public IP) interface as a VPN gateway is that I had the thought that Internet remote users who need to connect to my internal network will first need to connect to a VPN gateway, and therefore they need to see a public IP.

You mentioned "You just have to forward the IPsec traffic and ESP to the PIX outside interface". Do you mean forwarding the IPsec and ESP traffic from my router to the PIX when remote users see the router's outside interface as the VPN gateway address? How do I actually do this? Will it affect my current site-to-site VPN configuration on the router if I just route the IPsec traffic to the PIX's outside interface?

Please kindly advise.