Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Ok I am not sure if i am doing this right :(

I have 4 interfaces (actually 6 but only using 4 right now) on my pix system.

I have Outside, inside, dmz and vpn.

I plugged my cisco 3015 into interface 4 and gave it the following internal IP:

192.168.3.1 - (using NAT) x.x.x.x public

I setup the following acls to allow authenication and that works:

access-list vpn_access_in permit udp host 192.168.200.2 any eq isakmp access-list outside_access_in permit udp any eq isakmp host x.x.x.x

nat rules:

static (inside, vpn) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside, vpn) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

(vpn box has own dhcp pool separate network)

now my question - what are the correct acls' to allow my internal network to communicate with my vpn box?

???

access-list inside_access_in permit tcp any host 192.168.200.2

access-list vpn_access_in permit tcp host 192.168.200.2 any

Also - just to make sure - i added a route to send 192.168.200.0 traffic back to my firewall.

am i doing this right?

thanks for any input!

2 REPLIES
New Member

Re: Ok I am not sure if i am doing this right :(

Use the following URL for rules on how to write Access list

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#1067755

New Member

Re: Ok I am not sure if i am doing this right :(

HI.

> plugged my cisco 3015 into interface 4

That's a good idea to use dedicated interface for VPN server.

> I setup the following acls to allow authenication and that works...

Did you also permit esp traffic in those access lists?

> nat rules:

> static (inside, vpn) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

> static (inside, vpn) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

An alternate way which is similar but does not involve proxy arp:

access-list nonatinside permit ip 192.168.0.0 255.255.0.0 VPNCLIENTS 255.255.255.0

nat (inside) 0 access-list nonatinside

> now my question - what are the correct acls' to allow my internal network to communicate with my vpn box

Good question.

The answer is also a question - what is your VPN network policy?

A general rule is - only allow the minimal traffic you need.

You have used a dedicated interface at the pix which can give you better control over VPN traffic, but if you simply permit all traffic between VPN and LAN, then it is almost the same as placing the VPN server on the inside LAN. Isn't it?

So, if the VPN users need access to a specific server only, then you can use:

access-list vpn_access_in permit ip VPNCLIENTS 255.255.255.0 host INTERNAL SERVER

And add fine tunning and access control at the 3015 VPN server.

> access-list inside_access_in permit tcp any host 192.168.200.2

No need for this, because VPN clients typically initiate the connection to the internal server(s), but the internal server(s) normally do not initiate sessions to the VPN clients.

Bye

Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar

81
Views
0
Helpful
2
Replies