Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
405
Views
0
Helpful
5
Replies

Use Pix VPN to Secure Wireless Communucation

pwicks
Level 1
Level 1

‎11-12-2005 06:00 AM - edited ‎02-21-2020 02:06 PM

After demonstrating how easy it is to sniff traffic on unknown/unsecured wireless networks, I find myself needing to come up with a solution for the problem.

Since all of our laptop users have the Cisco VPN client installed, we thought about setting up a Pix firewall with VPN configured to act as a gateway to the Internet when users are "forced" to use unsecured wireless in the various parks and restaurants around the NYC area. I understand that Pix version 7 allows traffic to come in and out of the same interface now, so it would seem that this task is logically possible.

I would like to set up the firewall so that when users connect to wireless networks, they can connect to the firewall using VPN so that all wireless traffic is encrypted. The firewall will then act as a gateway to the Internet. For the test, I loaded version Pix 7.02 on a spare 506e, so I only have command-line access. Once the test is complete and I can demonstrate the results to the executive staff, we will get funded to buy an ASA 5510 just for the employees around NYC to use. I have configured the 506e for VPN access (without split tunneling of course) and it’s working like a charm, but I cannot get out to the Internet once I am connected. The VPN configuration is posted below. Any assistance will be greatly appreciated.

- JPW

access-list net_vpn_net extended permit ip 192.168.80.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list net_vpn_net extended permit ip any 10.2.2.0 255.255.255.0

ip local pool MYVPNPOOL 10.2.2.1-10.2.2.10

nat (inside) 0 access-list net_vpn_net

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

group-policy TESTVPN internal

group-policy TESTVPN attributes

dns-server value x.x.x.x y.y.y.y

vpn-idle-timeout 30

default-domain value jameswicks.com

username TestUser password xxxxxxxxxxxxxxxxx encrypted privilege 1

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp nat-traversal 60

tunnel-group DefaultRAGroup type ipsec-ra

tunnel-group DefaultRAGroup general-attributes

authentication-server-group (outside) LOCAL

tunnel-group TESTVPN type ipsec-ra

tunnel-group TESTVPN general-attributes

address-pool MYVPNPOOL

default-group-policy TESTVPN

tunnel-group TESTVPN ipsec-attributes

pre-shared-key *

Labels:
0 Helpful
5 Replies 5

jackko
Level 7
Level 7

‎11-12-2005 06:48 AM

i thought the magical command "same-security-traffic permit intra-interface" is required.

further, i thought that v7 doesn't support pix 501 and 506e, interesting.

0 Helpful

pwicks
Level 1
Level 1
In response to jackko

‎11-12-2005 06:26 PM

Cisco does not support Version 7 on the 506e. Version 7 can be installed and operate on a 506e since it only requires 5MB of flash, but you do not have enough flash left to install the Cisco Adaptive Security Device Manager (ASDM). That is why I am doing everything from the command line.

I will try the "same-security-traffic permit intra-interface" command and report back the results. Thanks for the information.

0 Helpful

pwicks
Level 1
Level 1
In response to pwicks

‎11-12-2005 07:22 PM

No luck. Still no access to the Internet after adding the statement "same-security-traffic permit intra-interface".

0 Helpful

jackko
Level 7
Level 7
In response to pwicks

‎11-12-2005 11:04 PM

having a second look at the command reference, the description of the command is "Permits communication in and out of the same interface when traffic is IPSec protected".

does it mean the traffic has to be hopping from one vpn to another vpn; as opposed to from vpn to the pure internet. i guess you need to contact the cisco tac in order to verify.

an alternative is to setup proxy for the remote vpn client, which would be less complicated and much easier to manage.

0 Helpful

jackko
Level 7
Level 7
In response to jackko

‎11-16-2005 02:41 AM

just wondering how you go.

finally, i've found a cisco doc addressing your scenario:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents