
New Member

PIX with H&S VPN DMZ hosting web server at the hub

Ok,

Here's a problem that I would think would be fairly common for those even remotely security conscious. Unfortunately, my knowledge of the PIX (as well as other Cisco devices) is still in the "growing" phase.

So, here is the problem. I've got a WAN set up with PIXen and SonicWalls; we're configured in a mostly Hub and Spoke design (ok fine, so it's partially meshed). We just recently decided to pull the trigger on getting a "real" web site, and all went fairly well getting that up and rolling (even with my 3-day notice/deadline), but here is the problem: I set up the web server on the DMZ at the hub PIX, and I figured out (the easy part) how to set things so folks in the home office can connect to the web server using internal addressing, but I'm not sure what to do for the people out in the remote offices with VPN connections home. I've tried setting static routes, I've tried adding the DMZ to the VPN trigger, I've tried doing both of the last things together, and I've verified that I've got rules allowing traffic from the VPNs on the outside to the DMZ on the inside. So, what else can I be looking for?!?!!

I have no problem configuring a PIX for basic setups, and even VPNs at this point; I can do most of it through the CLI (though I still like to do most through the PDM). My biggest stumbling block on the PIX thus far has been when I actually involve that pesky DMZ...

I've actually got two PIX at my office, two for my home network (one for my place in the States, and one for my place in Japan), so if you can help me out, I'll be solving two problems, and I'll make sure to give a great feedback rating!

so I guess that leaves me at the point where I yell....

HELP!!!

and humbly await your feedback.

1 ACCEPTED SOLUTION

Gold

Re: PIX with H&S VPN DMZ hosting web server at the hub

the current pix configuration should look something like this,

access-list 101 permit ip
access-list 110 permit ip
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set superset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer
crypto map myvpn 10 set transform-set superset
crypto map myvpn interface outside
isakmp enable outside
isakmp key address netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

now, to add dmz on top of the existing vpn, add the following to the pix (and apply the same concept on the remote end device)

access-list 102 permit ip
access-list 110 permit ip
nat (dmz) 0 access-list 102
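The answer above hinges on two lists staying in step: the NAT-exemption ACLs referenced by `nat (if) 0 access-list` and the crypto map's `match address` ACL. The original poster's fault was a DMZ subnet present in the first but absent from the second, so DMZ traffic toward a spoke was never selected for encryption. The following checker is an added example, not code from the thread or from Cisco; it parses a PIX 6.x-style config and reports every subnet pair that is NAT-exempt but not interesting traffic (and the reverse). The embedded config is constructed in the shape of jackko's answer; the ACL numbers and names (101, 102, 110, myvpn, superset) come from the post, while every address (10.1.0.0/16 inside, 192.168.100.0/24 DMZ, 10.2.0.0/16 spoke, peer 203.0.113.10) is an assumption.

```python
"""Cross-check a PIX 6.x-style config: every subnet pair that is NAT-exempt
(nat (if) 0 access-list ...) toward a VPN peer must also appear in the crypto
map's match ACL, and vice versa. A DMZ subnet that is exempt from NAT but
missing from the crypto ACL is the gap the thread above describes."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in the shape of the accepted answer. All addresses are
# assumptions (RFC 1918 / documentation ranges), not values from the post.
# The DMZ net 192.168.100.0/24 is NAT-exempt via ACL 102, but ACL 110, the
# crypto map's interesting-traffic ACL, only lists the inside net.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list 110 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list 102
crypto ipsec transform-set superset esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
crypto map myvpn 10 match address 110
crypto map myvpn 10 set peer 203.0.113.10
crypto map myvpn 10 set transform-set superset
crypto map myvpn interface outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

# The fix the thread arrives at: the DMZ net must also be interesting traffic.
DMZ_CRYPTO_LINE = "access-list 110 permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0\n"

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
WEAK_RE = re.compile(r"\b(esp-3des|esp-md5-hmac|encryption 3des|hash md5|group [12])\b")


def parse(config):
    """Return ({acl name: [(src, dst)]}, {interface: nat0 acl}, {crypto acl names})."""
    acls, nat0, crypto_acls = defaultdict(list), {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, so "10.1.0.0/255.255.0.0" parses directly
            acls[name].append((ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
    return acls, nat0, crypto_acls


def covered(pair, entries):
    """True if some (src, dst) entry encloses both halves of pair."""
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in entries)


def check_nat_vs_crypto(config):
    """List NAT-exemption / crypto-ACL mismatches; an empty list means consistent."""
    acls, nat0, crypto_acls = parse(config)
    interesting = [e for name in crypto_acls for e in acls[name]]
    exempt = [(iface, e) for iface, name in nat0.items() for e in acls[name]]
    findings = []
    for iface, (src, dst) in exempt:
        if not covered((src, dst), interesting):
            findings.append(f"{iface}: {src} -> {dst} is NAT-exempt but in no crypto map "
                            "match ACL, so it leaves the outside interface unencrypted")
    for src, dst in interesting:
        if not covered((src, dst), [e for _, e in exempt]):
            findings.append(f"crypto: {src} -> {dst} is interesting traffic but not NAT-exempt; "
                            "PAT rewrites the source before the crypto ACL is evaluated")
    return findings


def check_weak_crypto(config):
    """Flag legacy IKE/IPsec algorithm choices still common in PIX-era configs."""
    return [line.strip() for line in config.splitlines() if WEAK_RE.search(line)]


if __name__ == "__main__":
    for f in check_nat_vs_crypto(SAMPLE_CONFIG):
        print("MISMATCH:", f)
    for f in check_weak_crypto(SAMPLE_CONFIG):
        print("WEAK:", f)
    print("after fix:", check_nat_vs_crypto(SAMPLE_CONFIG + DMZ_CRYPTO_LINE))
```

Run as-is, it reports the single mismatch on the dmz interface and an empty list once `DMZ_CRYPTO_LINE` is appended, which is the change the poster's last reply confirms. The reverse check matters on the PIX because NAT is applied before the crypto ACL is evaluated, so a source that is PAT'ed to the outside address never matches a crypto entry written in terms of the private subnet. The weak-crypto pass flags the 3DES, MD5 and DH group 1/2 settings from the thread's config; they were the norm for that PIX generation but should not be carried into a current deployment.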

3 REPLIES

New Member

Re: PIX with H&S VPN DMZ hosting web server at the hub

Thanks for the response jackko, unfortunately due to construction in my office I won't be able to try this for a few days, but I'll get back to you and let you know how it goes as soon as I have a chance.

--Serp

New Member

Re: PIX with H&S VPN DMZ hosting web server at the hub

Thanks Jackko. I looked over your config, took a look at mine and found the problem I had (basically had everything set but VPN encryption for the DMZ). As promised, I voted 5 points for your response. Thanks again for the quick and accurate response!

--Serp
