Use PIX VPN to control access

donlin123, Level 1

I have a situation. I want to use a Cisco PIX to create 2 VPN tunnels: one called "admingroup" (subnet 192.168.10.X) for full access and the other called "vendorgroup" (subnet 192.168.11.X) for limited access (only www access to 192.168.1.100). Both admin and vendor will use Cisco VPN clients for XP. But for some reason, both admin and vendor get the same access. I think I may need to remove the "sysopt" command; currently I use admingroup to log in to the PIX remotely.

1. Can I remove "sysopt" command remotely while I vpn into PIX?

2. Why both admin and vendor have the same access?

Here is the PIX config in short version:

access-list nat_acl permit ip 192.168.1.0 255.255.255.0 any
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
ip address outside pppoe setroute
ip address inside 192.168.7.253 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip local pool adminpool 192.168.10.1-192.168.10.7
ip local pool vendorpool 192.168.11.1-192.168.11.7
global (outside) 1 60.1.1.10
nat (inside) 0 access-list 101
nat (inside) 1 access-list nat_acl 0 0
access-group out_acl in interface outside
route inside 192.168.1.0 255.255.255.0 192.168.7.254 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup admingroup address-pool adminpool
vpngroup admingroup dns-server 192.168.1.3
vpngroup admingroup default-domain test.com
vpngroup admingroup split-tunnel 101
vpngroup admingroup idle-time 1800
vpngroup admingroup password ********
vpngroup vendorgroup address-pool vendorpool
vpngroup vendorgroup dns-server 192.168.1.3
vpngroup vendorgroup default-domain test.com
vpngroup vendorgroup split-tunnel 101
vpngroup vendorgroup idle-time 1800
vpngroup vendorgroup password ********
vpdn group pppoex request dialout pppoe


acomiskey, Level 10

1. I wouldn't unless you first add the appropriate ports in your outside acl to allow you to establish the vpn after you remove the sysopt.

2. They have the same access because there is nothing to prevent either from going anywhere. The sysopt conn permit-ipsec statement is in place and they both have the same split tunnel acl. I would simply create a new split tunnel acl for vendorgroup which is limited to the specific server. If you want to restrict to only www on that server then you will need to remove sysopt and write the access in the acl.

These commands are doing nothing right now because sysopt conn permit-ipsec allows ipsec traffic to bypass interface acls.

access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside

This should do it...

access-list out_acl extended permit udp any interface outside eq isakmp
access-list out_acl extended permit udp any interface outside eq 4500
access-list out_acl extended permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside
no sysopt connection permit-ipsec
access-list 102 permit ip host 192.168.1.100 192.168.11.0 255.255.255.0
vpngroup vendorgroup split-tunnel 102

You could also get rid of these two lines...

access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

Then you would need as well...

nat (inside) 0 access-list 102

I think that's all :-), please rate if it helps.

Do I keep the following commands?

nat (inside) 0 access-list 101
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

I'll try your commands tonight and let you know the result. Thanks

Yes, you need to keep 101 as that is your nat exemption and split tunnel acl for your admin group. So acl 101 will be nat exemption/split tunnel for admingroup and acl 102 will be nat exemption/split tunnel for vendors.

Let me know how it goes. Good luck.

Slipped into asa mode there a sec, should be

access-list out_acl permit udp any interface outside eq isakmp
access-list out_acl permit udp any interface outside eq 4500
access-list out_acl permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside

Any luck?

You are correct. PIX 6.35 doesn't support extended access-list commands.

Also, I can't do both of these commands at the same time.

nat (inside) 0 access-list 101
nat (inside) 0 access-list 102

So I use access-list 101 for both.

access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.1.100 192.168.11.0 255.255.255.0

Correct, no problem there, my mistake. So is it fixed? I guess so, good deal. Enjoy.
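To make the interaction between the two controls concrete, here is an added Python model (not PIX code and not from anyone in this thread) of how the outside ACL, the sysopt bypass and the split-tunnel ACL combine for a vendor and an admin client under the original config versus the final one from the last post. It assumes a first-match ACL, that split-tunnel entries are selected by matching the client address against their destination, and leaves NAT exemption out.

```python
from ipaddress import ip_address, ip_network

# Constructed, simplified model of the two controls discussed in the thread:
# the outside interface ACL, which decrypted VPN traffic bypasses while
# "sysopt connection permit-ipsec" is set, and the split-tunnel ACL, whose
# source is the protected network and whose destination is the client pool.
# NAT exemption is not modelled. Illustration only, not PIX code.

def net(addr, mask="255.255.255.255"):
    return ip_network(f"{addr}/{mask}", strict=False)

ANY = net("0.0.0.0", "0.0.0.0")
ADMIN, VENDOR = net("192.168.10.0", "255.255.255.0"), net("192.168.11.0", "255.255.255.0")
LAN1, LAN7 = net("192.168.1.0", "255.255.255.0"), net("192.168.7.0", "255.255.255.0")
SERVER = net("192.168.1.100")

# out_acl as posted; entries are (proto, src, dst, dst_port or None). The
# isakmp/4500/esp lines added later only protect tunnel setup and are not
# consulted for decrypted traffic, so they are omitted here.
OUT_ACL = [("tcp", VENDOR, SERVER, 80), ("ip", ADMIN, ANY, None)]
# Original acl 101: both LANs are tunnelled to both pools.
ACL101_ORIG = [("ip", LAN7, ADMIN, None), ("ip", LAN1, ADMIN, None),
               ("ip", LAN7, VENDOR, None), ("ip", LAN1, VENDOR, None)]
# Final acl 101 from the last post: only the server is tunnelled to the vendor pool.
ACL101_FIXED = [("ip", LAN7, ADMIN, None), ("ip", LAN1, ADMIN, None),
                ("ip", SERVER, VENDOR, None)]
ORIGINAL = (True, ACL101_ORIG)    # (sysopt permit-ipsec present?, split-tunnel acl)
FIXED = (False, ACL101_FIXED)

def acl_match(acl, proto, src, dst, dport):
    """First-match ACL evaluation with the implicit deny at the end."""
    for p, s, d, port in acl:
        if p in ("ip", proto) and ip_address(src) in s and ip_address(dst) in d \
                and (port is None or port == dport):
            return True
    return False

def tunneled_networks(split_acl, client):
    """Networks pushed to a client: sources of entries whose destination covers it."""
    return [s for _, s, d, _ in split_acl if ip_address(client) in d]

def allowed(config, client, proto, dst, dport):
    """Does traffic from a VPN client reach dst on the inside under this config?"""
    sysopt, split_acl = config
    if not any(ip_address(dst) in n for n in tunneled_networks(split_acl, client)):
        return False   # not in the split-tunnel list: sent in the clear, never hits the PIX
    if sysopt:
        return True    # permit-ipsec: decrypted traffic skips out_acl entirely
    return acl_match(OUT_ACL, proto, client, dst, dport)
```

With the original config a vendor client reaches any inside host on any port, which is exactly the symptom reported; with the final config it reaches only tcp/80 on 192.168.1.100, while admin clients keep full access.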