01-30-2004 07:18 PM
I was wondering if someone could answer this question. Our vendor, who installed our firewall and Concentrator, can't seem to get the Concentrator to connect from the outside at all. He put the Concentrator on the DMZ of the firewall. He also used the public and private interfaces and not the external. Should the Concentrator be put on the internal side of the firewall?
01-31-2004 01:01 PM
Hi Julian,
It's perfectly alright to put the Concentrator on the DMZ of the firewall, but a couple of things to keep in mind:
- Define a static translation (with a public IP address) for the CVPN3000 on the firewall.
- Allow all VPN traffic, or other traffic that you want to go to the CVPN3000, through the firewall.
- If you are trying to do Remote management on the CVPN3000, then make sure that you allow management access to the public interface of the CVPN3000 as follows:
Additionally, although the Public interface will be on the DMZ, the Private interface should be on the inside of the Firewall.
Hope this helps,
Regards,
Aamir
-=-=-
02-01-2004 08:23 PM
Thanks Aamir,
The Concentrator is on the DMZ of the PIX. Prior to installing the Concentrator we used the PIX for remote access.
This is the pix configuration:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
nameif gb-ethernet0 dmz3 security55
nameif gb-ethernet1 dmz2 security50
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list BRSC_splitTunnelAcl permit ip 10.17.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip 10.17.0.0 255.255.0.0 10.17.123.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.17.123.0 255.255.255.0
access-list acl-out permit esp any host x.x.x.252
access-list acl-out permit ah any host x.x.x.252
access-list acl-out permit udp any host x.x.x.252 eq isakmp
access-list acl-out permit gre any host x.x.x.252
access-list acl-out permit udp any host x.x.x.252 eq 1000
access-list acl-out permit tcp any host x.x.x.252 eq 1023
access-list acl-out deny tcp any any eq 2048
access-list acl-out deny udp any any eq 2048
access-list acl-out deny tcp any any eq 4444
access-list acl-out deny tcp any any eq 135
access-list acl-out deny icmp any any
access-list acl-out deny ip any any
access-list acl-in deny tcp any any eq 2048
access-list acl-in deny udp any any eq 2048
access-list acl-in deny tcp any any eq 135
access-list acl-in deny tcp any any eq 137
access-list acl-in deny tcp any any eq 4444
access-list acl-in deny udp any any eq tftp
access-list acl-in deny tcp any any eq netbios-ssn
access-list acl-in deny tcp any any eq 445
access-list acl-in deny tcp any any eq 593
access-list acl-in deny icmp any any
access-list acl-in permit ip 10.17.0.0 255.255.0.0 any
pager lines 25
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz3 1500
mtu dmz2 1500
ip address outside x.x.x.1 255.255.255.0
ip address inside 10.17.x.x 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip address dmz3 127.0.0.1 255.255.255.0
ip address dmz2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.17.123.1-10.17.123.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz3
no failover ip address dmz2
pdm location 10.17.x.x 255.255.255.0 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.0 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.3
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.6 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.10 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.247 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.248 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.249 10.17.x.x netmask 255.255.255.255 0 0
static (inside,dmz) 10.17.0.0 10.17.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) x.x.x.252 172.16.1.5 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.5 1
route inside 10.17.0.0 255.255.0.0 10.17.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server BRSC protocol radius
aaa-server BRSC (inside) host 10.17.x.x MYSITE timeout 10
http server enable
http 10.17.x.x 255.255.255.255 inside
http 10.17.x.x 255.255.255.255 inside
http 10.17.x.x 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication BRSC
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BRSC address-pool ippool
vpngroup BRSC dns-server 10.17.x.x 10.17.x.x
vpngroup BRSC wins-server 10.17.x.x 10.17.x.x
vpngroup RBSC default-domain BRSC.com
vpngroup BRSC split-tunnel BRSC_splitTunnelAcl
vpngroup BRSC idle-time 1800
vpngroup BRSC password AAAAAAA
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
We are still not able to authenticate through. Could you provide further assistance?
02-02-2004 11:45 AM
Hi Julian,
One thing that I see is that the PIX still has the crypto config on it, with the crypto map applied. Kindly remove that config if you are trying to terminate the clients on the Concentrator now. Additionally, make sure that whatever IP addresses you assign the clients (let's say 10.17.123.x) on the CVPN3000, the inside machines point to the inside of the CVPN3000 for that network rather than the PIX. Also, if you are using IPSec/NAT, then open up UDP port 10,000 as well, as that's used for the IPSec/UDP port, rather than the port 1000 that is open at this time.
If this doesn't work, then go ahead and open up a TAC case with all the configs for them to troubleshoot by running debugs on the CVPN3000 and PIX.
Hope this helps,
Regards,
Aamir
-=-=-
02-05-2004 04:20 PM
Can't authenticate? Has the username/password prompt come up at all? Anyway, I totally agree with the previous post to permit UDP 10000. I would also permit UDP 4500. In case you are still not sure whether the access-list is blocking any related traffic, then do the following for a test:
access-l acl-out permit ip any host x.x.x.152
It sounds like your vendor hasn't got much experience on the Concentrator. Here is another piece of advice: you will need a router on your local LAN that acts as the default gateway.
I believe the default route on the inside hosts is the PIX inside interface, right? For example, if the remote client pool on the Concentrator is 192.168.1.0, then you will have to put a static route on the router as below:
ip route 0.0.0.0 0.0.0.0
ip route 192.168.1.0 255.255.255.0
Otherwise you won't be able to access anything, as the PIX hasn't got the route to 192.168.1.0.
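The checks the two replies above describe (a static (dmz,outside) translation for the Concentrator, outside ACL permits for ESP, AH, udp/500, udp/4500 and udp/10000 to that public address, and no crypto map left applied on the PIX outside interface), as an added example that is not part of the original thread: a small Python audit of a PIX 6.x config. The sample config is constructed from the one posted above, with 203.0.113.252 standing in for x.x.x.252; the parser handles only the ACL forms seen on this page (any / host / network mask, optional "eq" port) and PIX first-match ACL semantics, not the full PIX grammar.

```python
# Added example: audit a PIX 6.x config for the three points raised in the replies.
# The sample config further down is constructed from the posted one; 203.0.113.252
# replaces x.x.x.252 and 172.16.1.5 is the concentrator's public interface on the DMZ.
import ipaddress
import re

# (protocol, destination port or None) that must reach the concentrator's public address.
REQUIRED_FLOWS = [("esp", None), ("ah", None), ("udp", 500), ("udp", 4500), ("udp", 10000)]
# PIX accepts well-known names after "eq"; only the names seen on this page are mapped.
PORT_NAMES = {"isakmp": 500, "tftp": 69, "netbios-ssn": 139}


def _addr(t, i):
    """Consume one address spec (any | host A | A MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_pix(config):
    """Pull out the ACL, static, access-group and crypto-map lines; ignore the rest."""
    cfg = {"acls": {}, "statics": [], "access_groups": {}, "crypto_on": []}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = None
            if i + 1 < len(t) and t[i] == "eq":
                port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port})
        elif t[:1] == ["static"]:
            m = re.match(r"\((\w+),(\w+)\)", t[1])
            cfg["statics"].append((m.group(1), m.group(2), t[2], t[3]))  # (from, to, global, local)
        elif t[:1] == ["access-group"] and len(t) >= 5:
            cfg["access_groups"][t[4]] = t[1]  # access-group NAME in interface IF
        elif t[:2] == ["crypto", "map"] and "interface" in t:
            cfg["crypto_on"].append(t[-1])  # crypto map NAME interface IF
    return cfg


def first_match(aces, proto, dst_ip, port):
    """PIX ACLs are evaluated first-match, with an implicit deny at the end."""
    ip = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] in (proto, "ip") and ip in ace["dst"] and ace["port"] in (None, port):
            return ace["action"]
    return "deny"


def audit(config, concentrator_dmz_ip, dmz_if="dmz", outside_if="outside"):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_pix(config)
    public_ip = next((g for f, to, g, local in cfg["statics"]
                      if (f, to, local) == (dmz_if, outside_if, concentrator_dmz_ip)), None)
    findings = []
    if public_ip is None:
        findings.append(f"no static ({dmz_if},{outside_if}) translation for {concentrator_dmz_ip}")
    else:
        aces = cfg["acls"].get(cfg["access_groups"].get(outside_if), [])
        for proto, port in REQUIRED_FLOWS:
            if first_match(aces, proto, public_ip, port) != "permit":
                svc = proto if port is None else f"{proto}/{port}"
                findings.append(f"{outside_if} ACL does not permit {svc} to {public_ip}")
    if outside_if in cfg["crypto_on"]:
        findings.append(f"crypto map still applied on {outside_if}; remove it if clients now terminate on the concentrator")
    return findings


# Constructed sample, modelled on the posted config (only the relevant lines).
BEFORE = """\
access-list acl-out permit esp any host 203.0.113.252
access-list acl-out permit ah any host 203.0.113.252
access-list acl-out permit udp any host 203.0.113.252 eq isakmp
access-list acl-out permit gre any host 203.0.113.252
access-list acl-out permit udp any host 203.0.113.252 eq 1000
access-list acl-out permit tcp any host 203.0.113.252 eq 1023
access-list acl-out deny icmp any any
access-list acl-out deny ip any any
static (dmz,outside) 203.0.113.252 172.16.1.5 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# Same config with the two UDP permits the replies ask for added and the crypto map removed.
AFTER = BEFORE.replace(
    "access-list acl-out permit udp any host 203.0.113.252 eq 1000\n",
    "access-list acl-out permit udp any host 203.0.113.252 eq 4500\n"
    "access-list acl-out permit udp any host 203.0.113.252 eq 10000\n",
).replace("crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map\n", ""
).replace("crypto map outside_map interface outside\n", "")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg, "172.16.1.5") or ["ok"])
```

On the "before" config the audit reports udp/4500 and udp/10000 blocked by the trailing "deny ip any any" (they never hit a permit first) plus the leftover crypto map; on the "after" config it reports nothing. The ACE order matters: a permit added after "deny ip any any" would still be reported as blocked, which is exactly what first-match evaluation is meant to catch. The gre, udp/1000 and tcp/1023 permits are left as posted, since the thread does not say why they are there.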