VPN Concentrator on DMZ

whitejulian
Level 1

I was wondering if someone could answer this question. Our vendor who installed our firewall and Concentrator can't seem to get the Concentrator to connect from the outside at all. He put the Concentrator on the DMZ of the firewall. He also used the public and private interface and not the external. Should the Concentrator be put on the internal side of the firewall?

4 Replies

awaheed
Cisco Employee

Hi Julian,

It's perfectly alright to put the Concentrator on the DMZ of the firewall, but a couple of things to keep in mind:

- Define a Static translation (with public ip addresses) for the CVPN3000 on the Firewall.

- Allow all VPN traffic or other traffic that you want to go to CVPN3000 through the firewall

- If you are trying to do Remote management on the CVPN3000, then make sure that you allow management access to the public interface of the CVPN3000 as follows:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094341.shtml

Additionally, although the Public interface will be on the DMZ, the Private interface should be on the inside of the Firewall.

hope this helps,

Regards,

Aamir

-=-=-

Thanks Aamir,

The concentrator is on the DMZ of the PIX. Prior to installing the concentrator we used the PIX for remote access.

This is the pix configuration:

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface gb-ethernet0 1000auto shutdown
interface gb-ethernet1 1000auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security60
nameif gb-ethernet0 dmz3 security55
nameif gb-ethernet1 dmz2 security50
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list BRSC_splitTunnelAcl permit ip 10.17.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip 10.17.0.0 255.255.0.0 10.17.123.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.17.123.0 255.255.255.0
access-list acl-out permit esp any host x.x.x.252
access-list acl-out permit ah any host x.x.x.252
access-list acl-out permit udp any host x.x.x.252 eq isakmp
access-list acl-out permit gre any host x.x.x.252
access-list acl-out permit udp any host x.x.x.252 eq 1000
access-list acl-out permit tcp any host x.x.x.252 eq 1023
access-list acl-out deny tcp any any eq 2048
access-list acl-out deny udp any any eq 2048
access-list acl-out deny tcp any any eq 4444
access-list acl-out deny tcp any any eq 135
access-list acl-out deny icmp any any
access-list acl-out deny ip any any
access-list acl-in deny tcp any any eq 2048
access-list acl-in deny udp any any eq 2048
access-list acl-in deny tcp any any eq 135
access-list acl-in deny tcp any any eq 137
access-list acl-in deny tcp any any eq 4444
access-list acl-in deny udp any any eq tftp
access-list acl-in deny tcp any any eq netbios-ssn
access-list acl-in deny tcp any any eq 445
access-list acl-in deny tcp any any eq 593
access-list acl-in deny icmp any any
access-list acl-in permit ip 10.17.0.0 255.255.0.0 any
pager lines 25
logging trap debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz3 1500
mtu dmz2 1500
ip address outside x.x.x.1 255.255.255.0
ip address inside 10.17.x.x 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip address dmz3 127.0.0.1 255.255.255.0
ip address dmz2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.17.123.1-10.17.123.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address dmz3
no failover ip address dmz2
pdm location 10.17.x.x 255.255.255.0 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.255.0 inside
pdm location 10.17.x.x 255.255.255.255 inside
pdm location 10.17.x.x 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.3
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.6 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.10 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.247 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.248 10.17.x.x netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.249 10.17.x.x netmask 255.255.255.255 0 0
static (inside,dmz) 10.17.0.0 10.17.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) x.x.x.252 172.16.1.5 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.5 1
route inside 10.17.0.0 255.255.0.0 10.17.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server BRSC protocol radius
aaa-server BRSC (inside) host 10.17.x.x MYSITE timeout 10
http server enable
http 10.17.x.x 255.255.255.255 inside
http 10.17.x.x 255.255.255.255 inside
http 10.17.x.x 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication BRSC
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BRSC address-pool ippool
vpngroup BRSC dns-server 10.17.x.x 10.17.x.x
vpngroup BRSC wins-server 10.17.x.x 10.17.x.x
vpngroup RBSC default-domain BRSC.com
vpngroup BRSC split-tunnel BRSC_splitTunnelAcl
vpngroup BRSC idle-time 1800
vpngroup BRSC password AAAAAAA
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx

We are still not able to authenticate through. Could you provide further assistance?

Hi Julian,

One thing that I see is that the PIX still has the crypto config on it, with the crypto map applied. Kindly remove that config if you are trying to terminate the clients on the Concentrator now. Additionally, make sure that whatever IP addresses you assign the clients (let's say 10.17.123.x) on the CVPN3000, the inside machines point to the inside of the CVPN3000 for that network rather than the PIX. Also, if you are using IPSec/NAT then open up UDP port 10000 as well, as that's the port used for IPSec/UDP rather than the port 1000 open at this time.

If this doesn't work then go ahead and open a TAC case with all the configs, so they can troubleshoot by running debugs on the CVPN3000 and PIX.

hope this helps,

Regards,

Aamir
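The two replies above come down to the same checklist for a concentrator behind the PIX: a static translation for its public interface, and the outside ACL permitting ESP, AH, ISAKMP (UDP 500), NAT-T (UDP 4500) and Cisco IPsec/UDP (UDP 10000, not 1000) to that mapped address. The following is an added example, not code from the thread or from Cisco: a small checker that parses the `static`, `access-list` and `access-group` lines of a PIX 6.x config, applies first-match ACL semantics with the implicit deny at the end, and reports which of those permits are missing. The sample config lines are the relevant ones from the posted configuration, reproduced here as constructed input; the "fixed" variant is what the replies recommend. Note that `sysopt connection permit-ipsec` only bypasses the ACL for tunnels terminating on the PIX itself, not for traffic passed through to a host behind it.

```python
"""Added example (not from the thread or Cisco): check a PIX 6.x config for the
inbound permits a CVPN3000 on the DMZ needs. First-match ACL semantics, with the
implicit deny at the end of every PIX ACL."""
import re

# Inbound traffic the concentrator must receive through the PIX. ESP and AH are
# IP protocols; ISAKMP is UDP 500, NAT-T is UDP 4500 (RFC 3948) and Cisco
# IPsec/UDP defaults to UDP 10000. 'sysopt connection permit-ipsec' does not
# help: it only bypasses the ACL for tunnels terminating on the PIX itself.
REQUIRED = [("esp", None), ("ah", None), ("udp", 500), ("udp", 4500), ("udp", 10000)]

# PIX port keywords that occur in the posted config.
PORT_NAMES = {"isakmp": 500, "tftp": 69, "netbios-ssn": 139}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def _port(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else tok)


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_config(text):
    """Return (statics, acls, groups): static NAT tuples, ACL entries by name,
    and the ACL applied inbound on each interface."""
    statics, acls, groups = [], {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())        # (high_if, low_if, mapped, real)
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, tokens = _take_addr(tokens)
            dst, tokens = _take_addr(tokens)
            port = _port(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)   # interface -> ACL name
    return statics, acls, groups


def first_match(entries, proto, dst, port):
    """Action taken for a packet from an arbitrary Internet host to dst."""
    for action, eproto, src, edst, eport in entries:
        if src != "any" or eproto not in ("ip", proto):
            continue
        if edst not in ("any", dst) or (eport is not None and eport != port):
            continue
        return action
    return "deny"                              # implicit deny at end of ACL


def check_concentrator(config, real_ip, dmz_if="dmz"):
    """Return the concentrator's mapped public address and the missing permits."""
    statics, acls, groups = parse_config(config)
    mapped = next((m for hi, lo, m, real in statics
                   if hi == dmz_if and lo == "outside" and real == real_ip), None)
    entries = acls.get(groups.get("outside", ""), [])   # no ACL on outside: nothing inbound
    missing = []
    for proto, port in REQUIRED:
        if mapped is None or first_match(entries, proto, mapped, port) != "permit":
            missing.append(proto if port is None else f"{proto}/{port}")
    return {"mapped": mapped, "missing": missing}


# Constructed sample: the relevant lines of the config posted in the thread.
POSTED = """
static (dmz,outside) x.x.x.252 172.16.1.5 netmask 255.255.255.255 0 0
access-list acl-out permit esp any host x.x.x.252
access-list acl-out permit ah any host x.x.x.252
access-list acl-out permit udp any host x.x.x.252 eq isakmp
access-list acl-out permit gre any host x.x.x.252
access-list acl-out permit udp any host x.x.x.252 eq 1000
access-list acl-out permit tcp any host x.x.x.252 eq 1023
access-list acl-out deny icmp any any
access-list acl-out deny ip any any
access-group acl-out in interface outside
"""

# The same lines with NAT-T and IPsec/UDP opened (1000 was a typo for 10000).
FIXED = POSTED.replace(
    "eq 1000\n",
    "eq 4500\naccess-list acl-out permit udp any host x.x.x.252 eq 10000\n")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_concentrator(cfg, "172.16.1.5"))
```

Run against the posted lines it reports `udp/4500` and `udp/10000` missing, which matches the diagnosis in the replies; against the fixed lines it reports nothing missing. The checker models only a source of `any`, since the question is what an arbitrary Internet peer can reach, and treats a missing `access-group` on outside as denying everything, which is the PIX default for lower-to-higher security traffic.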

-=-=-

Can't authenticate? Has the username/password prompt come up at all? Anyway, I totally agree with the previous post to permit UDP 10000. I would as well permit UDP 4500. In case you are still not sure whether the access-list is blocking any related traffic, then do the following for a test:

access-l acl-out permit ip any host x.x.x.152

It sounds like your vendor hasn't got much experience on the concentrator. Here is another piece of advice: you will need a router on your local LAN that acts as the default gateway.

I believe the default route on the inside hosts is the PIX inside interface, right? For example, if the remote client pool on the concentrator is 192.168.1.0, then you will have to put static routes on the router as below:

ip route 0.0.0.0 0.0.0.0

ip route 192.168.1.0 255.255.255.0

Otherwise you won't be able to access anything, as the PIX hasn't got a route to 192.168.1.0.
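The routing advice in this reply, and the earlier note that inside machines must point at the concentrator's private interface for the client pool, are easiest to see by tracing the return packet hop by hop. What follows is an added example, not code from the thread: a longest-prefix-match route tracer over a constructed topology (device and interface names, the 192.168.1.0/24 pool and the 10.17.0.0/16 LAN are all assumed for the example). It models one PIX 6.x behaviour that explains why the route has to live on the LAN router or the hosts rather than on the PIX: PIX 6.x does not forward a packet back out the interface it arrived on, so a `route inside 192.168.1.0 ...` pointing at the concentrator on the PIX drops the traffic instead of redirecting it.

```python
"""Added example (not from the thread): trace the return path from an inside
host to a VPN client address under four routing setups. Device names,
interface names and address ranges are constructed for the example."""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (prefix, egress_interface, next_hop) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nxt in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nxt)
    return None if best is None else (best[1], best[2])


def trace(topology, links, src, dst, max_hops=8):
    """Follow a packet device by device. links[(a, b)] is the interface on b
    that faces a. A next hop absent from topology is a delivery segment."""
    path, dev, prev = [src], src, None
    for _ in range(max_hops):
        node = topology[dev]
        hit = lookup(node["routes"], dst)
        if hit is None:
            return path + ["dropped: no route on " + dev]
        egress, nxt = hit
        # PIX 6.x (hairpin=False) will not send a packet back out its ingress
        # interface; a router (hairpin=True) will, usually with an ICMP redirect.
        if not node.get("hairpin", True) and links.get((prev, dev)) == egress:
            return path + [f"dropped: {dev} will not forward back out {egress}"]
        path.append(nxt)
        if nxt not in topology:
            return path
        prev, dev = dev, nxt
    return path + ["dropped: hop limit"]


POOL = "192.168.1.0/24"   # assumed remote-access client pool on the concentrator
LAN = "10.17.0.0/16"      # inside network from the posted config

# Which interface on the second device faces the first device.
LINKS = {
    ("host", "router"): "lan", ("host", "pix"): "inside",
    ("router", "pix"): "inside", ("router", "concentrator"): "private",
    ("pix", "router"): "inside", ("pix", "concentrator"): "private",
}


def build_topology(host_gateway, router_has_pool_route, pix_has_pool_route):
    router_routes = [("0.0.0.0/0", "lan", "pix")]
    if router_has_pool_route:      # ip route 192.168.1.0 255.255.255.0 <concentrator private>
        router_routes.append((POOL, "lan", "concentrator"))
    pix_routes = [("0.0.0.0/0", "outside", "internet"), (LAN, "inside", "router")]
    if pix_has_pool_route:         # route inside 192.168.1.0 255.255.255.0 <concentrator private>
        pix_routes.append((POOL, "inside", "concentrator"))
    return {
        "host": {"routes": [("0.0.0.0/0", "lan", host_gateway)]},
        "router": {"routes": router_routes},
        "pix": {"routes": pix_routes, "hairpin": False},
        # The concentrator delivers pool addresses into the client tunnels.
        "concentrator": {"routes": [(POOL, "public", "vpn-client")]},
    }


def return_paths(dst="192.168.1.5"):
    """Trace the reply from an inside host to a VPN client in each setup."""
    cases = {
        "hosts default to PIX, no pool route anywhere": ("pix", False, False),
        "hosts default to PIX, pool route on PIX": ("pix", False, True),
        "hosts default to router, no pool route": ("router", False, False),
        "hosts default to router, pool route on router": ("router", True, False),
    }
    return {name: trace(build_topology(*args), LINKS, "host", dst)
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, path in return_paths().items():
        print(f"{name}: {' -> '.join(path)}")
```

Only the last setup delivers the reply to the client. With no pool route the reply follows the default route out of the PIX toward the Internet (and gets NATed on the way, since `nat (inside) 1` covers everything); with the pool route on the PIX it is dropped at the PIX because the egress interface equals the ingress interface. The same tracer can be reused for the 10.17.123.0/24 pool from the PIX config by changing `POOL`.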
