  • PIX VPN and crypto ACL general questions?

    Hi guys,

    I've read all sorts of guides on petri.co.il over the last few years but never noticed there was a forum as well, hopefully it can be as helpful as all the excellent guides have been!

    I've used a lot of Zyxel routers/firewalls over the last few years but for a project I'm working on it seemed like a Cisco would be the most appropriate. So I'm now configuring it, learning as I go along. So if some of my questions seem simple you'll understand why.

    Basically what we're aiming for is this -
    20-25 users (not necessarily staff members, but semi-trusted) connecting to a head office to access a particular service on one server. They won't have static IPs and won't have VPN capable hardware firewalls at their end. So they will be connecting using the Cisco VPN Client software.
    So the plan is a PIX 506E in head office solely for handling these VPN connections. It will sit behind an existing router and will have a static public IP. They already have a firewall in place that will deal with their Internet access etc. The PIX is completely dedicated to receiving these VPNs and providing a connection to that one server on a handful of TCP ports. It is quite important that the users who connect in are restricted to accessing this one server, say it is 192.168.1.100. And if possible only on a specific list of ports, say TCP 5900-5910 for this discussion. I also don't want local users on the office LAN being able to communicate with the clients that connect in. So it basically needs to be as restrictive as it can be.


    As it stands I have the PIX configured for the VPN connections and it seems to be working perfectly. Preshared key, then aaa-server using a local database of users on the PIX (there are no RADIUS servers available). The PIX is issuing users who connect IPs from a pool, say 10.0.0.1-10.0.0.254.

    Hopefully it makes sense what I'm trying to do.

    There are a load of questions I have but I'll start with a few and see how I go. I'm reading Cisco guides till they come out my ears here, but some of it is a bit unclear to somebody who has had practically no Cisco experience until last week!

    1. The "sysopt connection permit-ipsec". My guess is I'd be better off not using it as I don't want all traffic that comes through the IPSEC tunnel to be allowed, I only want the clients to talk to one server on specific ports, and I want to restrict communications from the server/local LAN users to the clients. Right?

    2. Without "sysopt connection permit-ipsec" no traffic will get through the VPN until it is specifically allowed by a crypto ACL right? Are crypto ACLs the way I should go about configuring what I'm trying to achieve here?

    3. To stop LAN users sending outbound traffic through the PIX I need to add something like -
    {access-list acl_outbound deny ip any any}
    {access-group acl_outbound in interface inside}
    But will this also block traffic coming from the server to go through the IPSEC tunnel? If so what should I do here? Something like -
    {access-list acl_outbound permit ip 192.168.1.100 255.255.255.255 10.0.0.0 255.255.255.0}
    {access-list acl_outbound deny ip any any}
    {access-group acl_outbound in interface inside}

    4. I guess that's pretty much it, unless there is anything obvious missing from my config that would make things more/less secure? Any suggestions much appreciated!



    So here is the config as it stands now. It's not actually in place at the moment, I have a laptop connected directly to the outside interface, so there's a route or two not in place yet.



    Thanks very much for any thoughts and suggestions!



    -----------------------------
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********** encrypted
    passwd ********** encrypted
    hostname vpnfirewall
    domain-name **********.***
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.2.3.4 255.255.255.248
    ip address inside 192.168.1.201 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool1 10.0.0.1-10.0.0.254 mask 255.255.255.255
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set transset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set transset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 client authentication LOCAL
    crypto map map1 interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup mygroup address-pool vpnpool1
    vpngroup mygroup idle-time 1800
    vpngroup mygroup password ********
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    username ****** password ********** encrypted privilege 0
    terminal width 80
    ------------------------------------------

    *Just noticed some NAT commands in there that probably won't be needed in the final config as nobody will be NATing through it...

  • #2
    Re: PIX VPN and crypto ACL general questions?

    Another quick question -
    When traffic goes through a VPN tunnel on the PIX it seems like I have to use NAT? Otherwise I get debug errors like "no translation group found for...". Is this correct?
    I don't particularly want/need to access the server using a routable IP, I'd sooner just put the 192.168.1.100 into the application at the client end and have that routed through the tunnel. This is the way it would work with a Zyxel VPN tunnel which I am used to. But by the looks of it using the translated public IP is the way it's done with the Ciscos? Or can I set NAT to do translation, but not really translate the address from private to public at all?

    Maybe I'm making no sense here and using a public IP is the way it should be done, please just let me know. It's a steep learning curve.


    Thanks!



    • #3
      Re: PIX VPN and crypto ACL general questions?

      Hi Zenith,
      Thanks for posting your questions here. I am sorry for the delay in getting back to you. WOW - this is a big question. Let me see what I can do and I am sure that, based on the size of the question, there will be some followup questions.

      About #1 - the sysopt connection permit-ipsec
      Yes, you are correct, the sysopt connection permit-ipsec command does the following:
      Implicitly permit any packet that came from an IPSec tunnel and bypass the checking of an associated access-list, conduit, or access-group command statement for IPSec connections.
      (taken from this link http://www.cisco.com/univercd/cc/td/....htm#wp1026942)
      So, no, you don't want to do that as you want more power to filter the traffic coming in the IPSEC tunnel

      About #2 - more sysopt connection permit-ipsec
      Yes, no traffic should come through until you create an ACL and apply it with an access-group command. Yes, I would use ACLs, not conduits.

      About #3 - controlling LAN traffic
      Yes, the second, more specific ACL is more like what you want to apply. I did not go through the entire config to be able to tell you if the ACL is correct but, yes, create an ACL to allow the IP address range of the VPN clients to go to the server on the specific ports. You would apply that ACL inbound because the from is the VPN clients and the to is the server.

      About follow up questions
      Your VPN clients will have two IP addresses - one public IP address (or another address that is being NATed by their router) and a VPN IP address. The VPN adaptor IP address will be a PRIVATE address that you are assigning from your pool on this PIX. Thus, as it is private, it doesn't need to be NAT'ed.

      Here are the Cisco PIX 6.3 docs:
      http://www.cisco.com/univercd/cc/td/...v_63/index.htm

      Here is a list of working Cisco PIX configurations:
      http://www.cisco.com/en/US/products/...ples_list.html

      Let me know how it goes. It is difficult to troubleshoot a config this complex over a forum but I hope this helps.

      Thanks for your post!
      David

      David Davis - Petri Forums Moderator & Video Training Author
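      One way to lay out the ACLs David describes in his reply, as an added example that is not part of the thread: the addresses, pool and port range are the ones from the question, the ACL names acl_outside, acl_inside and nonat are my own, and lines beginning with ! are explanatory notes rather than PIX commands. These are interface ACLs (applied with access-group), which is what actually filters the decrypted client traffic here; a crypto map's match ACL only selects what gets encrypted on a site-to-site tunnel and does no filtering.

```text
! Leave "sysopt connection permit-ipsec" unset (it is absent from the posted config),
! so packets decrypted from the VPN are checked against the outside interface ACL.

! 1. What VPN clients (pool 10.0.0.0/24) may reach: the one server, on TCP 5900-5910 only.
!    The logged deny makes attempts to reach anything else visible in syslog.
access-list acl_outside permit tcp 10.0.0.0 255.255.255.0 host 192.168.1.100 range 5900 5910
access-list acl_outside deny ip 10.0.0.0 255.255.255.0 any log
access-list acl_outside deny ip any any
access-group acl_outside in interface outside

! 2. What the office LAN may start toward the clients: nothing. The PIX is stateful, so the
!    server's replies to a connection a client opened are matched by the connection table
!    and never hit this ACL; the extra permit asked about in question 3 is not needed.
access-list acl_inside deny ip any 10.0.0.0 255.255.255.0 log
access-list acl_inside deny ip any any
access-group acl_inside in interface inside

! 3. NAT exemption (the "NONAT" mentioned in post #4): traffic between the server and the
!    pool keeps its private addresses in both directions, which clears the
!    "no translation group found" errors without giving the server a public address.
access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
```

With these in place the existing nat (inside) 1 / global (outside) 1 lines are never used by VPN traffic, so they can stay or go as the original poster prefers.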



      • #4
        Re: PIX VPN and crypto ACL general questions?

        Thanks very much for the reply, I think I have it all sorted out now! I think my main problem was not doing NAT and NONAT, it was making doing the ACLs very confusing!
