topic Network Security for a department in Network Security

Network Security for a department

shameer sa — Tue, 12 Mar 2019 00:18:32 GMT

Hi all ,

Please go through my network diagram

I am using ospf in the network .I only mentioned some of the routers in the diagram .

Consider a Department A which is having a branch connected to Router R3 and to some other routers through E1 links which is no mentioned here .

Department A is having servers in the DMZ Zone of the firewall .

I need to add security features(Ipsec) to the department A network either though firewall or through routers .Here consider 192.168.2.0/24 in the R3 as department A network .Need to provide ipsec or any other security features to 192.168.2.0/24 network only not to the whole R3 network .

Routers Cisco 7206 ,7204

Network Security for a department

Jennifer Halim — Sat, 03 Nov 2012 11:00:44 GMT

You can configure LAN-to-LAN IPSec VPN between R3 and the PIX 525 firewall.

What version is your PIX firewall?

Here is a few sample configuration for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Network Security for a department

shameer sa — Tue, 06 Nov 2012 06:18:25 GMT

Hi Jennifer ,

Thanx for the quick reply .

My pix version is PIX Version 7.0(7) .

The document i will check and will reply

Network Security for a department

shameer sa — Tue, 06 Nov 2012 11:49:18 GMT

Hi jennifer ,

I understood the router part configuration .

Let me clear a point

In the pix ,servers are in the server zone whose security Level is 95 and wan network in W AN zone and security level is 91. The ipsec is to be enable in WAN zone interface for a particulaR traffic .

interface Ethernet4

speed 100

duplex full

nameif WAN

security-level 91

ip address x.x.x.x y.y.y.y

interface Ethernet5

speed 100

duplex full

nameif SERVER

security-level 95

ip address X.X.X.X Y.Y.Y.Y

I had read the following link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

I had totally confused with PIX part .

crypto ipsec transform-set avalanche esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address Ipsec-conn
crypto map forsberg 21 set peer 172.17.63.230 
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside

tunnel-group 172.17.63.230 type ipsec-l2l

tunnel-group 172.17.63.230 ipsec-attributes

pre-shared-key *

The above configuration is mentioning about one branch router and its ip 172.17.63.230.

But i had 14 branch routers .Then what is the change in the network configuration also what is the significance of

access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

.Here my traffic is not to the outside interface but only to the intranet .

Network Security for a department

Jennifer Halim — Tue, 06 Nov 2012 11:54:23 GMT

In your case, instead of terminating the IPSec tunnel on outside interface, you just have to change the interface to match your requirement, which is on the WAN interface.

If you have 14 branch routers, are you planning to build IPSec VPN from all the 14 branch routers?

If you are, then you just have to configure the crypto map with different sequence number. As per the above, the crypto map sequence number is 21, in your case, you can just configure 1 sequence number per branch router that you woudl like to build the VPN.

The crypto ACl must match the subnet local to PIX towards the remote subnet on the branch router.

The NONAT access-list is to bypass translation for those internal subnets.

Network Security for a department

shameer sa — Tue, 06 Nov 2012 12:21:55 GMT

Hi jeniffer,

Thank you for the quick solution .

Can you please clarify the following

tunnel-group 172.17.63.230 type ipsec-l2l

tunnel-group 172.17.63.230 ipsec-attributes

pre-shared-key *

Here the above preshared key is cisco123 the same we configured in the router ? What is the significance of the line

tunnel-group 172.17.63.230 type ipsec-l2l.

Network Security for a department

Jennifer Halim — Wed, 07 Nov 2012 02:01:51 GMT

The line: tunnel-group 172.17.63.230 type ipsec-l2l

will create the tunnel-group for the ipsec-l2l (ipsec-lan to lan) so you can configure attributes for this particular ipsec peer.

And yes, it is the same as the router where we configure the preshared key.