topic Re: Concentrator behind PIX in Network Security

Concentrator behind PIX

naive.naive — Fri, 21 Feb 2020 08:16:10 GMT

The cisco concentrator is behind pix..

but i ca't to get to the concentractor to allow user to login..

please find the config below

IX Version 6.3(3)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security80

nameif ethernet3 vpn security80

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password ZM2.IZknY5iIYxDH encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname FWPDN-A1.2-1

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.50 Exchange-Private

name 192.168.1.51 Antivirus-Private

access-list permit-all permit ip any any

access-list 100 permit tcp any any eq www

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp any any eq https

access-list 100 permit tcp any any eq domain

access-list 100 permit udp any any eq domain

access-list 100 permit tcp any any eq telnet

access-list 100 permit tcp any any eq 8080

access-list 100 permit icmp any any

access-list 100 deny ip any any

access-list any-vpn permit esp any any

access-list any-vpn permit udp any any eq isakmp

access-list any-vpn permit udp any any eq 4500

access-list any-vpn permit icmp any any

access-list any-vpn deny ip any any

access-list vpn-all permit ip any any

pager lines 24

logging console debugging

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu vpn 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 10.1.1.1 255.255.255.248

ip address inside 10.72.50.12 255.255.255.248

ip address dmz 192.168.1.1 255.255.255.0

ip address vpn 10.1.1.10 255.255.255.248

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

ip local pool VPDN 192.168.3.10-192.168.3.20

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address dmz

no failover ip address vpn

no failover ip address intf4

no failover ip address intf5

pdm location 10.72.50.14 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) 10.1.1.8 Exchange-Private netmask 255.255.255.255 0 0

static (dmz,outside) 10.1.1.7 Antivirus-Private netmask 255.255.255.255 0 0

static (dmz,outside) 10.1.1.99 192.168.1.10 netmask 255.255.255.255 0 0

static (vpn,outside) 10.1.1.6 192.168.2.1 netmask 255.255.255.255 0 0

access-group 100 in interface outside

access-group permit-all in interface inside

access-group 100 in interface dmz

access-group vpn-all in interface vpn

route outside 0.0.0.0 0.0.0.0 10.1.1.2 1

route inside 10.72.0.0 255.255.0.0 10.72.50.10 1

route vpn 192.168.2.0 255.255.255.0 10.1.1.9 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

telnet 10.72.101.10 255.255.255.255 inside

telnet 192.168.1.10 255.255.255.255 dmz

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: Concentrator behind PIX

UPPILIV — Thu, 14 Jul 2005 03:12:10 GMT

Hai,

I am Nanda. Tell me Through which interface the Vpn User Come in. And IN which Interface the Concentrator is located.

Also I Coul'd see VPN and DMZ interface has same Security level. If the Security level is same packet won't flow through.

Regard's

Nanda kumar.K

Re: Concentrator behind PIX

naive.naive — Thu, 14 Jul 2005 06:06:47 GMT

initially the security level is different (dmz-80, vpn-90)..just change to c whether it will work or not.

users come in from the outside..

concentrator is at the vpn interface..

Re: Concentrator behind PIX

ciscokrishna — Thu, 14 Jul 2005 06:27:39 GMT

Hi,

There is nothing to do with the DMZ and VPN interface security levels as long as they don't need communication. There are certain config issues which caught my eye

1) The tunnel terminates on the Concentrator. then the any-vpn access list is on the in interface VPN. This shud be on the in interface outside. This is because the encrypted traffic shud be allowed to pass thru PIX.

2) There is a static translation between the outside IP of the concentrator to a public pool (assumed to be as IP 192.168.2.1). You can permit any-vpn access list for this IP as the dest.

For testing purposes, u can try accessing (telnet or HTTPS) the outside of concentrator from outside the PIX (internet).

Will appreciate your comments

Re: Concentrator behind PIX

naive.naive — Thu, 14 Jul 2005 07:24:53 GMT

Have tried that, but still no success..

now, i've moved the concentrator to the dmz zone..but it's still the same

i can ping from internet to the concentrator public IP..

but when i try to vpn, it seems that no packet is travelling to the concentrator..and the error message is concentrator no response..but i can ping.

Re: Concentrator behind PIX

naive.naive — Thu, 14 Jul 2005 07:29:08 GMT

the whole scenario..

internet->router->pix with dmz zone

router doing nat n so does the pix (wanted to configure pix for passthru but cannot)..

public ip | router ip | pix ip

-------------------------------

60.x.x.x | 10.1.1.4 | 192.168.1.50 (servers)

60.x.x.x | 10.1.1.5 | 192.168.1.51 (servers)

60.x.x.x | 10.1.1.6 | 192.168.1.49 (concentrator)

from internet, i can ping to all the public ip and also access the servers services (http/pop3).

but cannot vpn to the concentrator..

please help

Re: Concentrator behind PIX

ciscokrishna — Thu, 14 Jul 2005 12:48:56 GMT

hmm...

but did u check the rules on the concentrator??

do one thing. first try to access (http or https) inside of the concentrator sitting inside. If that is happening. Check the rules on the public interface of the concentrator. U shud be giving https(in) access and https(out) access. Then from the internet try to access (https suggested) the concentrator's public IP.