topic Re: Pix with 4 interfaces in Network Security

Pix with 4 interfaces

naive.naive — Fri, 21 Feb 2020 08:15:19 GMT

Hi,

Need help on this as I'm newbie in PIX.

Have gone through the doc but still cannot get what i want.

Lets say,

Inside Interface : Internal Network

Outside Interface : Public Network

DMZ Interface : DMZ servers

VPN Interface : connected to VPN Concentrator

Desired reults:

1) All the inside are able to access outside

2) Outside users can access the DMZ

3) Outside users can VPN. (PIX have to bypass the IPSec tunnel to the VPN box)

But still cannot get what i wanted..

Please help.

Re: Pix with 4 interfaces

tvanginneken — Thu, 07 Jul 2005 06:35:41 GMT

Hi,

did you already have a look at this url:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

It show all kinds of configuration examples.

Hope this help?

Kind Regards,

Tom

Re: Pix with 4 interfaces

naive.naive — Thu, 07 Jul 2005 07:03:16 GMT

already did...but still cannot get what i wanted..especially on the access list that i've to build..in order for the access..

Re: Pix with 4 interfaces

tvanginneken — Thu, 07 Jul 2005 07:24:30 GMT

What kind of access do you need (smtp, http, ...) from where to where (inside, dmz, ...)? Is it possible to post the access-list you already have?

Kind Regards,

Tom

Re: Pix with 4 interfaces

paddyxdoyle — Thu, 07 Jul 2005 07:31:00 GMT

I'll have a stab at it, i think your config will be along the lines of:

Allow internal users to access internet using PAT to the public address assigned to the outside interface

----

# global (outside) 1 interface

# nat (inside) 1 0 0

To permit HTTP traffic to a host on the DMZ from the outside:

----

# static (dmz,outside) netmask 255.255.255.255

# access-list outside_in permit tcp any host eq http

# access-group outside_in in interface outside

To permit IPSEC to VPN Gateway on DMZ:

----

# sysopt connection permit-ipsec

# static (dmz,outside) netmask 255.255.255.255

To permit outbound VPN connections

----

# global (outside) 2

# nat (dmz) 255.255.255.255

The "sysopt connection permit-ipsec" command will allow all packets from an IPSEC tunnel to bypass ACL checking so you don't need to build an access list for this.

I'm sure you'll be permitting other ports to your DMZ, these can be added to the access-list outside_in.

HTH

PJD

Re: Pix with 4 interfaces

tvanginneken — Thu, 07 Jul 2005 07:54:31 GMT

Hi,

I have a few remarks 🙂

° sysopt connection permit-ipsec

This only works if the vpn tunnel is TO the PIX (so the pix is the vpn gateway) and not THROUGH the pix (in your case).

So you need to add access-list entries to the outside-in access-list to allow the vpn traffic (udp/500 for ike, esp or UDP encap for encrypted data)from the outside to the dmz.

° static (dmz,outside) netmask 255.255.255.255

This works in both direction, so you don't need:

global (outside) 2

nat (dmz) 255.255.255.255

Kind Regards,

Tom

Re: Pix with 4 interfaces

paddyxdoyle — Thu, 07 Jul 2005 09:24:22 GMT

Hi Tom,

Thanks for the remarks 🙂

Are you sure about the syslopt comment, i thought it would allow IPSEC pass through aswell.

Have a look here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00801aed85.html#1034087

Thanks

Paddy

Re: Pix with 4 interfaces

tvanginneken — Thu, 07 Jul 2005 10:53:12 GMT

Hi Paddy,

I am quite sure.

Somewhere in the link you posted, you will find this:

"To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command."

The PIX can only be sure that the session is autheticated if the PIX is also the endpoint of the VPN tunnel.

If it is still not working, you should consider to enable logging to see what packets are denied. More info on how to setup syslogging can be found here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml

Hope this helps?

Kind Regards,

Tom

Re: Pix with 4 interfaces

paddyxdoyle — Thu, 07 Jul 2005 11:18:45 GMT

Thanks Tom,

It's confusing because the link also says:

Note If the sysopt connection permit-ipsec command is not configured, you must explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall.

I can't really test it as i don't have a PIX at the mo 😞

Thanks

Paddy

Re: Pix with 4 interfaces

naive.naive — Thu, 07 Jul 2005 15:42:43 GMT

Hi,

in order for the vpn traffic to bypass, which one i should use??

should i create a static nat to the vpn box, and then create an accesslist to permit the vpn traffic??

Thanks.

Re: Pix with 4 interfaces

paddyxdoyle — Fri, 08 Jul 2005 10:07:06 GMT

I think Tom is correct, i've done some more reading on the sysopt command however if you can i would still try using it out of curiosity.

Other than that you need to have access-lists as:

For AH

---

PIX1(config)# access-list outside_access_in permit 50 any host

For ESP

---

PIX1(config)# access-list outside_access_in permit 51 any

For both ESP and AH (IKE)

PIX1(config)# access-list outside_access_in permit udp host eq 500

HTH

PJD