VPN concentrator on PIX515 DMZ

binaghimire
Beginner

Hi all,

I'm planning to connect the VPN concentrator in our company to the PIX515 DMZ interface. At the moment, the VPN concentrator (used for remote access VPN for laptop users) is connected directly to the core switch, as is the PIX515. Having the VPN concentrator connected directly to the LAN is a security risk, so I want to connect the VPN concentrator to the DMZ of the firewall (PIX515).

We don't have any test environment and we are not allowed to have downtime of more than 10 minutes in the production network, so I want to make sure my design and commands would work without problems.

I've attached a diagram of our current setup and the new setup I'm planning to work on, as well as the commands. Please review and advise if everything is all right and this design will work: NAT, routing, everything.

Let me know if you need to know anything else about the current network.

Looking forward to hearing expert advice.

15 Replies

Jennifer Halim
Cisco Employee

What you have put down so far are all correct with a few additions as follows:

On the Concentrator:

1) Firstly need to change the inside interface from 10.76.50.3 to 192.168.2.2

On the PIX:

1) Don't really need "nat(dmz) 1 192.168.1.0 255.255.255.0"

On core switch:

1) Change the route "ip route 192.168.1.0 255.255.255.0 10.76.50.3": either remove it and just use the default gateway, or if you might have other routes that might overlap:

ip route 192.168.1.0 255.255.255.0 10.76.50.2

Hope that helps.

Hi Jennifer,

Thanks for the reply.

In reply to the three points you mentioned,

1) Yes, the inside interface of the VPN concentrator will be changed to 192.168.2.2, as shown in new setup.vsd.

2) On the PIX, without nat (dmz) 1, how would the VPN users be able to access the internet?

3) On the core switch, at the moment the default route is pointing to 10.76.50.2 (PIX inside interface). I think that will cover the VPN concentrator subnet too.

Please let me know if my above assumptions are correct.

Is routing and NATting all right?

Thanks

1) Yes, your new setup.vsd has it, but your command text doesn't

2) So assuming that you don't configure split tunnel for your vpn users, then yes, the "nat (dmz) 1" statement is required.

And you will also need to add the following in your ACL 101 applied to DMZ:

access-list 101 permit ip 192.168.1.0 255.255.255.0 any

otherwise, the vpn user will not be able to access the internet

Plus you will also need to change the tunnel default gateway on the vpn concentrator from 10.76.50.x to 192.168.2.1

3) On the core switch, since your pix and concentrator inside interface are in the same subnet, I assume that on top of the default gateway pointing towards the PIX inside interface, you will also have static route for the vpn pool to point to the concentrator inside interface.

Everything else that you have provided in the command text is correct.

Thanks Jennifer for clarifying this. Yes, I missed adding the VPN concentrator interface command in the text.

On point 2, I need to find a way to give VPN users internet access without allowing everything or using the access-list below,

access-list 101 permit ip 192.168.1.0 255.255.255.0 any

We have Websense for URL filtering for the internal LAN; I need to maybe incorporate the DMZ interface with Websense. Do you have experience with Websense?

Thinking about doing this:

access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq http

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

url-server (inside) vendor websense host 10.76.50.101 timeout 30 protocol TCP version 4

What do you think?

OK, how do you currently point your internal hosts to the websense server? via the url filtering feature on the PIX or by explicit proxy?

If you use explicit proxy, that will work out just fine because you don't need to open the access-list widely for internet traffic as internet traffic will be forwarded to the websense server first which is internal, and it should be covered via the permit from 192.168.1.0/24 to 10.0.0.0/8.

However if you are using the URL filtering feature on PIX, then you still need to allow the traffic through hence as you said you will need "permit tcp 192.168.1.0 255.255.255.0 eq 80" as well as for port 443 (https).

We have got a Websense server which filters URLs. The PIX is configured to send traffic to the Websense server. These are the commands on the PIX for Websense filtering:

access-list acl-outbound permit tcp any any eq ftp
access-list acl-outbound permit tcp any any eq www
access-list acl-outbound permit tcp any any eq https

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

url-server (inside) vendor websense host 10.76.50.93 timeout 30 protocol TCP version 4, where 10.76.50.93 is our Websense server.

So I think we just need a rule to permit the VPN pool to have access to the Websense server or 10.0.0.0/8:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-group 101 in interface dmz

Don't you think?

If you use the URL filter feature on the PIX firewall, you would need to permit "tcp 192.168.1.0 255.255.255.0 any eq 80" and also on port 443, because the interface ACL will be checked first before the URL filtering feature. Once the interface ACL allows the traffic through, then the PIX will redirect the traffic to the Websense server.

So you would need the following:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 80

access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 443

Dear all,

I managed to test this change yesterday, but needed to back out the change because something didn't work properly.

RADIUS authentication didn't work. When I tried to connect to the network using the Cisco VPN client, I got the username and password prompt, but authentication wasn't successful. Then what I did was remove authentication from the VPN concentrator and connect to the VPN bypassing authentication. When I was connected, I got an IP address from the pool, and I could do everything I tried to do, which was a good thing. But I couldn't get the first bit, the login auth, working.

Just to let you know, my RADIUS server is in the inside network, 10.76.50.22.

I also added the access list

access-list 101 permit udp host 192.168.2.2 host 10.76.50.22 eq radius

but even that didn't resolve the issue.

Can anyone think of anything I might have missed?

Yes, on the RADIUS server itself: since you have changed the VPN concentrator IP address, have you changed that on the RADIUS server itself?

You will need to point the network device on the radius server to point to the new ip address of the concentrator.

Yes, the access-list is correct, you will need to configure that to allow radius traffic from the concentrator towards the radius server.

Yes, I have added 192.168.2.2 as a RADIUS client in the RADIUS server and changed the IP address of the RADIUS profile as well from 10.76.50.3 to 192.168.2.2, but even then it didn't work.

Where was it failing? Did you perform packet capture on the PIX to see where it's failing?

Also did you get any hitcount on ACL 101 for the radius?

Also what radius port is the radius server using? did you try to enable both UDP/1645 and UDP/1812?

Can you ping the radius server from the VPN Concentrator?
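An added example, not code from the thread or from Cisco: a small Python model of ACL 101 on the DMZ as assembled in the replies above, used to check the flows discussed (VPN pool to the inside, VPN pool to the internet on 80/443, concentrator to the RADIUS server) before a change window. The port-name table, the VPN client address 192.168.1.10 and the internet host 198.51.100.7 are constructed for the example; it also shows that "eq radius" only covers UDP/1645, which is the UDP/1812 point raised in the reply above.

```python
import ipaddress

# Port names as the PIX resolves them (constructed table for this example;
# "radius" maps to UDP/1645 only, so UDP/1812 needs its own entry in the ACL).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21,
              "radius": 1645, "radius-acct": 1646}

def _net(tok):
    """Consume one PIX address spec: 'any' | 'host A' | 'A MASK'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")  # PIX uses subnet masks

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    permit, proto, rest = tok[2] == "permit", tok[3], tok[4:]
    src, dst = _net(rest), _net(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"permit": permit, "proto": proto, "src": src, "dst": dst, "dport": dport}

def acl_permits(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation, ending in the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["permit"]
    return False

# ACL 101 (applied inbound on the DMZ) as assembled over the thread
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 255.255.255.0 any eq 443",
    "access-list 101 permit udp host 192.168.2.2 host 10.76.50.22 eq radius",
)]

def design_checks(acl=ACL_101):
    """Flows worth verifying before the change window (addresses constructed)."""
    return {
        "vpn_to_lan": acl_permits(acl, "tcp", "192.168.1.10", "10.76.50.22", 445),
        "vpn_http": acl_permits(acl, "tcp", "192.168.1.10", "198.51.100.7", 80),
        "vpn_smtp": acl_permits(acl, "tcp", "192.168.1.10", "198.51.100.7", 25),
        "radius_1645": acl_permits(acl, "udp", "192.168.2.2", "10.76.50.22", 1645),
        "radius_1812": acl_permits(acl, "udp", "192.168.2.2", "10.76.50.22", 1812),
    }
```

The model only evaluates the interface ACL; NAT, the tunnel default gateway and stateful return traffic are outside it, so a True here is necessary but not sufficient for the flow to work.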

m.kafka
Enthusiast

Hi,

Could you please provide a neutral format of the drawing? Maybe export or print to PDF?

The following design could be acceptable for you: VPN3000 public connected to the outside, using a public address, VPN3000 private connected to a DMZ of the PIX. The PIX will receive the VPN content and can apply firewall rules and inspection before traffic enters the inside.

Rgds, MiKa

Hi Mika,

Please find attached the diagram in PDF format.

Yes, I'm planning to do exactly what you advised in your last post (you can see that in the diagram), just need to be sure about the commands.

Thanks

Hi,

That looks very reasonable. Just make sure that the tunnel default gateway on the VPN3000 also points to the ASA DMZ.

VPN3000 is long time ago but I remember that the default gateway applied to the tunneled traffic will be configured separately, make sure it points to 192.168.2.1

This will allow the tunneled traffic (your VPN clients with a source of 192.168.1.0/24) to be routed towards the PIX, and the PIX can either forward it to the inside according to your access-list or apply NAT and route it towards the internet, but then you would need to extend your DMZ access-list to also permit internet traffic for the VPN clients. This is why you have a nat (dmz), don't you?

If your clients use split-tunnel then you can remove the nat (dmz).

regards,

MiKa
