238 Views, 0 Helpful, 2 Replies

Ok, I am not sure if I am doing this right :(

rbinc
Level 1

I have 4 interfaces (actually 6 but only using 4 right now) on my pix system.

I have Outside, inside, dmz and vpn.

I plugged my Cisco 3015 into interface 4 and gave it the following internal IP:

192.168.3.1 - (using NAT) x.x.x.x public

I set up the following ACLs to allow authentication, and that works:

access-list vpn_access_in permit udp host 192.168.200.2 any eq isakmp

access-list outside_access_in permit udp any eq isakmp host x.x.x.x

NAT rules:

static (inside, vpn) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside, vpn) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

(The VPN box has its own DHCP pool on a separate network.)

Now my question: what are the correct ACLs to allow my internal network to communicate with my VPN box?

???

access-list inside_access_in permit tcp any host 192.168.200.2

access-list vpn_access_in permit tcp host 192.168.200.2 any

Also, just to make sure, I added a route to send 192.168.200.0 traffic back to my firewall.

Am I doing this right?

thanks for any input!

2 Replies

r-simpson
Level 3

Use the following URL for the rules on how to write access lists:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#1067755

yizhar
Level 1

Hi.

> plugged my Cisco 3015 into interface 4

It's a good idea to use a dedicated interface for the VPN server.

> I set up the following ACLs to allow authentication, and that works...

Did you also permit ESP traffic in those access lists?

> NAT rules:

> static (inside, vpn) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

> static (inside, vpn) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

An alternative way, which is similar but does not involve proxy ARP:

access-list nonatinside permit ip 192.168.0.0 255.255.0.0 VPNCLIENTS 255.255.255.0

nat (inside) 0 access-list nonatinside

> Now my question: what are the correct ACLs to allow my internal network to communicate with my VPN box?

Good question.

The answer is also a question: what is your VPN network policy?

A general rule is: only allow the minimal traffic you need.

You have used a dedicated interface at the pix which can give you better control over VPN traffic, but if you simply permit all traffic between VPN and LAN, then it is almost the same as placing the VPN server on the inside LAN. Isn't it?

So, if the VPN users need access to a specific server only, then you can use:

access-list vpn_access_in permit ip VPNCLIENTS 255.255.255.0 host INTERNAL SERVER

And add fine tuning and access control at the 3015 VPN server.

> access-list inside_access_in permit tcp any host 192.168.200.2

No need for this, because VPN clients typically initiate the connection to the internal server(s), but the internal server(s) normally do not initiate sessions to the VPN clients.

Bye

Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar
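Below is an added PIX 6.x configuration sketch that pulls the reply's advice together; it is not part of the thread or either poster's configuration. It keeps the page's placeholders (VPNCLIENTS for the 3015's client pool, INTERNAL_SERVER for the one host the clients may reach, x.x.x.x for the public address) and assumes 192.168.200.2 is the 3015's address on the PIX's vpn interface and that the client pool is routed through that address.

```text
! Weak version: any-to-any between the vpn segment and the LAN. The dedicated
! interface buys nothing here; the 3015 might as well sit on the inside LAN.
access-list vpn_access_in permit ip any any
access-group vpn_access_in in interface vpn

! Tighter version.
! 1. Outside -> VPN server: only what IPsec itself needs (ISAKMP and ESP),
!    so the earlier rule that permitted ISAKMP alone is completed with ESP.
access-list outside_access_in permit udp any host x.x.x.x eq isakmp
access-list outside_access_in permit esp any host x.x.x.x
access-group outside_access_in in interface outside

! 2. vpn -> inside: the 3015 may talk IPsec outward, the client pool may reach
!    the one permitted server, and nothing else. The final deny is already
!    implicit on the PIX; writing it out gives a hit counter in "show access-list".
access-list vpn_access_in permit udp host 192.168.200.2 any eq isakmp
access-list vpn_access_in permit esp host 192.168.200.2 any
access-list vpn_access_in permit ip VPNCLIENTS 255.255.255.0 host INTERNAL_SERVER
access-list vpn_access_in deny ip any any
access-group vpn_access_in in interface vpn

! 3. NAT exemption for LAN <-> client-pool traffic instead of identity statics,
!    so the PIX does not proxy-ARP for the inside networks on the vpn interface.
access-list nonatinside permit ip 192.168.0.0 255.255.0.0 VPNCLIENTS 255.255.255.0
nat (inside) 0 access-list nonatinside

! 4. Return path for the client pool, which lives behind the 3015 (assumption:
!    the pool is reached via the 3015's vpn-side address).
route vpn VPNCLIENTS 255.255.255.0 192.168.200.2
```

No inside_access_in rule toward 192.168.200.2 is added, matching the reply: the clients initiate sessions and the PIX's stateful inspection allows the return traffic.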