Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
344
Views
0
Helpful
3
Replies

PIX VPN / Acl question - with 2 legal IP

agoodwin
Level 1
Level 1

‎05-25-2004 03:17 AM - edited ‎02-21-2020 01:10 PM

Hi all,

If I had the following situation what sort of problems should I look out for?

Router

|100.100.100.1 /30

|

|100.100.100.2 /30

PIX

|10.0.2.1 /16

|

|10.0.0.2 /16

Server

I have:

nat (inside) 1 10.0.0.2 255.255.255.255

global (outside) 1 interface

static (inside,outside) tcp 100.100.100.2 25 10.0.0.2 25

static (inside,outside) tcp 100.100.100.2 80 10.0.0.2 80

static (inside,outside) tcp 100.100.100.2 443 10.0.0.2 443

access-list inbound permit tcp any host 100.100.100.2 eq smtp

access-list inbound permit tcp any host 100.100.100.2 eq http

access-list inbound permit tcp any host 100.100.100.2 eq https

access-list inbound permit esp any host 100.100.100.2

access-list inbound permit udp any host 100.100.100.2 eq isakmp

access-group inbound in interface outside

plus vpn stuff.

I have put the acl bits for isakmp and esp because I "think" that otherwise my acl will block the traffic by default as it is assigned to the outside interface / ip address.

Not sure if 'sysopt conn perm ipsec' would negate this.

thanks

Andy

Labels:
0 Helpful
3 Replies 3

joneschw1
Level 1
Level 1

‎05-25-2004 06:10 PM

You are using PAT so IPSec out from the inside will be a bit of an issue. You should also use the 6.3.3 and the fixup pptp 1723. That will make pptp out work well.

Remember the access list for the vpn subnet to the inside subnet and the nat 0 on it.

Also, wouldn't you want to do nat (inside) 1 0 0 so that you don't nat anything internal

I'm still learning, but I've gotten the "opportunity" to see these issues first hand.

0 Helpful

agoodwin
Level 1
Level 1
In response to joneschw1

‎05-26-2004 04:01 AM

Hi,

thanks for the reply.

I was trying to get vpn inbound from outside rather than from the inside out through the pix (but then that does help with another issue I have so thanks!)

I found my problem in the end, the isp I was using to test with appear to have been blocking something... I used another and suddenly it all worked.

Thanks again

Andy

0 Helpful

ehirsel
Level 6
Level 6

‎05-26-2004 04:05 AM

By default, the pix would allow any connection originating on the highest security interface, inside in your case, to proceed. So unless there is a reason that the server 10.0.0.2 to initiate connections, other than IPSec/VPN traffic, I would apply an access-list on the inside interface that only allows udp port 500 (isakmp) and the esp protocol from that server.

Because you want to run ipsec thru the firewall and not to it, you do need the acl clauses for isakmp and esp. The sysopt comm permit-ipsec only works when the ipsec tunnel terminates at the pix, and what it does is if the crypto map acl permits the traffic then the pix would allow it without checking the acl applied to the outside interface.

Note that if ipsec is to allow remote-access to the server, you may be better of terminating the vpn traffic on the firewall, so that it can only see and allow cleartext traffic to and from the server. The pix won't be able to secure the server from improper remote-access if the ipsec is an end-to-end setup.

0 Helpful
Customers Also Viewed These Support Documents