07-06-2005 11:28 PM - edited 02-21-2020 12:15 AM
Hi,
Need help on this as I'm a newbie in PIX.
Have gone through the doc but still cannot get what I want.
Let's say,
Inside Interface : Internal Network
Outside Interface : Public Network
DMZ Interface : DMZ servers
VPN Interface : connected to VPN Concentrator
Desired results:
1) All the inside are able to access outside
2) Outside users can access the DMZ
3) Outside users can VPN. (PIX have to bypass the IPSec tunnel to the VPN box)
But I still cannot get what I wanted.
Please help.
07-06-2005 11:35 PM
Hi,
did you already have a look at this url:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
It shows all kinds of configuration examples.
Hope this helps?
Kind Regards,
Tom
07-07-2005 12:03 AM
Already did... but I still cannot get what I wanted, especially on the access list that I've to build in order for the access.
07-07-2005 12:24 AM
What kind of access do you need (smtp, http, ...) from where to where (inside, dmz, ...)? Is it possible to post the access-list you already have?
Kind Regards,
Tom
07-07-2005 12:31 AM
I'll have a stab at it, I think your config will be along the lines of:
Allow internal users to access internet using PAT to the public address assigned to the outside interface
----
# global (outside) 1 interface
# nat (inside) 1 0 0
To permit HTTP traffic to a host on the DMZ from the outside:
----
# static (dmz,outside)
# access-list outside_in permit tcp any host
# access-group outside_in in interface outside
To permit IPSEC to VPN Gateway on DMZ:
----
# sysopt connection permit-ipsec
# static (dmz,outside)
To permit outbound VPN connections
----
# global (outside) 2
# nat (dmz)
The "sysopt connection permit-ipsec" command will allow all packets from an IPSEC tunnel to bypass ACL checking so you don't need to build an access list for this.
I'm sure you'll be permitting other ports to your DMZ, these can be added to the access-list outside_in.
HTH
PJD
07-07-2005 12:54 AM
Hi,
I have a few remarks :-)
° sysopt connection permit-ipsec
This only works if the vpn tunnel is TO the PIX (so the pix is the vpn gateway) and not THROUGH the pix (in your case).
So you need to add access-list entries to the outside-in access-list to allow the vpn traffic (udp/500 for ike, esp or UDP encap for encrypted data) from the outside to the dmz.
° static (dmz,outside)
This works in both directions, so you don't need:
global (outside) 2
nat (dmz)
Kind Regards,
Tom
07-07-2005 02:24 AM
Hi Tom,
Thanks for the remarks :)
Are you sure about the sysopt comment, I thought it would allow IPSEC pass through as well.
Have a look here:
Thanks
Paddy
07-07-2005 03:53 AM
Hi Paddy,
I am quite sure.
Somewhere in the link you posted, you will find this:
"To enable IPSec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command."
The PIX can only be sure that the session is authenticated if the PIX is also the endpoint of the VPN tunnel.
If it is still not working, you should consider enabling logging to see what packets are denied. More info on how to set up syslogging can be found here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094030.shtml
Hope this helps?
Kind Regards,
Tom
07-07-2005 04:18 AM
Thanks Tom,
It's confusing because the link also says:
Note If the sysopt connection permit-ipsec command is not configured, you must explicitly configure an access-list command statement to permit IPSec traffic to traverse the PIX Firewall.
I can't really test it as I don't have a PIX at the mo :(
Thanks
Paddy
07-07-2005 08:42 AM
Hi,
In order for the vpn traffic to bypass, which one should I use??
Should I create a static nat to the vpn box, and then create an access-list to permit the vpn traffic??
Thanks.
07-08-2005 03:07 AM
I think Tom is correct, I've done some more reading on the sysopt command, however if you can I would still try using it out of curiosity.
Other than that you need to have access-lists as:
For AH
---
PIX1(config)# access-list outside_access_in permit 51 any host
For ESP
---
PIX1(config)# access-list outside_access_in permit 50 any
For both ESP and AH (IKE)
---
PIX1(config)# access-list outside_access_in permit udp host
HTH
PJD
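Putting Tom's and PJD's advice together, here is an added PIX 6.x config fragment; it is not from any post in this thread. The addresses 203.0.113.10 (public) and 192.168.20.10 (DMZ) are constructed placeholders for the VPN concentrator, the interface names match the thread, and the ACL name outside_in is PJD's. Because the tunnel terminates on the concentrator and not on the PIX, it does not rely on sysopt connection permit-ipsec; instead it explicitly permits IKE on udp/500, NAT-T (UDP encapsulation) on udp/4500, and ESP (IP protocol 50) / AH (IP protocol 51), and turns on logging so denied packets show up when troubleshooting.

```text
: Constructed example - placeholder addresses, not a real deployment
: Map the concentrator's DMZ address to a public address (works both directions)
static (dmz,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255

: IKE / ISAKMP negotiation
access-list outside_in remark IKE to the VPN concentrator
access-list outside_in permit udp any host 203.0.113.10 eq 500

: NAT-Traversal, only needed when remote peers sit behind NAT
access-list outside_in remark NAT-T (UDP-encapsulated ESP)
access-list outside_in permit udp any host 203.0.113.10 eq 4500

: Encrypted data: ESP is IP protocol 50, AH is IP protocol 51
access-list outside_in remark ESP and AH to the VPN concentrator
access-list outside_in permit 50 any host 203.0.113.10
access-list outside_in permit 51 any host 203.0.113.10

: Apply the list inbound on the outside interface
access-group outside_in in interface outside

: Log denied packets so a failing tunnel can be traced (Tom's suggestion)
logging on
logging buffered warnings
```

Only the concentrator's mapped address is opened; other DMZ hosts still need their own static and outside_in entries as PJD noted.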