V3K on DMZ

mddistor

ajagadee (Cisco Employee)

Hi Mercy,

Can you post a more detailed message? Thanks!!

Regards,

Arul

Hi Arul,

Sorry, I must have pressed enter too soon. Anyway, here's my scenario.

My PIX 515 is currently in parallel with the 3005, no routers in the scene; they're directly connected to the DSL. VPN clients are authenticated via the NT domain.

I am planning to connect branches to HO via VPN, terminating on the 3005. I tried to simulate it but was having problems, and I was advised to put the concentrator on the DMZ instead. Now I have made the PIX and the 3005 ping each other, but when I test authentication from the 3005, it fails, and that's why my VPN client could not establish a tunnel. I wonder if I'm missing an access-list or a static.

Below is a summary of my setup.

pix inside - 10.11.0.1
pix dmz - 10.50.0.1
pix outside - 66.13.1.2
gateway - 66.13.1.1
3005 outside - 10.50.0.2
3005 gateway - 10.50.0.1
3005 ip pool - 192.168.1.1-100

Here's my PIX config:

hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ipsec permit ip 10.11.0.0 255.255.0.0 10.14.0.0 255.255.0.0
access-list europe permit ip 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.11.0.0 255.255.0.0 10.14.0.0 255.255.0.0
access-list nonat permit ip 10.11.0.0 255.255.0.0 10.15.0.0 255.255.0.0
access-list nonat permit ip 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip any 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 100 permit tcp any host 66.13.1.4 eq smtp
access-list 100 permit tcp any host 66.13.1.4 eq pop3
access-list 100 permit udp any host 66.13.1.3 eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any host 66.13.1.3
access-list 100 permit tcp any host 66.13.1.3 eq 10000
access-list 200 permit ip 192.168.0.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list 200 permit ip 10.50.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 200 permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.13.1.2 255.255.255.248
ip address inside 10.11.0.1 255.255.0.0
ip address dmz 10.50.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.15.0.101-10.15.0.105
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list nonat
nat (dmz) 1 10.50.0.0 255.255.0.0 0 0
alias (inside) 10.11.0.8 66.13.1.4 255.255.255.255
static (inside,dmz) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0
static (inside,outside) 66.13.1.4 10.11.0.8 netmask 255.255.255.255 0 0
static (dmz,outside) 66.13.1.3 10.50.0.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 200 in interface dmz
route outside 0.0.0.0 0.0.0.0 66.13.1.1 1
route dmz 192.168.0.0 255.255.255.0 10.50.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set jersey esp-des esp-md5-hmac
crypto ipsec transform-set euro esp-3des esp-md5-hmac
crypto dynamic-map acndyn 20 set transform-set jersey
crypto map vpn_remote 10 ipsec-isakmp
crypto map vpn_remote 10 match address ipsec
crypto map vpn_remote 10 set peer 65.244.11.2
crypto map vpn_remote 10 set transform-set jersey
crypto map vpn_remote 20 ipsec-isakmp dynamic acndyn
crypto map vpn_remote 30 ipsec-isakmp
crypto map vpn_remote 30 match address europe
crypto map vpn_remote 30 set peer 206.220.218.10
crypto map vpn_remote 30 set transform-set euro
crypto map vpn_remote interface outside
isakmp enable outside
isakmp key ******** address 65.244.11.2 netmask 255.255.255.255
isakmp key ******** address 206.220.218.10 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup acnmain address-pool vpnpool
vpngroup acnmain wins-server 10.11.0.6
vpngroup acnmain default-domain domain01
vpngroup acnmain split-tunnel nonat
vpngroup acnmain idle-time 1800
vpngroup acnmain password ********

I tried to add these access-lists for NT authentication, but I still can't get through.

10.11.0.5 and 10.11.0.6 are my NT server and WINS server, respectively.

access-list 200 permit tcp any host 10.11.0.5 eq 139
access-list 200 permit udp any host 10.11.0.5 eq 138
access-list 200 permit udp any host 10.11.0.5 eq 137
access-list 200 permit tcp any host 10.11.0.6 eq 139
access-list 200 permit udp any host 10.11.0.6 eq 138
access-list 200 permit udp any host 10.11.0.6 eq 137

Thanks in advance.

cym
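As an added example (not part of the original thread, and not Cisco code), below is a small Python evaluator for PIX-style access-lists. It parses the posted access-list 200 together with the six NetBIOS lines the poster added, then reports which line would be the first match for a set of DMZ-to-inside flows constructed from the addresses in the post (the 3005 at 10.50.0.2, the NT and WINS servers at 10.11.0.5 and 10.11.0.6, and addresses from the 3005 pool). It assumes PIX ACL semantics: first match wins, an implicit deny at the end, real netmasks rather than IOS wildcard masks, and "ip" matching every protocol. It evaluates only the interface ACL; the static (inside,dmz) translation and routing that the PIX also needs for DMZ-to-inside traffic are outside its scope.

```python
"""Added example: a first-match evaluator for PIX-style access-lists."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the access-list 200 lines from the posted PIX config,
# followed by the six NetBIOS lines the poster said they added.
PIX_ACL_200 = """
access-list 200 permit ip 192.168.0.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list 200 permit ip 10.50.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list 200 permit icmp any any
access-list 200 permit tcp any host 10.11.0.5 eq 139
access-list 200 permit udp any host 10.11.0.5 eq 138
access-list 200 permit udp any host 10.11.0.5 eq 137
access-list 200 permit tcp any host 10.11.0.6 eq 139
access-list 200 permit udp any host 10.11.0.6 eq 138
access-list 200 permit udp any host 10.11.0.6 eq 137
"""

# PIX accepts service names after "eq"; only the names used in the posted
# config are mapped here (assumption: anything else is a numeric port).
PORT_NAMES = {"smtp": 25, "pop3": 110, "isakmp": 500}


@dataclass
class Ace:
    name: str             # access-list name or number, e.g. "200"
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None when the line has no "eq <port>"
    text: str             # original line, kept for reporting


def _parse_addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec (any | host A | A NETMASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs use a real netmask, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config: str) -> list[Ace]:
    """Parse each 'access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]' line."""
    aces: list[Ace] = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[1], t[2], t[3], src, dst, dport, line.strip()))
    return aces


def first_match(aces: list[Ace], name: str, proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> Optional[Ace]:
    """First ACE of access-list `name` matching the flow; None means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.name != name:
            continue
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


# Constructed flows built from addresses in the post: the 3005 outside
# address, the NT/WINS servers, and addresses from the 3005 pool.
FLOWS = [
    ("3005 -> NT server, NetBIOS session", "tcp", "10.50.0.2", "10.11.0.5", 139),
    ("3005 -> WINS, NetBIOS name service", "udp", "10.50.0.2", "10.11.0.6", 137),
    ("pool 192.168.1.x -> NT server tcp/139", "tcp", "192.168.1.50", "10.11.0.5", 139),
    ("pool 192.168.1.x -> other inside host tcp/445", "tcp", "192.168.1.50", "10.11.0.20", 445),
    ("192.168.0.x (as ACL 200 is written) -> inside", "tcp", "192.168.0.50", "10.11.0.20", 445),
]


def evaluate(config: str = PIX_ACL_200, flows=FLOWS) -> dict[str, Optional[str]]:
    """Map each flow label to the text of the matching ACE, or None if implicitly denied."""
    aces = parse_acl(config)
    return {label: (m.text if (m := first_match(aces, "200", proto, src, dst, port)) else None)
            for label, proto, src, dst, port in flows}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:48} -> {hit or 'no match (implicit deny)'}")
```

Run as-is and it prints the matching line for each constructed flow. Two things it makes visible from the posted config alone: traffic sourced by the 3005 itself (10.50.0.2) already matches the second line of access-list 200, so the added host-specific entries for 10.11.0.5 and 10.11.0.6 change nothing for that traffic; and the first line of access-list 200, like the "route dmz 192.168.0.0 255.255.255.0 10.50.0.2" line, refers to 192.168.0.0/24, while the 3005 pool in the setup summary is 192.168.1.1-100, so a pool address only matches the later host-specific lines and is otherwise implicitly denied. The evaluator does not say why authentication from the 3005 fails; it only shows what the ACL would do.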