01-21-2009 05:08 PM
I have a multi-interfaced PIX; the interface descriptions are as follows:
Outside -> 10MB to ISP
Inside -> main vlan
dmz -> webservers, etc..
lab1 -> test application servers
lab2 -> test application servers
etc...
guest wireless -> open wireless access (connected to Cisco WAP)
The open wireless has only access to the internet, not any of the trusted networks. This is an untrusted interface (security lvl 1). The outside interface is security lvl 0.
I want to be able to allow vpn access from the wireless into the trusted networks just like vpn from the outside (internet) will be treated.
I guess that the pix sees a vpn connection attempt from one of its interfaces to another one.
The client times out connecting from the wireless to the pix outside interface IP.
The pix merely logs this:
Jan 20 2009 13:38:23: %PIX-7-710005: UDP request discarded from 192.168.20.5/1346 to GuestWireless:yy.yy.yy.yy/500
yy.yy.yy.yy = outside interface IP
The PIX is also the DHCP server for the wireless network connections.
Can this even be done? If so, what am I missing?
Thanks,
Dave
01-22-2009 04:55 AM
AFAIK - you cannot connect from a lower security interface connected to the PIX to the outside interface to terminate a VPN connection.
You are better off enabling ISAKMP on the guest wireless interface, then terminating the VPN over the wireless to the PIX, so the encrypted traffic will decrypt on that interface. Then just write an ACL to allow that traffic to the inside without NAT - in theory it should work!
HTH>
01-22-2009 05:10 AM
Thanks for the response. I'm confused by your answer a little.
The wireless leg of the PIX is security level 1 and the outside interface is security level 0. Would that not mean that vpn is being initiated from a higher security interface to a lower one?
Also, can you explain a bit further about what you mean by "enabling ISAKMP on the wireless"? Sorry, I'm not really a PIX expert :)
Is that the same as this -> crypto map mymap interface GuestWireless
Thanks,
Dave
01-22-2009 05:25 AM
To answer:-
"The wireless leg of the PIX is security level 1 and the outside interface is security level 0. Would that not mean that vpn is being initiated from a higher security interface to a lower one?" Yes, but the traffic is in the clear - it requested to terminate a VPN connection from an interface locally attached to the PIX, effectively on the inside of the device. Pretty sure the PIX will refuse the connection it receives on the outside interface from the guest wireless interface.
No, it's not the same; something like:-
crypto isakmp enable GuestWireless - this tells the PIX to listen and accept ISAKMP/VPN connections made TO the GuestWireless interface from ANY device connected to that interface.
HTH>
01-22-2009 11:10 AM
OK - thanks. I managed to solve the issue.
I had to point the client to the PIX interface IP on the wireless subnet.
I then had to add "authentication-server-group (guestwireless) RADIUS" to the tunnel group attributes.
Thanks for the help!
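Putting the pieces from this thread together (ISAKMP enabled on the GuestWireless interface with the crypto map bound there, an interface-qualified RADIUS authentication-server-group on the tunnel group, and NAT exemption for the decrypted traffic), here is an added PIX 7.x-style configuration example. It is not configuration from any poster in the thread; everything other than the GuestWireless, outside and inside interface names is an assumed placeholder (pool range, ACL and AAA server names, addresses, keys), and the subnets are constructed.

```cisco
! Added example, not from the thread: terminate remote-access IPsec clients
! on the GuestWireless interface instead of the outside interface.
! Names, addresses and keys below are assumed placeholders.

! Interfaces as described in the thread (addresses omitted)
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet2
 nameif GuestWireless
 security-level 1

! Address pool handed to VPN clients (constructed range)
ip local pool VPNPOOL 10.99.0.10-10.99.0.100 mask 255.255.255.0

! RADIUS group that authenticates wireless VPN users (assumed server)
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key REPLACE-WITH-RADIUS-SECRET

! Phase 1 and Phase 2 policy
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map GWMAP 65535 ipsec-isakmp dynamic DYNMAP

! Listen for ISAKMP on the wireless interface and bind the crypto map there.
! Clients must then target the GuestWireless interface IP; UDP/500 sent to
! the outside IP from this segment is discarded (the %PIX-7-710005 in the thread).
crypto isakmp enable GuestWireless
crypto map GWMAP interface GuestWireless

! Tunnel group: the (GuestWireless) qualifier ties the RADIUS group to
! connections arriving on that interface, as in the poster's fix
tunnel-group WIRELESS-VPN type ipsec-ra
tunnel-group WIRELESS-VPN general-attributes
 address-pool VPNPOOL
 authentication-server-group (GuestWireless) RADIUS_SRV
tunnel-group WIRELESS-VPN ipsec-attributes
 pre-shared-key REPLACE-WITH-GROUP-PSK

! Decrypted traffic between the pool and the trusted inside network
! (constructed 10.0.0.0/24): exempt it from NAT and let it bypass interface ACLs
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
```

The interface qualifier on authentication-server-group is what lets a RADIUS group apply only to tunnels that arrive on GuestWireless, so a separate tunnel group terminating on outside can keep its own authentication source. With ISAKMP enabled only on the interfaces that should accept clients, the plaintext guest segment still has no path to the trusted VLANs except through an authenticated tunnel, and the NAT exemption is scoped to the VPN pool rather than the whole wireless subnet.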
01-22-2009 01:01 PM
np - glad to help.