Isolating multiple supplier IPSEC VPNs on single PIX

mrrussell
Level 1

Hi, I'm checking on what else I could do to ensure supplier VPN traffic is kept isolated. Also I want to ensure VPNs are only instigated from my head-end site and that a particular supplier on my site can only start a VPN to their site. I've taken out the security association stuff etc. from the config below. PDF drawing also attached.

Many thanks

Mick

! Security 0 lowest to 100 highest

nameif ethernet0 outside security0

nameif vlan625 supplier1 security10

nameif vlan626 supplier2 security20

! inside is the mgmt VLAN

nameif ethernet1 inside security100

! Create One access list to define the networks at either end of each VPN from a vendor

! These are used by crypto map VPN-supplier ##, where ## is the No pertaining to the Vendor

! i.e. supplier1 remote end network is 192.168.150.0 255.255.255.0

access-list supplier1 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0

access-list supplier1 deny ip any any

!

! i.e. supplier2 remote end network is 172.25.100.0 255.255.255.0

access-list supplier2 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0

access-list supplier2 deny ip any any

!

access-list no-outbound remark Deny any non-VPN outbound initiated access from within supplier mgmt network

access-list no-outbound remark -add permits for each Vendor VPN, deny any other outbound traffic

access-list no-outbound permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0

access-list no-outbound permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0

access-list no-outbound deny ip any any

!

ip address outside 131.x.x.x.255.255.0

ip address inside 172.25.48.33 255.255.255.248

ip address supplier1 172.25.48.41 255.255.255.248

ip address supplier2 172.25.48.49 255.255.255.240

!

! NAT exemption for the VPN

nat (inside) 0 access-list no-outbound

! stop any outbound access to native Internet services, only VPNs

access-group no-outbound in interface inside

!

route outside 141.141.x.y 255.255.255.0 131.x.x.130 1

route outside 142.142.x.y 255.255.255.0 131.x.x.130 1

!

! permit IPSEC incoming by bypassing any access-list checks

sysopt connection permit-ipsec

!

! crypto map vpn-supplier ## for each IPSEC VPN peer

crypto map vpn-supplier 20 match address supplier1

crypto map vpn-supplier 20 set peer 141.141.x.y

! crypto map vpn-supplier ## for each IPSEC VPN peer

crypto map vpn-supplier 30 match address supplier2

crypto map vpn-supplier 30 set peer 142.142.x.y

!

! apply crypto map to the outside interface

crypto map vpn-supplier interface outside

!

! define security association parameters for IPSEC VPN

isakmp enable outside

isakmp key <secret1> address 141.141.x.y netmask 255.255.255.255

isakmp key <secret2> address 142.142.x.y netmask 255.255.255.255

3 Replies

didyap
Level 6

I've had a look through the IPSec Technologies pages but it's not obvious to me exactly what I can change in the config. Any more specific help would be appreciated.

Thanks

Mick

Your posted config is really fuzzy, and the description of what you're trying to do made it worse for me. But let's see how close I am to what you want to do:

- Isolate vlan625 from 626

- Isolate supplier1 from 2

- Give inside (mgmt) access to vlan625 and 626 (not supplier1 and supplier2)

If so, see if this makes sense to you:

Assume:

acl_out = outside

acl_vlan625 = vlan625

acl_vlan626 = vlan626

acl_in = inside

no sysopt conn permit-ipsec.

By removing the permit-ipsec, you'll need the next two acls to allow VPN traffic terminating outside, into your higher interfaces, in this case vlan625 and vlan626.

access-list acl_out permit ip 192.168.150.0 255.255.255.0 172.25.48.40 255.255.255.248

access-list acl_out permit ip 172.25.100.0 255.255.255.0 172.25.48.48 255.255.255.240

access-group acl_out in interface outside

- Permit traffic from SUPPLIERx into VLANx, and Block everything else (no need for deny after assigning access-group)

access-list acl_vlan625 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0

access-group acl_vlan625 in interface vlan625

access-list acl_vlan626 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0

access-group acl_vlan626 in interface vlan626

- Permit VLANx into Inside

! inside (mgmt) network is 172.25.48.32/29 (ip address inside 172.25.48.33 255.255.255.248 in the original config)

access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.48 255.255.255.240

access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.40 255.255.255.248

access-group acl_in in interface inside

Now, all you need to do is to get your NAT settings setup to allow access from Inside->VLAN62x

I guess you wouldn't need any other NAT translations from VLANx to Outside.

Don't forget to do nat (vlan62x) 0 access-list acl_nat0

! NAT exemption, one access-list per VLAN interface; the acl_nat0_62x names are just labels, the subnets are the ones from the original config

access-list acl_nat0_625 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0

nat (vlan625) 0 access-list acl_nat0_625

access-list acl_nat0_626 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0

nat (vlan626) 0 access-list acl_nat0_626

You need two of them of course.

I hope this helps.

Double-check IP address and mask.
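The isolation question in the original post and the per-interface ACLs in the reply can be checked offline before touching the PIX. The following is an added example, not code from either poster or from Cisco: a small Python model of PIX first-match ACL evaluation (with the implicit deny at the end of every bound ACL) that probes the flows a reviewer would care about, and a check that the two crypto ACLs (the `match address` lists) never overlap, so one peer's SA can never carry the other supplier's traffic. Assumptions: the interface ACLs are named acl_supplier1/acl_supplier2 and bound with Mick's nameif names (supplier1 = vlan625, supplier2 = vlan626) rather than the reply's vlan62x; the inside network is 172.25.48.32/29 as implied by the original `ip address inside` line; all probe addresses and the config text itself are constructed for the model.

```python
import ipaddress
from itertools import combinations

# Constructed sample config (PIX 6.x syntax) transcribed from the thread.
# ACL names, access-group bindings and the inside subnet are assumptions noted in the lead-in.
PIX_CONFIG = """
! crypto ACLs (interesting traffic) from the original post
access-list supplier1 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0
access-list supplier1 deny ip any any
access-list supplier2 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0
access-list supplier2 deny ip any any
! per-interface ACLs from the reply, bound to the nameif names of the original config
access-list acl_out permit ip 192.168.150.0 255.255.255.0 172.25.48.40 255.255.255.248
access-list acl_out permit ip 172.25.100.0 255.255.255.0 172.25.48.48 255.255.255.240
access-list acl_supplier1 permit ip 172.25.48.40 255.255.255.248 192.168.150.0 255.255.255.0
access-list acl_supplier2 permit ip 172.25.48.48 255.255.255.240 172.25.100.0 255.255.255.0
access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.48 255.255.255.240
access-list acl_in permit ip 172.25.48.32 255.255.255.248 172.25.48.40 255.255.255.248
access-group acl_out in interface outside
access-group acl_supplier1 in interface supplier1
access-group acl_supplier2 in interface supplier2
access-group acl_in in interface inside
"""


def _net(tokens, i):
    """Consume one ACL address operand: 'any', 'host A', or 'A MASK'. Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl name: [(action, src_net, dst_net)]}, {interface: acl name bound inbound})."""
    acls, groups = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-group":  # access-group NAME in interface IFACE
            groups[t[4]] = t[1]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, i = _net(t, 4)  # remarks and non-ip entries are ignored by this model
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls, groups


def permitted(acls, groups, iface, src_ip, dst_ip):
    """First-match evaluation of the ACL bound inbound on iface; no match means the implicit deny."""
    if iface not in groups:
        raise ValueError(f"no access-group bound on {iface}; security-level defaults are not modelled")
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acls[groups[iface]]:
        if s in src and d in dst:
            return action == "permit"
    return False


def crypto_acls_disjoint(acls, names):
    """Interesting-traffic ACLs must not overlap, otherwise two crypto map entries compete for one flow."""
    permits = {n: [(s, d) for act, s, d in acls[n] if act == "permit"] for n in names}
    for a, b in combinations(names, 2):
        for s1, d1 in permits[a]:
            for s2, d2 in permits[b]:
                if s1.overlaps(s2) and d1.overlaps(d2):
                    return False
    return True


def isolation_report(acls, groups):
    """Probe flows (constructed addresses inside each subnet); True means the PIX would pass the packet."""
    probes = {
        "supplier1 -> own remote net":   ("supplier1", "172.25.48.42", "192.168.150.10"),
        "supplier1 -> supplier2 vlan":   ("supplier1", "172.25.48.42", "172.25.48.50"),
        "supplier1 -> supplier2 remote": ("supplier1", "172.25.48.42", "172.25.100.5"),
        "supplier1 -> mgmt vlan":        ("supplier1", "172.25.48.42", "172.25.48.34"),
        "supplier1 -> internet":         ("supplier1", "172.25.48.42", "203.0.113.7"),
        "remote1 -> supplier1 vlan":     ("outside", "192.168.150.10", "172.25.48.42"),
        "remote1 -> supplier2 vlan":     ("outside", "192.168.150.10", "172.25.48.50"),
        "remote1 -> mgmt vlan":          ("outside", "192.168.150.10", "172.25.48.34"),
        "mgmt -> supplier1 vlan":        ("inside", "172.25.48.34", "172.25.48.42"),
        "mgmt -> internet":              ("inside", "172.25.48.34", "203.0.113.7"),
    }
    return {label: permitted(acls, groups, *flow) for label, flow in probes.items()}


if __name__ == "__main__":
    acls, groups = parse_config(PIX_CONFIG)
    for flow, ok in isolation_report(acls, groups).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {flow}")
    print("crypto ACLs disjoint:", crypto_acls_disjoint(acls, ["supplier1", "supplier2"]))
```

The model only covers `permit|deny ip` entries and interfaces that have an access-group bound; it deliberately raises rather than guessing the PIX security-level defaults for an unbound interface, which is exactly the situation in the original config where `no-outbound` is bound to inside while the supplier hosts sit on vlan625/626. Note that removing `sysopt connection permit-ipsec`, as the reply does, is what makes the `outside` probes meaningful: with it left in place the decrypted VPN traffic would bypass acl_out entirely.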