05-15-2007 11:45 AM
I have a situation. I want to use a Cisco PIX to create 2 VPN tunnels: one called "admingroup" (subnet 192.168.10.X) for full access and the other called "vendorgroup" (subnet 192.168.11.X) for limited access (only www access to 192.168.1.100). Both admin and vendor will use the Cisco VPN client for XP. But for some reason, both admin and vendor get the same access. I think I may need to remove the "sysopt" command; currently I use admingroup to log in to the PIX remotely.
1. Can I remove "sysopt" command remotely while I vpn into PIX?
2. Why both admin and vendor have the same access?
Here are the PIX config in short version:
access-list nat_acl permit ip 192.168.1.0 255.255.255.0 any
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
ip address outside pppoe setroute
ip address inside 192.168.7.253 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip local pool adminpool 192.168.10.1-192.168.10.7
ip local pool vendorpool 192.168.11.1-192.168.11.7
global (outside) 1 60.1.1.10
nat (inside) 0 access-list 101
nat (inside) 1 access-list nat_acl 0 0
access-group out_acl in interface outside
route inside 192.168.1.0 255.255.255.0 192.168.7.254 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup admingroup address-pool adminpool
vpngroup admingroup dns-server 192.168.1.3
vpngroup admingroup default-domain test.com
vpngroup admingroup split-tunnel 101
vpngroup admingroup idle-time 1800
vpngroup admingroup password ********
vpngroup vendorgroup address-pool vendorpool
vpngroup vendorgroup dns-server 192.168.1.3
vpngroup vendorgroup default-domain test.com
vpngroup vendorgroup split-tunnel 101
vpngroup vendorgroup idle-time 1800
vpngroup vendorgroup password ********
vpdn group pppoex request dialout pppoe
05-15-2007 11:55 AM
1. I wouldn't, unless you first add the appropriate ports in your outside ACL to allow you to establish the VPN after you remove the sysopt.
2. They have the same access because there is nothing to prevent either from going anywhere. The sysopt conn permit-ipsec statement is in place and they both have the same split-tunnel ACL. I would simply create a new split-tunnel ACL for vendorgroup which is limited to the specific server. If you want to restrict to only www on that server, then you will need to remove sysopt and write the access in the ACL.
These commands are doing nothing right now because sysopt conn permit-ipsec allows IPsec traffic to bypass interface ACLs.
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside
This should do it...
access-list out_acl extended permit udp any interface outside eq isakmp
access-list out_acl extended permit udp any interface outside eq 4500
access-list out_acl extended permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside
no sysopt connection permit-ipsec
access-list 102 permit ip host 192.168.1.100 192.168.11.0 255.255.255.0
vpngroup vendorgroup split-tunnel 102
You could also get rid of these two lines...
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
Then you would need as well...
nat (inside) 0 access-list 102
I think that's all :-), please rate if it helps.
05-15-2007 12:33 PM
Do I keep the following commands?
nat (inside) 0 access-list 101
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
I'll try your commands tonight and let you know the result. Thanks
05-15-2007 12:41 PM
Yes, you need to keep 101, as that is your NAT exemption and split-tunnel ACL for your admin group. So ACL 101 will be NAT exemption/split tunnel for admingroup and ACL 102 will be NAT exemption/split tunnel for vendors.
Let me know how it goes. Good luck.
05-15-2007 01:21 PM
Slipped into ASA mode there for a sec; it should be:
access-list out_acl permit udp any interface outside eq isakmp
access-list out_acl permit udp any interface outside eq 4500
access-list out_acl permit esp any interface outside
access-list out_acl permit tcp 192.168.11.0 255.255.255.0 host 192.168.1.100 eq www
access-list out_acl permit ip 192.168.10.0 255.255.255.0 any
access-group out_acl in interface outside
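As an added illustration of why the fix above needs both pieces (a narrower split-tunnel ACL for vendorgroup, and removing sysopt so out_acl is actually consulted), here is a small Python model of the thread's configuration. It is constructed for this page and is not PIX code; it talks to no firewall and only mimics first-match ACL evaluation, the sysopt bypass, and the split-tunnel ACL semantics. Assumptions not in the thread: the outside interface address is taken as 60.1.1.10 (the thread only shows that as the PAT address), 203.0.113.5 stands in for a VPN client's public address, and 192.168.7.10 is an arbitrary inside host used for the test.

```python
"""Constructed model of the PIX config from this thread (not PIX code).

It mimics three things a practitioner would otherwise check by hand:
  1. first-match interface ACL evaluation with the implicit deny at the end,
  2. 'sysopt connection permit-ipsec', which lets IPsec to the firewall and
     decrypted IPsec traffic skip the interface ACL entirely,
  3. the vpngroup split-tunnel ACL: the client tunnels traffic to the networks
     named as the *source* of each ACE whose destination covers its pool.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


def net(addr: str, mask: str = "255.255.255.255") -> IPv4Net:
    """PIX 'address mask' notation to a network object."""
    return IPv4Net((addr, mask))


ANY = net("0.0.0.0", "0.0.0.0")
# Assumption: outside interface address. The thread never states it (PPPoE);
# 60.1.1.10 is only the PAT address from 'global (outside) 1'.
OUTSIDE_IF = net("60.1.1.10")


@dataclass(frozen=True)
class Ace:
    proto: str                    # 'ip' matches any protocol
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None   # None = any port


# access-list out_acl as in the corrected reply (ISAKMP, NAT-T, ESP first).
OUT_ACL: List[Ace] = [
    Ace("udp", ANY, OUTSIDE_IF, 500),
    Ace("udp", ANY, OUTSIDE_IF, 4500),
    Ace("esp", ANY, OUTSIDE_IF),
    Ace("tcp", net("192.168.11.0", "255.255.255.0"), net("192.168.1.100"), 80),
    Ace("ip", net("192.168.10.0", "255.255.255.0"), ANY),
]

# Original ACL 101 (both groups), trimmed ACL 101 (admin) and ACL 102 (vendor).
ACL_101_ORIG = [
    Ace("ip", net("192.168.7.0", "255.255.255.0"), net("192.168.10.0", "255.255.255.0")),
    Ace("ip", net("192.168.1.0", "255.255.255.0"), net("192.168.10.0", "255.255.255.0")),
    Ace("ip", net("192.168.7.0", "255.255.255.0"), net("192.168.11.0", "255.255.255.0")),
    Ace("ip", net("192.168.1.0", "255.255.255.0"), net("192.168.11.0", "255.255.255.0")),
]
ACL_101 = ACL_101_ORIG[:2]
ACL_102 = [Ace("ip", net("192.168.1.100"), net("192.168.11.0", "255.255.255.0"))]


def acl_permits(acl, proto, src, dst, dport=None) -> bool:
    """First matching ACE wins; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return True
    return False


def client_tunnels(split_acl, client_ip, dst) -> bool:
    """Does the VPN client send traffic for dst through the tunnel at all?"""
    c, d = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(dst)
    return any(c in ace.dst and d in ace.src for ace in split_acl)


def reaches(split_acl, client_ip, proto, dst, dport=None, *, sysopt_permit_ipsec) -> bool:
    """Client reaches dst only if the split tunnel carries it AND the decrypted
    packet passes out_acl, unless sysopt makes the firewall skip the ACL."""
    if not client_tunnels(split_acl, client_ip, dst):
        return False
    if sysopt_permit_ipsec:
        return True
    return acl_permits(OUT_ACL, proto, client_ip, dst, dport)


def tunnel_can_come_up(acl, sysopt_permit_ipsec, peer="203.0.113.5") -> bool:
    """Without sysopt, ISAKMP/NAT-T/ESP to the firewall itself must be in the ACL
    (peer is an assumed client public address, not from the thread)."""
    if sysopt_permit_ipsec:
        return True
    fw = str(OUTSIDE_IF.network_address)
    return all([acl_permits(acl, "udp", peer, fw, 500),
                acl_permits(acl, "udp", peer, fw, 4500),
                acl_permits(acl, "esp", peer, fw)])


if __name__ == "__main__":
    vendor, admin = "192.168.11.2", "192.168.10.2"
    print("original: vendor to 192.168.7.10/445:",
          reaches(ACL_101_ORIG, vendor, "tcp", "192.168.7.10", 445, sysopt_permit_ipsec=True))
    print("split 102 only: vendor to 192.168.1.100/22:",
          reaches(ACL_102, vendor, "tcp", "192.168.1.100", 22, sysopt_permit_ipsec=True))
    print("split 102 + no sysopt: vendor to 192.168.1.100/22:",
          reaches(ACL_102, vendor, "tcp", "192.168.1.100", 22, sysopt_permit_ipsec=False))
    print("split 102 + no sysopt: vendor to 192.168.1.100/80:",
          reaches(ACL_102, vendor, "tcp", "192.168.1.100", 80, sysopt_permit_ipsec=False))
    print("admin still unrestricted:",
          reaches(ACL_101, admin, "tcp", "192.168.7.10", 445, sysopt_permit_ipsec=False))
    print("tunnel negotiation allowed without the first three ACEs:",
          tunnel_can_come_up(OUT_ACL[3:], False))
```

The model makes the two failure modes in the thread visible: with the original shared split-tunnel ACL and sysopt in place, a vendor reaches an inside host on any port exactly like an admin; with only the new split-tunnel ACL 102, the vendor is confined to 192.168.1.100 but still on every port, because sysopt skips out_acl; and removing sysopt without first permitting udp/500, udp/4500 and ESP to the outside interface leaves the tunnel unable to negotiate at all.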
05-16-2007 03:15 PM
Any luck?
05-18-2007 12:04 PM
You are correct. PIX 6.35 doesn't support extended access-list commands.
Also, I can't do both of these commands at the same time.
nat (inside) 0 access-list 101
nat (inside) 0 access-list 102
So I use access-list 101 for both.
access-list 101 permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.1.100 192.168.11.0 255.255.255.0
05-18-2007 12:08 PM
Correct, no problem there, my mistake. So is it fixed? I guess so, good deal. Enjoy.