At the moment we have a PPTP server (Win2K) that provides remote
access. When we are connected to that PPTP server we have complete
access to the internet via its network as well as our network shares.
We use it for remote access into the network and that's it; we don't
have a real Windows network with a PDC/domain, it's a simple workgroup
situation with no requirement for real Windows networking.
What I have tried is the IPsec configuration, which may or may not be
correct...
access-list Outside-ACL permit icmp X.0.0.0 255.0.0.0 any
access-list Outside-ACL permit gre host X.X.X0.192 X.X.X5.0 255.255.255.128
access-list Outside-ACL permit esp host X.X.X0.167 any
access-list Outside-ACL permit ah host X.X.X0.167 any
access-list Outside-ACL permit gre any host X.X.X0.167
access-list 80 permit ip host X.X.X0.167 any
access-list VPNOUT permit ip X.X.X5.0 255.255.255.128 X.X.X5.128 255.255.255.240
ip address outside X.X.X0.167 255.255.255.128
ip address inside X.X.X5.1 255.255.255.128
ip local pool dealer X.X.X5.128-X.X.X5.143
static (inside,outside) X.X.X5.0 X.X.X5.0 netmask 255.255.255.128 0 0
access-group Outside-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X0.129 1
sysopt connection permit-ipsec
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto dynamic-map dynmap 30 set transform-set myset
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map X.X.X5.0 10 ipsec-isakmp dynamic cisco
crypto map X.X.X5.0 client configuration address initiate
crypto map X.X.X5.0 interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool dealer
vpngroup vpn3000 default-domain socal.rr.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup address-pool idle-time 1800
dhcpd address X.X.X5.2-X.X.X5.126 inside
dhcpd dns X.X.X0.41 X.X.X0.42
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain <yeah>.com
dhcpd enable inside
With this config I could connect and have an up tunnel; with the split
tunnel vpngroup command I could also access the internet through the
existing internet configuration (NOT through the tunnel, which is what
I want).
Then I tried VPDN:
access-list Outside-ACL permit icmp X.0.0.0 255.0.0.0 any
access-list Outside-ACL permit gre host X.X.X0.192 X.X.X5.0 255.255.255.128
access-list VPDNOUT permit ip X.X.X5.0 255.255.255.128 X.X.X5.128 255.255.255.240
ip address outside X.X.X0.167 255.255.255.128
ip address inside X.X.X5.1 255.255.255.128
ip address intf2 127.0.0.1 255.255.255.255
ip local pool dealer X.X.X5.128-X.X.X5.143
static (inside,outside) X.X.X5.0 X.X.X5.0 netmask 255.255.255.128 0 0
access-group Outside-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X0.129 1
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local dealer
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ORANGERDC password ********
vpdn enable outside
dhcpd address X.X.X5.2-X.X.X5.126 inside
dhcpd dns X.X.X0.41 X.X.X0.42
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain <yeah>.com
dhcpd enable inside
That gets the same results, connection via PPTP:
Tunnel id 17, remote id is 17, 1 active sessions
Tunnel state is estabd, time since event change 9 secs
remote Internet Address X.75.160.214, port 1370
Local Internet Address X.75.160.167, port 1723
15 packets sent, 11986 received, 479 bytes sent, 784939 received
Call id 17 is up on tunnel id 17
Remote Internet Address is X.75.160.214
Session username is <BOINK>, state is estabd
Time since event change 11470 secs, interface outside
Remote call id is 16384
PPP interface id is 1
15 packets sent, 11986 received, 479 bytes sent, 784939 received
Seq 16, Ack 11985, Ack_Rcvd 15, peer RWS 64
0 out of order packets
But still, no internet access via that tunnel. I'm using the standard
Windows 2K and XP PPTP client.
Any ideas?
Thanks!
:What I have tried is the IPsec configuration, which may or may not be
:correct...
:access-list Outside-ACL permit icmp X.0.0.0 255.0.0.0 any
:access-list Outside-ACL permit gre host X.X.X0.192 X.X.X5.0 255.255.255.128
:access-list Outside-ACL permit esp host X.X.X0.167 any
:access-list Outside-ACL permit ah host X.X.X0.167 any
:access-list Outside-ACL permit gre any host X.X.X0.167
That access-list has to be wrong. It is inconsistent as to whether
X.X.X0.167 is inside (last line) or outside (the two before that).
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.
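The inconsistency above can be checked mechanically. The following is an added example, not code from the thread: it parses PIX-style access-list entries and flags, for an ACL applied inbound on the outside interface, any entry whose source is the firewall's own outside address or an inside prefix. The addresses are constructed TEST-NET placeholders standing in for the X.X.X0 / X.X.X5 prefixes of the post.

```python
import ipaddress

# Constructed placeholders for "ip address outside" and the "ip address inside" subnet.
PIX_OUTSIDE_IP = ipaddress.ip_address("203.0.113.167")
INSIDE_NET = ipaddress.ip_network("198.51.100.0/25")

# The posted Outside-ACL with X.X.X0 -> 203.0.113 and X.X.X5 -> 198.51.100 (constructed).
ACL = """
access-list Outside-ACL permit icmp 203.0.0.0 255.0.0.0 any
access-list Outside-ACL permit gre host 203.0.113.192 198.51.100.0 255.255.255.128
access-list Outside-ACL permit esp host 203.0.113.167 any
access-list Outside-ACL permit ah host 203.0.113.167 any
access-list Outside-ACL permit gre any host 203.0.113.167
"""

def parse_endpoint(tokens, i):
    """Consume one ACL endpoint (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a real subnet mask, not an IOS-style wildcard mask
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2

def parse_acl(text):
    """Return one dict per access-list line: name, action, proto, src, dst."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = parse_endpoint(t, 4)
        dst, _ = parse_endpoint(t, i)
        entries.append({"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst})
    return entries

def lint_inbound_outside_acl(entries, own_ip, inside_net):
    """Inbound on 'outside' the source must be external: flag entries whose source
    is the PIX's own outside address or a prefix that lives on 'inside'."""
    findings = []
    for n, e in enumerate(entries, 1):
        if e["src"].num_addresses == 1 and own_ip in e["src"]:
            findings.append((n, e["proto"], "source is the PIX outside address itself"))
        elif e["src"].subnet_of(inside_net):
            findings.append((n, e["proto"], "source is an inside prefix"))
    return findings

if __name__ == "__main__":
    for n, proto, why in lint_inbound_outside_acl(parse_acl(ACL), PIX_OUTSIDE_IP, INSIDE_NET):
        print(f"entry {n} ({proto}): {why}")
```

Run against the sample it reports entries 3 and 4 (the esp and ah lines), which is exactly the pair of lines the reply says contradict the last one.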
mikester,
if i understand your question correctly, you want to:
access the pix with PPTP/L2TP and have internet traffic go through the
tunnel and then back out through the pix to the "outside".
if so, it "ain't gonna happen".
the problem is that the pix is a NAT based firewall. traffic cannot
arrive and leave the same interface, as it will not have an interface to
interface based translation rule (logs will show no xlate messages).
not a security feature. design limitation.
it is not based on traffic being redirected in/out a physical interface,
but rather an interface in general (see vlan feature).
IOS router will do what you want. VPN3000 (>!=3002) will do what you want.
Just about anything else that I have worked with will do what you want.
but not PIX.
you could add an interface, but then where would the default route point?
since the clients source ip address can't be static routes?
major limitation of the pix...no hub and spoke possibility...but it is a
great firewall!
stick with split tunneling, or the MS PPTP/L2TP option.
Rik Bain
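A small model of the forwarding rule described in this reply, added here as an example and not Cisco code: the PIX chooses the egress interface by longest-prefix route lookup and then needs a translation (xlate) for the interface pair; no pair maps an interface to itself, so a client packet that enters on outside and must leave on outside is dropped, while the same packet entering on a dmz interface is not. Prefixes are constructed TEST-NET placeholders for the /25 and /28 networks of the thread.

```python
import ipaddress

# Constructed route table, like "route <if> <net> <mask> <gw>" lines on the PIX.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("198.51.100.0/25", "inside"),
    ("198.51.100.128/28", "dmz"),   # the remote-access /28 moved behind dmz
]
# Interface pairs that have a static/nat translation; order does not matter,
# and a pair of an interface with itself can never be configured.
XLATES = {frozenset({"inside", "outside"}), frozenset({"dmz", "outside"})}

def egress_interface(dst):
    """Longest-prefix match over ROUTES; returns the interface name."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1]

def forward(ingress, dst):
    """Where a decapsulated VPN-client packet goes, or why it is dropped."""
    egress = egress_interface(dst)
    if frozenset({ingress, egress}) not in XLATES:
        return f"drop: no xlate for {ingress}->{egress}"   # what the PIX log shows
    return f"forwarded via {egress}"

if __name__ == "__main__":
    # Tunnel terminated on outside: inside shares work, internet does not.
    print(forward("outside", "198.51.100.10"))
    print(forward("outside", "192.0.2.80"))
    # Tunnel terminated on dmz: internet traffic now crosses dmz -> outside.
    print(forward("dmz", "192.0.2.80"))
```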
I am aware of the limitation you discuss, regarding traffic trying to
go in via the outside interface and then back out it again, I do see
the "no xlate" message in the log.
So...if I used that DMZ interface to host this network? I could do it
that way?
The static route would be something like;
route dmz X.X.X.X netmask X.X.X.167
(X.X.X.167 is the outside interface by the way)
you can "route dmz" to the outside. you would need to split your subnet
between the dmz and the outside. have the clients terminate on the dmz.
this would require static routes for each client (something that would
prove difficult, if not impossible for dynamic clients).
a lot of folks will throw a vpn3000 in parallel to the pix in this type of
scenario. not sure if that is an option for you.
I have no shortage of public IP space for this purpose so I can keep
my /25 on the inside interface and put my /28 for remote access on the
DMZ.
I can have two static routes, one for each network. The /25 would
point to the Outside interface and the /28 would point to the DMZ. The
DMZ would then be the access point for the VPN? Correct?
yes, you could do that. the only obstacle would be that the clients would
need to terminate on the non-outside interface (since they need to
subsequently exit the outside interface for non-local traffic). if the
clients are coming from a fixed address...no problem....host route the
client's real address out of the "dmz" (to a secondary ip address on the
next hop router).
but if the client's addresses are
dynamic, then you can't specify a host route to them, and they will follow
the default route (outside). asymmetric routing problem, compiled by nat.
i have done this type of config many times for lan to lan tunnels, but i
know who the peers are.
of course, you could policy route the incoming traffic destined to the dmz
interface and subsequently nat the source ip. in that type of config, the
pix could route to the nat'd addresses out of the dmz.
for example, packet enters router destined for pix dmz address. router
will nat the source ip address of said packet to another address of your
liking and send to pix dmz. pix has static route for that subnet out of
the dmz. seen this done as well...on paper, i think.
but, man, that is a lot of work just to terminate a tunnel on the pix...you
have a windows box inside, right?
cheers,
rik