Wednesday, September 07, 2005

firewall-wizards digest, Vol 1 #1657 - 2 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. PIX firewall licensing and beyond (newbie) (Vahid Pazirandeh)
2. Cisco Remote Access VPN Problem (Firewall-Wizards)

--__--__--

Message: 1
Date: Mon, 5 Sep 2005 20:40:44 -0700 (PDT)
From: Vahid Pazirandeh <vpaziran@yahoo.com>
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] PIX firewall licensing and beyond (newbie)

Hello everyone,

I come from a Linux admin background and have an assignment to set up a PIX
firewall. This is new territory and will be my first time playing with PIX OS
instead of iptables. Please excuse my newb questions, but we all start
somewhere. :-)

1. Which model? Our servers are in a co-location with a 100mbit drop. Would
that make the 515E the right choice if we actually want to make use of our
bandwidth? Does the PIX become the bottleneck?

2. I'm a little uneasy about the licensing. What are the typical features I
should make sure are included (e.g., 3DES)? What should I watch out for?

3. I read somewhere that VLAN support is only in PIX OS 6.3. Is VLAN support
also based on which model I'm using, or do all PIX firewall models have this
feature?

4. How many physical ports do the PIX firewalls typically come with? It seems
like it's 2: one uplink, one downlink. I can already think of 3 security
levels that I want my servers separated into. Does that mean I have to buy
expansion cards? Or should I use VLANs instead?

5. Any recommendations on a location to order the pix firewall and licensing
from? Good deals, good support, etc.

6. Any recommendations on some online reading that will help with implementing
the pix firewall? It would help to see some example network layouts to get a
better idea of how the components should be pieced together.

Here are a few places that I've already scoped out:
http://www.netcraftsmen.net/welcher/papers/pix01.html (also:
pix02-pix04.html)
http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1

Your guidance would be very helpful. Thanks for a great mail list!

A PIX student in training,
-Vahid

=============================================
"Make it better before you make it faster."
=============================================


--__--__--

Message: 2
From: "Firewall-Wizards" <Firewall-Wizards@govnet.gov.fj>
To: <firewall-wizards@honor.icsalabs.com>
Date: Wed, 7 Sep 2005 14:07:35 +1200
Subject: [fw-wiz] Cisco Remote Access VPN Problem

Hi Folks

Would appreciate any help on the following problem which has been bugging
me for a few days.

Have set up a remote access VPN using a Cisco 2600XM as the VPN endpoint
device and using Cisco VPN Clients (latest ver). Have basically utilized
the config guide at
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml ,
with the pool of virtual IPs assigned from the DMZ segment.

I can get the tunnel successfully established, the client successfully
authenticated with RADIUS, SAs formed and virtual IPs (from the DMZ)
assigned to the remote VPN client. There are static routes present on the
2600 to route internal network traffic to the DMZ gateway (i.e. the fw), which
subsequently has rules to route this VPN traffic inside the internal
network.

However my problem is the VPN client CANNOT get into the internal
network. The virtual IPs seem 'invisible' to the rest of the network when
it comes to routing, rendering traffic from these sources unroutable
onwards from the DMZ. Sniffing on the DMZ segment shows inbound int net
traffic from the VPN client making its way to the fw, but ARP requests
from the fw failing to get the MAC of the virtual IP, thus preventing return
traffic.

As a workaround, I tried putting in some static ARP entries on the fw,
for these virtual IPs to point to the physical DMZ interface of the VPN
device. The ensuing result was that return traffic made its way back to
the VPN device, but then couldn't get to the actual VPN client :-(

Could someone help point me in the right direction to go, as to what I
am missing or doing wrong. I was of the opinion that virtual IPs bind
themselves to some physical interface to resolve ARP issues as with PPP,
but in this case this isn't appearing so, or maybe it binds itself to the
ext intf of the VPN device? Do I have to use public addresses in the IP pools and
NAT them to DMZ IPs in order for all this to work (ughhh..)

My scenario
***********
ext
(10.1.85.x)INT-----------------
FW-----------------------------------router---internet
|                                   |
|dmz (192.168.0.x)                  |
|                                   |
VPN-----------------------------

Configs
***************
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name vpn.gov.fj
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco
 dns 10.1.85.156
 wins 10.1.85.156
 domain govnet.local
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description VPN Link to Internet -unprotected
 ip address x.x.x.x 255.255.255.240
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 description VPN Link to DMZ termination point
 ip address 192.168.0.249 255.255.255.0
 ip access-group 102 in
 no ip proxy-arp
 duplex auto
 speed auto
!
ip local pool ippool 192.168.0.250 192.168.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 external_router_ip
ip route 10.1.85.0 255.255.255.0 192.168.0.1
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 10 permit x.x.x.x 0.0.0.15
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.85.0 0.0.0.255
access-list 100 permit ip any host vpnexternalip
access-list 100 permit ip x.x.x.x 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.1.85.0 0.0.0.255 any
!
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 02050D480809


Thanks in advance

Cheers

AN
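An added example, not part of the poster's message or of any Cisco tool: a small Python lint that reads an IOS-style config shaped like the one above and flags the pattern the post describes, an address pool drawn from a directly connected subnet (so hosts on that segment ARP for the pool addresses themselves) on an interface with proxy-arp disabled, and it also flags type 7 keys, which are a reversible encoding rather than a hash. The embedded sample config is constructed from the post's structure with placeholder addresses.

```python
import ipaddress
import re

# Constructed sample modelled on the posted config; addresses are placeholders.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description VPN Link to Internet -unprotected
 ip address 203.0.113.2 255.255.255.240
!
interface FastEthernet0/1
 description VPN Link to DMZ termination point
 ip address 192.168.0.249 255.255.255.0
 no ip proxy-arp
!
ip local pool ippool 192.168.0.250 192.168.0.254
radius-server host 198.51.100.5 auth-port 1645 acct-port 1646 key 7 0123456789ABCDEF
"""

def parse_interfaces(config):
    """Return {name: {"net": connected network, "proxy_arp": bool}} for addressed interfaces."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"net": None, "proxy_arp": True}  # IOS default: proxy-arp on
            continue
        if current is None:
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m:
            interfaces[current]["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif line.strip() == "no ip proxy-arp":
            interfaces[current]["proxy_arp"] = False
    return {k: v for k, v in interfaces.items() if v["net"] is not None}

def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def lint(config):
    """List findings: pools inside a connected subnet, and reversible type 7 keys."""
    findings, ifaces = [], parse_interfaces(config)
    for pool, (lo, hi) in parse_pools(config).items():
        for name, info in ifaces.items():
            if lo in info["net"] or hi in info["net"]:
                msg = f"pool {pool} overlaps connected subnet {info['net']} on {name}"
                if not info["proxy_arp"]:
                    msg += " and proxy-arp is disabled there"
                findings.append(msg)
    if re.search(r"\bkey 7 \S+", config):
        findings.append("type 7 key present: reversible obfuscation, not a hash")
    return findings
```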

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
