Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...

Hello list...

I have a PIX 506E and a PIX 515E, each at a different location. Each firewall has a remote access VPN set up. I'd like to set up a point-to-point VPN connection between the two so users at one location won't have to use their VPN clients unless they're off site. Each firewall only has one outside and one inside interface. The 515E is running 7.0 and the 506E is running 6.3.

Does anyone out there have experience with setting up the two VPN technologies simultaneously? I don't want to break the existing remote access VPNs.

Dan Denton
RE: Cisco PIX VPN question...

Yes, I do this all of the time. I have configs if you would like them, but they are for the 6.x OS....

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 1:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...
RE: Cisco PIX VPN question...

Sorry, I do not have a PDM v7 to try and talk you through the Easy VPN setup. However, it is fairly straightforward to set up a PIX-to-PIX VPN tunnel in the PDM using the VPN Wizard (Easy VPN is a little less straightforward than the wizard). Under Wizards >> VPN >> Peer to Peer. It's very straightforward and should be the same in 6.3 or 7.0.

Below is the long-hand VPN setup with the PDM, just so you can see what's going on a little bit.

IPSEC --
  IPSEC Rules tab to define the protected network segments.
  Tunnel Policy tab to define peers and pick a transform set.
  *Transform Sets tab -- if you want to create a custom set of encryption algorithms... otherwise use one that's already there*

IKE --
  Policies tab to set up how the peers negotiate. I generally pick pre-shared key.
  Pre-shared Key -- to set up which key belongs to which peer.

Finally, here is the command line version, which can appear to be in Chinese but it's really English.
http://www.cisco.com/warp/public/110/38.html

As long as everything matches, your tunnel should come up. Make sure that there are networks listed under "Translation Exemption Rules" matching the networks you put in the IPSEC rules list.

You need to use split tunneling in the VPN client policy so that the tunnel knows not to pass traffic not destined for a protected network. You can manage that under the VPN client tab "Manage Split Tunnelling", where you define the IP nets that the VPN client should tunnel... the rest will go out their local connection.

Good luck and keep us posted,
Michael

-----Original Message-----
From: Dan Denton [mailto:info@...]
Sent: Wednesday, May 23, 2007 2:36 PM
To: Michael Diana
Cc: firewalls@...
Subject: RE: Cisco PIX VPN question...

I've read through Cisco's docs on creating remote access VPNs and L2L VPNs and they do seem really straightforward, but I've run into a few sticking points. I'm using ASDM/PDM on the two firewalls to set this up, and since the two versions (firewall software and management software) are different, it creates more questions.

1. During the guided setup (on the first page actually...) of the L2L VPN on the PIX running 6.3, there's no place to specify the Tunnel Group, whereas on the 7.0 there is. Also the commands seem to be slightly different (vpngroup versus tunnel-group). Are these the same?

2. That leads to point two, which is, since I can't specify a tunnel-group name on the 6.3 firewall, how will it know which tunnel to use? The existing remote access VPN, or whatever the guided setup names it?

3. Also, I've read a lot about 6.3 having the limitation that traffic from VPN clients can't be routed back out the same interface it entered. This will be a problem if true, because the firewall in question only has 1 external interface. I've read that the same-interface-security and split-tunnel commands can mitigate that problem. Is this true? I think it may be true that it does work, since I can access the internet unhindered when connected by VPN client, but I'll have to trace it and verify that.

Thanks to all who have replied, and your further input is greatly appreciated...

-----Original Message-----
From: Michael Diana [mailto:MDiana@...]
Sent: Wednesday, May 23, 2007 12:45 PM
To: Dan Denton
Subject: RE: Cisco PIX VPN question...

You can easily have both VPN clients and multiple PIX-to-PIX tunnels on the same appliance. The easiest way is to go through the Easy VPN setup within the PDM on both ends. Be aware though that when you add a new VPN instance, the IPSEC is reset and clients might be bounced. So I tend to add new tunnels after hours and notify the clients.

Hope this helps,
Michael

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 4:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...
Re: Cisco PIX VPN question...

Dan Denton wrote:
> -----Original Message-----
> From: Dan Denton [mailto:ddenton@...]
> Sent: Monday, May 21, 2007 1:47 PM
> To: 'firewalls@...'
> Subject: Cisco PIX VPN question...

Do you want to have remote access VPN users traverse the tunnel too?

1. Define the ACL which needs to traverse the tunnel. Remember three things:
   a. the source must be the local subnet/system
   b. a uni-directional ACL is fine (although PIX will take bi-directional), because PIX is smart enough to allow the corresponding return traffic to plumb through
   c. if you have NAT enabled, "enable NAT 0"

   How:
   Assumption: local subnet is 192.168.137.0/24, remote is 172.25.45.0/24. Local peer is 10.35.47.1, remote peer is 10.64.71.1.
   Note: PIX takes subnet masks, not wildcard bits. Anything in caps is user defined.

   Define object-groups; this way it can be expanded to allow more subnets to ride the tunnel.

     object-group network LOCAL_VPN_SUBNET
       network-object 192.168.137.0 255.255.255.0
       exit
     object-group network REMOTE_VPN_SUBNET
       network-object 172.25.45.0 255.255.255.0
       exit
     access-list VPN_ACL permit ip object-group LOCAL_VPN_SUBNET object-group REMOTE_VPN_SUBNET

   Enabling nat 0:

     nat (inside) 0 access-list VPN_ACL

2. Define the ISAKMP policy. Policy numbers are sequentially examined from (1 - X) and correct policies are accepted. This is called PHASE 1; the SA (security association) is called the "phase 1 SA". Please remember the policy numbers are locally significant (it does not bother the remote VPN concentrators).

   How:
   Define a name; that way you don't need to remember the IP address:

     name 10.64.71.1 REMOTE_VPN_PEER

   Remember, if you are on a pre-7.2 or 6.3 PIX OS version then this is the command set.

   On PIX 6.3:

     isakmp key ******** address REMOTE_VPN_PEER netmask 255.255.255.255 no-xauth

   On both pre-7.2 and 6.3:

     isakmp identity auto
     isakmp enable outside
     isakmp policy 1 authentication pre-share
     isakmp policy 1 encryption aes-256
     isakmp policy 1 hash sha
     isakmp policy 1 group 2
     isakmp policy 1 lifetime 1800

   If you need IKE NAT-T, then enable:

     isakmp nat-traversal 20

   After 7.2 PIX OS:

     crypto isakmp enable outside
     crypto isakmp policy 1
       authentication pre-share
       encryption aes-256
       hash sha
       group 2
       lifetime 1800

   If you need IKE NAT-T, then enable:

     crypto isakmp nat-traversal 20

3. Define the transform set. This defines the encryption and optional authentication to take place.

   How:

     crypto ipsec transform-set VPN_SET esp-aes-256 esp-sha-hmac

   Encryption is AES using CBC, key length is 256; authentication is SHA1.

4. Define the crypto map. Again, policy numbers are sequentially examined from (1 - X) and the correct policies are accepted.

   Note: If you want remote access VPN too, please define the remote access crypto map policy to be something really high like 65535, because it has caused problems for me when two crypto transform and ISAKMP policies match but the ACLs don't match, resulting in "IPSEC ERROR IN PHASE 2".

   How:

     crypto map VPN_MAP 1 match address VPN_ACL
     crypto map VPN_MAP 1 set peer REMOTE_VPN_PEER
     crypto map VPN_MAP 1 set transform-set VPN_SET

   If you need PFS (Perfect Forward Secrecy), which is called DH group, then use:

     crypto map VPN_MAP 1 set pfs group1

   Options for group are: group1 (768 bits), group2 (1024 bits), group5 (1536 bits). Note: PIX 525/535 and ASA may have group7 (2048), but I am not sure.

5. Define the group policy like pre-shared keys (this is only for 7.x).

   How:
   Note: the tunnel-group command does not take pre-defined names. Example: "tunnel-group REMOTE_VPN_PEER type ipsec-l2l" is invalid.

     tunnel-group 10.64.71.1 type ipsec-l2l
     tunnel-group 10.64.71.1 ipsec-attributes
       pre-shared-key TEST123

The other end is a mirror image of the same. In your example you are using PIX both ways, so this will be easy.

If you have any questions let me know.

Hope this helps
Prabhu
RE: Cisco PIX VPN question...

I am doing this all the time, especially after most of our clients migrated to V7.0. I have a lot of drafts which are working; just email me if you still need them...

Thanks,
Mohamed Farid
Telecommunication & Security Department Manager
MSCC ( www.mscc.com.eg )

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 11:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...

This e-mail (including attachments) is classified as Mediterranean Smart Cards Company confidential and proprietary information. The recipient hereby is committed to hold in strict confidence the contents of this (e-mail, document, and information) and not to disclose to any third party without the prior written consent of Mediterranean Smart Cards Company. Recipient will be held liable for any unauthorized disclosure. It is intended solely for the addressee. Unless you are the addressee, you may not read, copy, use or store this e-mail in any way, or permit others to. If you have received it in error, please notify the sender by return e-mail and delete the message in its entirety, including any attachments.
RE: Cisco PIX VPN question...

Thanks to all who have responded. I've made some progress but hit another bump in the road. Here's my network layout..

                                                            [net2]
                                                           /
  [office net]--[pix1]------<VPN>------[pix2]---[net1]---[pix3]
                                                           \
                                                            [net3]

I can get to any host on net1 without any trouble, but I cannot get to net2 or net3. Connection attempts don't seem to go anywhere, and nothing (for the connections in question) shows up in the logs from any of the PIXes. The only thing out of the ordinary I've noticed is that in the PDM for pix1, under the IPSEC rules detailing each of the target networks to be protected, the IPSEC rules for net2 and net3 have (Null Rule) next to them. Can anyone tell me why this might be the case? Also, I can connect to pix2 with a VPN client and hit net2 and net3, so I at least know connectivity isn't an issue.

Thanks again...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Mohamed Farid
Sent: Sunday, May 27, 2007 1:16 AM
To: firewalls@...
Subject: RE: Cisco PIX VPN question...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 11:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...
RE: Cisco PIX VPN question...

I wanted to let the list know that I figured out why I couldn't hit net2 and net3 earlier. I was missing a few NAT exemption rules, and now that seems to work fine.

My next and last issue seems to be getting to net1, 2, or 3 while connected by remote access VPN client to pix1 from the outside. When viewing the PDM, it appears that the pool of addresses assigned to VPN clients is associated with the outside interface. When I attempt to add an IPSEC rule to allow traffic from the VPN pool to traverse the VPN, I get a message saying communication isn't allowed between interfaces with the same security level. I think in 7.0 this is remedied with the "same-security-traffic" command, but 6.3 doesn't seem to have this. Is this a valid workaround, and is there a similar version of this command for PIX 6.3?

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Tuesday, May 29, 2007 10:03 AM
To: 'Mohamed Farid'; 'firewalls@...'
Subject: RE: Cisco PIX VPN question...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Mohamed Farid
Sent: Sunday, May 27, 2007 1:16 AM
To: firewalls@...
Subject: RE: Cisco PIX VPN question...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 11:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...
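A cross-check for the three things this thread turns on: Prabhu's and Michael's advice that both ends must mirror each other and that every network in the crypto ACL also needs a translation exemption (nat 0), and the missing NAT exemptions behind Dan's unreachable net2/net3. This is example code written for this page, not anything posted in the thread; the sample configs, the ACL name NONAT, and the 172.25.46.0/24 and 172.25.47.0/24 subnets standing in for net2 and net3 are constructed.

```python
"""Cross-check two PIX 6.3-style L2L VPN configs against each other.
Constructed example: checks that the crypto ACLs mirror each other, that every
crypto-ACL network is also NAT-exempt (nat 0), and that ISAKMP parameters agree."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
ISAKMP_RE = re.compile(r"^isakmp policy \d+ (\w+) (\S+)$")

def net(addr, mask):
    # PIX takes dotted subnet masks, not wildcard bits
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    info = {"acls": {}, "nat0": None, "crypto_acl": None, "isakmp": {}}
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            info["acls"].setdefault(m[1], set()).add((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            info["nat0"] = m[1]
        elif m := MATCH_RE.match(line):
            info["crypto_acl"] = m[1]
        elif m := ISAKMP_RE.match(line):
            info["isakmp"][m[1]] = m[2]
    return info

def check_pair(cfg_a, cfg_b):
    # Returns a list of problems; an empty list means the two sides are consistent.
    a, b = parse(cfg_a), parse(cfg_b)
    crypto_a = a["acls"].get(a["crypto_acl"], set())
    crypto_b = b["acls"].get(b["crypto_acl"], set())
    problems = []
    # 1. Mirror image: each src->dst on one side must appear as dst->src on the peer.
    for side, mine, theirs in (("A", crypto_a, crypto_b), ("B", crypto_b, crypto_a)):
        for src, dst in mine:
            if (dst, src) not in theirs:
                problems.append(f"{side}: crypto ACL {src}->{dst} has no mirror on peer")
    # 2. Crypto-ACL traffic must also be in the nat 0 ACL, or NAT rewrites it first.
    for side, cfg, crypto in (("A", a, crypto_a), ("B", b, crypto_b)):
        exempt = cfg["acls"].get(cfg["nat0"], set())
        for src, dst in crypto:
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                problems.append(f"{side}: {src}->{dst} in crypto ACL but not NAT-exempt")
    # 3. Phase 1 parameters must match on both peers or the ISAKMP SA never comes up.
    for key in sorted(set(a["isakmp"]) | set(b["isakmp"])):
        if a["isakmp"].get(key) != b["isakmp"].get(key):
            problems.append(f"isakmp {key}: A={a['isakmp'].get(key)} B={b['isakmp'].get(key)}")
    return problems

# Constructed samples: pix1 fronts 192.168.137.0/24, pix2 fronts net1/net2/net3
# (172.25.45-47.0/24). pix1's nat 0 ACL only exempts net1, as in Dan's first attempt.
PIX1_BROKEN = """
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
access-list VPN_ACL permit ip 192.168.137.0 255.255.255.0 172.25.45.0 255.255.255.0
access-list VPN_ACL permit ip 192.168.137.0 255.255.255.0 172.25.46.0 255.255.255.0
access-list VPN_ACL permit ip 192.168.137.0 255.255.255.0 172.25.47.0 255.255.255.0
access-list NONAT permit ip 192.168.137.0 255.255.255.0 172.25.45.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map VPN_MAP 1 match address VPN_ACL
"""
PIX1_FIXED = PIX1_BROKEN + """
access-list NONAT permit ip 192.168.137.0 255.255.255.0 172.25.46.0 255.255.255.0
access-list NONAT permit ip 192.168.137.0 255.255.255.0 172.25.47.0 255.255.255.0
"""
PIX2 = """
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
access-list VPN_ACL permit ip 172.25.45.0 255.255.255.0 192.168.137.0 255.255.255.0
access-list VPN_ACL permit ip 172.25.46.0 255.255.255.0 192.168.137.0 255.255.255.0
access-list VPN_ACL permit ip 172.25.47.0 255.255.255.0 192.168.137.0 255.255.255.0
nat (inside) 0 access-list VPN_ACL
crypto map VPN_MAP 1 match address VPN_ACL
"""
```

check_pair(PIX1_BROKEN, PIX2) reports the net2 and net3 entries on pix1 as in the crypto ACL but not NAT-exempt; check_pair(PIX1_FIXED, PIX2) returns an empty list.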
RE: mfarid@mscc.com.eg - Found word(s) list error in the Text body - RE: Cisco PIX VPN question...

Most probably this is because there is no correct NAT for net2 and net3.

Mohamed Farid
Telecommunication & Security Department Manager
Mediterranean Smart Cards Company
92 Tahreer Street, Dokki / Cairo / Egypt
Website : www.mscc.com.eg
Email : mfarid@...
Phone : +2 02 3331439 / +2 02 3331400
Fax : +2 02 7621164
Mobile : +2 0122258350

-----Original Message-----
From: Dan Denton [mailto:info@...]
Sent: Tuesday, May 29, 2007 6:03 PM
To: Mohamed Farid; firewalls@...
Subject: mfarid@... - Found word(s) list error in the Text body - RE: Cisco PIX VPN question...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Mohamed Farid
Sent: Sunday, May 27, 2007 1:16 AM
To: firewalls@...
Subject: RE: Cisco PIX VPN question...

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 11:33 PM
To: firewalls@...
Subject: Cisco PIX VPN question...

-----Original Message-----
From: Dan Denton [mailto:ddenton@...]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@...'
Subject: Cisco PIX VPN question...