Re: IPSEC to PIX 515
- From: davidspollack@xxxxxxxxx
- Date: 14 Apr 2006 08:39:59 -0700
Thanks for the quick reply. I'll take your recommendations into
consideration.

As for the "savvis" interface: we are in the midst of switching from
one provider (business-class cable, no BGP available) over to a T1;
that's why the two interfaces have the same security level, and why only
one host (for testing) was set up to go that way.
I'm looking to solve the Cisco IPsec client problem right now; they
connect to the outside interface via a dynamic crypto map.

Also, you must not use the same access list for a 'match address' and an
'access-group': note these are different:
access-group savvist in interface savvist (note the t)
crypto map outside 1 match address savvis

The full config is below. Thanks!
==============================================
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list inside permit ip any any
access-list houston permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list pune permit ip 10.0.10.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list pune permit ip 10.0.0.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list savvist permit icmp any any echo-reply
access-list savvist permit icmp any any unreachable
access-list savvist permit icmp any any source-quench
access-list savvist permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500
ip address outside w.x.y.z 255.255.255.248
ip address inside 10.0.15.1 255.255.255.0
ip address savvist a.b.c.d 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route inside 10.0.0.0 255.255.255.0 10.0.15.2 1
route inside 10.0.1.0 255.255.255.0 10.0.15.2 1
route inside 10.0.10.0 255.255.255.0 10.0.15.2 1
route inside 10.0.12.0 255.255.255.0 10.0.15.2 1
route inside 10.0.14.0 255.255.255.0 10.0.15.2 1
route savvist a.b.c.d 255.255.255.255 e.f.g.h 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 10
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 10
console timeout 0
vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
terminal width 80
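The point raised in the post (the interface ACL `savvist` and the crypto match list `savvis` differ by one letter, and the crypto ACLs must also be covered by the `nat 0` exemption list) is easy to mis-read by eye in a config of this size. The script below is an added example for this thread, not code from the original post or from Cisco: it parses the `access-list`, `access-group`, `nat 0` and `crypto map ... match address` lines of a PIX 6.x config and reports an ACL that is both an interface ACL and a crypto match list, a crypto map or access-group that names an ACL the config never defines, and a crypto ACL entry the NAT-exemption list does not cover. `SAMPLE_CONFIG` is a constructed excerpt of the posted config (wrapped mask lines rejoined, peer addresses and unrelated lines omitted); the two mutated copies in `__main__` are constructed to show the checks firing.

```python
"""Static checks over a PIX 6.x configuration (added example, not Cisco code)."""
import ipaddress

# Constructed sample: an excerpt of the config posted in the thread.
SAMPLE_CONFIG = """\
access-list outside permit icmp any any echo-reply
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list houston permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list pune permit ip 10.0.10.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list savvist permit icmp any any echo-reply
nat (inside) 0 access-list nonat
access-group outside in interface outside
access-group savvist in interface savvist
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
"""


def _parse_addr(parts, i):
    """Read one PIX address spec at parts[i]: 'any', 'host A', or 'A MASK'.
    Returns (network, index of the next token)."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the parts of a PIX 6.x config that the checks need."""
    cfg = {"acls": {}, "access_groups": {}, "match_address": {}, "nat0": None}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "access-list" and parts[2] in ("permit", "deny"):
            # access-list NAME permit|deny PROTO SRC [MASK] DST [MASK] [...]
            src, i = _parse_addr(parts, 4)
            dst, _ = _parse_addr(parts, i)
            cfg["acls"].setdefault(parts[1], []).append((parts[2], parts[3], src, dst))
        elif len(parts) == 5 and parts[0] == "access-group":
            # access-group NAME in interface IFNAME
            cfg["access_groups"][parts[1]] = parts[4]
        elif len(parts) == 7 and parts[:2] == ["crypto", "map"] and parts[4:6] == ["match", "address"]:
            # crypto map MAPNAME SEQ match address NAME
            cfg["match_address"][parts[6]] = (parts[2], int(parts[3]))
        elif len(parts) == 5 and parts[0] == "nat" and parts[2] == "0" and parts[3] == "access-list":
            # nat (IFNAME) 0 access-list NAME  -> the NAT-exemption list
            cfg["nat0"] = parts[4]
    return cfg


def audit(text):
    """Run the three checks; returns {check: [finding, ...]}; empty lists mean clean."""
    cfg = parse_config(text)
    reuse, undefined, exemption = [], [], []
    for acl, (cmap, seq) in sorted(cfg["match_address"].items()):
        if acl in cfg["access_groups"]:
            reuse.append(f"{acl}: crypto map {cmap} {seq} match address and "
                         f"access-group on interface {cfg['access_groups'][acl]}")
        if acl not in cfg["acls"]:
            undefined.append(f"{acl}: referenced by crypto map {cmap} {seq} but never defined")
    for acl in sorted(cfg["access_groups"]):
        if acl not in cfg["acls"]:
            undefined.append(f"{acl}: bound with access-group but never defined")
    # Each permit in a crypto ACL must sit inside some permit of the nat 0 list,
    # otherwise the traffic is translated before it is matched against the crypto ACL.
    nonat = cfg["acls"].get(cfg["nat0"], [])
    for acl in sorted(cfg["match_address"]):
        for action, _proto, src, dst in cfg["acls"].get(acl, []):
            if action != "permit":
                continue
            covered = any(src.subnet_of(s) and dst.subnet_of(d)
                          for a, _p, s, d in nonat if a == "permit")
            if not covered:
                exemption.append(f"{acl}: {src} -> {dst} is not exempted by nat 0 list {cfg['nat0']}")
    return {"acl_reuse": reuse, "undefined_acl": undefined, "nat_exemption": exemption}


if __name__ == "__main__":
    # Constructed mutations of the sample so each check has something to report.
    typo = SAMPLE_CONFIG.replace("access-group savvist in interface savvist",
                                 "access-group savvis in interface savvist")
    no_exempt = SAMPLE_CONFIG.replace(
        "access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0\n", "")
    for label, conf in (("posted", SAMPLE_CONFIG), ("typo", typo), ("no_exempt", no_exempt)):
        print(label, audit(conf))
```

On the posted excerpt all three lists come back empty, which is the point of the thread: `savvist` and `savvis` are distinct lists, and every crypto ACL entry is inside the `nonat` list. Dropping one `t` from the `access-group` line produces the reuse finding, and deleting the `10.1.0.0/24` line from `nonat` shows the `houston` tunnel losing its NAT exemption. The parser only understands the address forms that appear in this config (`any`, `host`, `A MASK`) and ignores port qualifiers; that is enough for the checks here but is an assumption, not a full PIX ACL grammar.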
- Follow-Ups:
  - Re: IPSEC to PIX 515 - From: Walter Roberson
- References:
  - IPSEC to PIX 515 - From: davidspollack
  - Re: IPSEC to PIX 515 - From: Walter Roberson