PIX VPN mesh with access to multiple subnets at one of the sites?



I wonder whether any of the experts in this group can help me.

I have three sites (a 'central' one and two remotes), each with a single
subnet, that are interconnected with a PIX-to-PIX IPsec VPN mesh. The
whole thing has worked flawlessly since it was originally set up a few
months ago, in that it provides intervisibility between IP hosts at each of
the three sites.

I now have to move some of the servers at the central site to their own
subnet on their own VLAN (named 'Databases' at 192.168.3.0/24). I need to
be able to provide connectivity to hosts on the Databases subnet/VLAN from
the two remote sites. However, I just have not been able to make this work.

With the central and remote configurations that are appended, if I do 'debug
packet Databases' and then ping a host on the Databases VLAN at Central from
the remote site, I can see the echo packet being sent to the host on the
Databases subnet/VLAN, and I can see the echo reply being sent back from
that host to the central PIX.

I can also see the hitcount increment on the
access-list Databases_acl permit icmp any any echo-reply
rule (that is generated from the object group named 'ICMP-allowed') on the
central PIX.

However, I do not see the encapsulated packets count increment on the PIX at
the central site end of the IPsec SA with the remote site that originated
the ping. And, needless to say, the host from which I sent the ping does
not see any response.

Can anybody point me at what I've got wrong in the appended configs? Note
that other required access to the Databases subnet/VLAN from the 10.0.0.0/24
subnet at the central site, and from two other subnets, 10.0.1.0/24 and
10.0.2.0/24 (each connected via a router), all works fine. The
problem is only with the VPN-connected sites that have the 10.0.3.0/24 and
10.0.4.0/24 subnets on their inside interfaces. I realise that, in what
follows, some of the ACLs show signs of my increasing desperation to get the
required setup working:

** Central site:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan99 physical
interface ethernet1 vlan1 logical
interface ethernet1 vlan3 logical
interface ethernet1 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 i-physical security99
nameif vlan1 inside security100
nameif vlan3 Databases security90
nameif vlan4 DMZ1 security50
enable password *** encrypted
passwd *** encrypted
hostname PIX515-1
domain-name ***.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8888
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.x PIX_RemoteA
name 10.0.3.0 Net_RemoteA
name x.x.x.x PIX_RemoteB
name 10.0.4.0 Net_RemoteB
object-group icmp-type ICMP-allowed
description ICMP types allowed in from outside
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
object-group service DellERA tcp
description The bunch of protocols used to access a Dell remote console card
port-object eq www
port-object eq https
port-object range 5800 5809
port-object range 5900 5909
object-group service sitescope tcp
description Sitesope port
port-object eq 8888
object-group network xxx
description External IPs of xxx systems
network-object x.x.x.x 255.255.255.240
network-object host x.x.x.x
network-object host x.x.x.x
object-group network MLabsInbound
description External IPs of MessageLabs systems permitted to deliver SMTP
.
.
.
object-group network shadowdns
description External IPs of xxx shadow primary DNS servers
network-object host x.x.x.x
network-object host x.x.x.x
access-list outside_acl remark ACL for inbound to the interface named outside
access-list outside_acl remark ----------------------------------------------
access-list outside_acl remark -- ICMP access
access-list outside_acl permit icmp any any object-group ICMP-allowed
access-list outside_acl remark -- Access to mailserver from MessageLabs
access-list outside_acl permit tcp object-group MLabsInbound host x.x.x.x eq smtp
access-list outside_acl remark -- Access to platform management server from xxx
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq www
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq 8888
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq 3389
access-list outside_acl remark -- DNS access to platform management server from xxx and xxx
access-list outside_acl permit tcp object-group shadowdns host x.x.x.x eq domain
access-list outside_acl permit udp object-group shadowdns host x.x.x.x eq domain
access-list outside_acl permit tcp object-group xxx host x.x.x.x eq domain
access-list outside_acl permit udp object-group xxx host x.x.x.x eq domain
access-list outside_acl remark -- Access to web server pool
access-list outside_acl permit tcp any host x.x.x.x eq www
access-list outside_acl permit tcp any host x.x.x.x eq https
access-list inside_acl remark ACL for inbound to the interface named inside
access-list inside_acl remark ---------------------------------------------
access-list inside_acl remark -- Hosts permittted to send SMTP
access-list inside_acl permit tcp host 10.0.0.3 any eq smtp
access-list inside_acl permit tcp host 10.0.0.93 any eq smtp
access-list inside_acl permit tcp host 10.0.0.14 any eq smtp
access-list inside_acl permit tcp host 10.0.0.178 any eq smtp
access-list inside_acl remark -- Default posture
access-list inside_acl deny tcp any any eq smtp
access-list inside_acl permit ip any any
access-list Databases_acl remark ACL for inbound to the interface named Databases
access-list Databases_acl remark ------------------------------------------------
access-list Databases_acl remark -- ICMP access
access-list Databases_acl permit icmp any any object-group ICMP-allowed
access-list DMZ1_acl remark ACL for inbound to the interface named DMZ1
access-list DMZ1_acl remark -------------------------------------------
access-list DMZ1_acl remark -- ICMP access
access-list DMZ1_acl permit icmp any any object-group ICMP-allowed
access-list inside_outbound_nat0_acl remark ACL for NAT exceptions for VPN users
access-list inside_outbound_nat0_acl remark ------------------------------------
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.201
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.202
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.203
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.204
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.205
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.206
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.207
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.208
access-list inside_outbound_nat0_acl permit ip any host 10.0.0.209
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.1
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.2
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.3
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.4
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.5
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.6
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.7
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.8
access-list inside_outbound_nat0_acl permit ip any host 10.100.0.9
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_RemoteA 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_RemoteB 255.255.255.0
access-list outside_cryptomap_dyn_20_acl remark ACL for remote access VPN users
access-list outside_cryptomap_dyn_20_acl remark -------------------------------
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.201
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.202
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.203
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.204
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.205
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.206
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.207
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.208
access-list outside_cryptomap_dyn_20_acl permit ip any host 10.0.0.209
access-list outside_cryptomap_21_acl remark ACL for crypto map 21 - Remote A
access-list outside_cryptomap_21_acl remark -------------------------------------
access-list outside_cryptomap_21_acl permit ip 10.0.0.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 10.0.1.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 10.0.2.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 192.168.3.0 255.255.255.0 Net_RemoteA 255.255.255.0
access-list outside_cryptomap_22_acl remark ACL for crypto map 22 - Remote B
access-list outside_cryptomap_22_acl remark ------------------------------
access-list outside_cryptomap_22_acl permit ip 10.0.0.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 10.0.1.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 10.0.2.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 192.168.3.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list Databases_outbound_nat0_acl remark ACL for NAT exceptions for Databases interface
access-list Databases_outbound_nat0_acl remark ----------------------------------------------
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.201
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.202
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.203
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.204
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.205
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.206
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.207
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.208
access-list Databases_outbound_nat0_acl permit ip any host 10.0.0.209
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.1
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.2
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.3
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.4
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.5
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.6
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.7
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.8
access-list Databases_outbound_nat0_acl permit ip any host 10.100.0.9
access-list Databases_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list Databases_outbound_nat0_acl permit ip any Net_RemoteA 255.255.255.0
access-list Databases_outbound_nat0_acl permit ip any Net_RemoteB 255.255.255.0
pager lines 20
logging on
mtu outside 1500
mtu i-physical 1500
ip address outside x.x.x.x 255.255.255.192
ip address i-physical 192.168.255.1 255.255.255.0
ip address inside 10.0.0.253 255.255.255.0
ip address Databases 192.168.3.1 255.255.255.0
ip address DMZ1 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNremotes 10.0.0.201-10.0.0.209
ip local pool PPTPremotes 10.100.0.1-10.100.0.9
pdm location 10.0.0.0 255.255.255.0 inside
..
..
..
pdm group shadowdns outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x netmask 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (Databases) 0 access-list Databases_outbound_nat0_acl
static (inside,outside) x.x.x.x 10.0.0.178 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.0.0.14 netmask 255.255.255.255 0 0
static (DMZ1,outside) x.x.x.x 192.168.4.17 netmask 255.255.255.255 0 0
static (inside,Databases) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group Databases_acl in interface Databases
access-group DMZ1_acl in interface DMZ1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
route inside 10.0.2.0 255.255.255.0 10.0.0.254 1
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server x.x.x.x source outside prefer
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
http Net_RemoteA 255.255.255.0 inside
http Net_RemoteB 255.255.255.0 inside
snmp-server host inside 10.0.0.14
snmp-server location First floor server room
snmp-server contact xxx
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20_acl
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21_acl
crypto map outside_map 21 set peer PIX_RemoteA
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 22 ipsec-isakmp
crypto map outside_map 22 match address outside_cryptomap_22_acl
crypto map outside_map 22 set peer PIX_RemoteB
crypto map outside_map 22 set transform-set ESP-AES-256-SHA
crypto map outside_map 22 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PIX_RemoteA netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address PIX_RemoteB netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 22
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
vpngroup xxxx address-pool VPNremotes
vpngroup xxxx dns-server 10.0.0.1 10.0.2.1
vpngroup xxxx default-domain xxx.co.uk
vpngroup xxxx split-tunnel inside_outbound_nat0_acl
vpngroup xxxx idle-time 3600
vpngroup xxxx password ********
..
..
..
ca identity xxx 10.0.0.93:/certsrv/mscep/mscep.dll
ca configure xxx ra 1 20 crloptional
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet Net_RemoteA 255.255.255.0 inside
telnet Net_RemoteB 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local PPTPremotes
vpdn group PPTP-VPDN-GROUP client configuration dns 10.0.0.1 10.0.2.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxx password *********
vpdn username xxx password *********
vpdn enable outside
terminal width 100
Cryptochecksum:42b23b3c93f08380055ffad89c23754f
: end
[OK]


** Remote site (Remote B):
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname fw1-xx
domain-name xxx.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.x PIX_Central
name 10.0.0.0 Net_Central
name x.x.x.x PIX_RemoteA
name 10.0.3.0 Net_RemoteA
object-group icmp-type icmp-allowed
description ICMP types allowed in from outside
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
object-group service DellERA tcp
description The bunch of protocols used to access a Dell remote console card
port-object eq www
port-object eq https
port-object range 5800 5809
port-object range 5900 5909
access-list outside_acl remark ACL for inbound to the interface named outside
access-list outside_acl remark ----------------------------------------------
access-list outside_acl permit icmp any any object-group icmp-allowed
access-list inside_acl remark ACL for inbound to the interface named inside
access-list inside_acl remark ---------------------------------------------
access-list inside_acl remark -- Default posture
access-list inside_acl deny tcp any any eq smtp
access-list inside_acl permit ip any any
access-list inside_outbound_nat0_acl remark ACL for NAT exceptions for VPN users
access-list inside_outbound_nat0_acl remark ------------------------------------
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.201
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.202
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.203
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.204
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.205
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.206
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.207
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.208
access-list inside_outbound_nat0_acl permit ip any host 10.0.4.209
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.1
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.2
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.3
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.4
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.5
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.6
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.7
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.8
access-list inside_outbound_nat0_acl permit ip any host 10.104.0.9
access-list inside_outbound_nat0_acl permit ip any Net_Central 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_RemoteA 255.255.255.0
access-list split_tunnel_acl remark ACL for split tunnel for VPN users
access-list split_tunnel_acl remark ------------------------------------
access-list split_tunnel_acl remark Apparently needed by PDM 3.0(4)
access-list split_tunnel_acl permit ip any host 10.0.4.201
access-list split_tunnel_acl permit ip any host 10.0.4.202
access-list split_tunnel_acl permit ip any host 10.0.4.203
access-list split_tunnel_acl permit ip any host 10.0.4.204
access-list split_tunnel_acl permit ip any host 10.0.4.205
access-list split_tunnel_acl permit ip any host 10.0.4.206
access-list split_tunnel_acl permit ip any host 10.0.4.207
access-list split_tunnel_acl permit ip any host 10.0.4.208
access-list split_tunnel_acl permit ip any host 10.0.4.209
access-list split_tunnel_acl permit ip any Net_Central 255.255.255.0
access-list split_tunnel_acl permit ip any 10.0.1.0 255.255.255.0
access-list split_tunnel_acl permit ip any 10.0.2.0 255.255.255.0
access-list split_tunnel_acl permit ip any 192.168.3.0 255.255.255.0
access-list split_tunnel_acl permit ip any Net_RemoteA 255.255.255.0
access-list outside_cryptomap_dyn_22_acl remark ACL for remote access VPN users
access-list outside_cryptomap_dyn_22_acl remark -------------------------------
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.201
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.202
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.203
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.204
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.205
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.206
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.207
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.208
access-list outside_cryptomap_dyn_22_acl permit ip any host 10.0.4.209
access-list outside_cryptomap_20_acl remark ACL for crypto map 20 - Central
access-list outside_cryptomap_20_acl remark ---------------------------------
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 Central 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_21_acl remark ACL for crypto map 21 - Remote A
access-list outside_cryptomap_21_acl remark -------------------------------------
access-list outside_cryptomap_21_acl permit ip 10.0.4.0 255.255.255.0 Net_RemoteA 255.255.255.0
pager lines 20
logging on
logging timestamp
logging buffered warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 10.0.4.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNremotes 10.0.4.201-10.0.4.209
ip local pool PPTPremotes 10.104.0.1-10.104.0.9
pdm location 10.0.0.14 255.255.255.255 inside
..
..
..
pdm location 192.168.3.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server x.x.x.x source outside prefer
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
ntp server x.x.x.x source outside
http server enable
http Net_Central 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
http Net_RemoteA 255.255.255.0 inside
http 10.0.4.0 255.255.255.0 inside
snmp-server host inside 10.0.0.14
snmp-server location RemoteB
snmp-server contact xxx
snmp-server community xxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 22 match address outside_cryptomap_dyn_22_acl
crypto dynamic-map outside_dyn_map 22 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 22 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20_acl
crypto map outside_map 20 set peer PIX_Central
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21_acl
crypto map outside_map 21 set peer PIX_RemoteA
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 set security-association lifetime seconds 86400 kilobytes 32000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address PIX_Central netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address PIX_RemoteA netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 22
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption aes-256
isakmp policy 40 hash sha
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
vpngroup xxx address-pool VPNremotes
vpngroup xxx dns-server 10.0.4.1
vpngroup xxx default-domain xxxx.co.uk
vpngroup xxx split-tunnel split_tunnel_acl
vpngroup xxx idle-time 3600
vpngroup xxx password ********
telnet Net_Central 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet Net_RemoteA 255.255.255.0 inside
telnet 10.0.4.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local PPTPremotes
vpdn group PPTP-VPDN-GROUP client configuration dns 10.0.4.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxx password *********
vpdn enable outside
terminal width 100
Cryptochecksum:2d2814d84f5b56055b6e890116ee2c4a
: end
[OK]


And if you've read this far through all that lot, then thanks!

Tim Levy
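Added example, not part of Tim's post and not a Cisco tool: a short Python script that reads the sort of lines quoted above, resolves `name` aliases, and runs three checks a practitioner would do on a PIX 6.x site-to-site mesh before reaching for `debug crypto`: that the crypto ACL on each end is the exact mirror of the peer's, that every crypto ACL entry is covered by a nat 0 exemption (otherwise the traffic is PATed before the crypto map sees it), and that no `static` presents a mapped range on an interface that overlaps a VPN peer's network. The two config excerpts are constructed from the central and Remote B configs above (crypto maps 22 and 20); the Remote B crypto ACL line that reads `Central 255.255.255.0` is assumed to mean the `Net_Central` name. The function names and the report format are mine.

```python
import ipaddress

# Constructed excerpts of the two configs quoted in the post, cut down to the
# lines these checks read. Addresses and names are the post's own; the first
# Remote B crypto ACL line is assumed to refer to the Net_Central name.
CENTRAL = """\
name 10.0.4.0 Net_RemoteB
access-list outside_cryptomap_22_acl remark ACL for crypto map 22 - Remote B
access-list outside_cryptomap_22_acl permit ip 10.0.0.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 10.0.1.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 10.0.2.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list outside_cryptomap_22_acl permit ip 192.168.3.0 255.255.255.0 Net_RemoteB 255.255.255.0
access-list Databases_outbound_nat0_acl permit ip any Net_RemoteB 255.255.255.0
nat (Databases) 0 access-list Databases_outbound_nat0_acl
static (inside,Databases) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
crypto map outside_map 22 match address outside_cryptomap_22_acl
"""
REMOTE_B = """\
name 10.0.0.0 Net_Central
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 Net_Central 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Net_Central 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20_acl
"""


def _net(t, i, names):
    """Consume one ACL address term (any | host X | ADDR MASK) at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2


def parse(config):
    """Collect the name, access-list, nat 0, static and crypto-map lines (only those keywords)."""
    cfg = {"names": {}, "acls": {}, "nat0": {}, "statics": [], "crypto": {}}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                                   # name ADDR ALIAS
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":     # access-list NAME permit PROTO SRC DST
            src, i = _net(t, 4, cfg["names"])
            dst, _ = _net(t, i, cfg["names"])
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "static":                               # static (real,mapped) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            cfg["statics"].append((real_if, mapped_if, ipaddress.ip_network(f"{t[2]}/{mask}", strict=False)))
        elif t[:2] == ["crypto", "map"] and "match" in t:    # crypto map NAME SEQ match address ACL
            cfg["crypto"][int(t[3])] = t[t.index("address") + 1]
    return cfg


def crypto_entries(cfg, seq):
    return cfg["acls"][cfg["crypto"][seq]]


def mirror_gaps(local, local_seq, peer, peer_seq):
    """Crypto ACL entries with no reversed counterpart on the peer, as
    (missing_on_peer, missing_locally). Phase 2 only comes up for proxy
    identities both ends propose, so both lists should be empty."""
    mine = set(crypto_entries(local, local_seq))
    theirs = {(p, d, s) for p, s, d in crypto_entries(peer, peer_seq)}
    return sorted(mine - theirs, key=str), sorted(theirs - mine, key=str)


def unexempted(cfg, seq):
    """Crypto ACL entries not covered by any nat 0 access-list. Such traffic is
    translated to the outside global address first and then no longer matches
    the crypto ACL, so it never enters the tunnel."""
    exempt = [e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])]
    return [(p, s, d) for p, s, d in crypto_entries(cfg, seq)
            if not any(s.subnet_of(xs) and d.subnet_of(xd) for _, xs, xd in exempt)]


def shadowing_statics(cfg, seq):
    """Statics whose mapped range overlaps a VPN peer network. PIX 6.x looks the
    destination up in the xlate/static table before the routing table, so a host
    behind the mapped interface answering that peer is steered at the static's
    real interface instead of outside, and the crypto map never sees the reply."""
    peers = sorted({d for _, _, d in crypto_entries(cfg, seq)}, key=str)
    return [(mapped_if, str(mapped), str(peer), real_if)
            for real_if, mapped_if, mapped in cfg["statics"]
            for peer in peers if mapped.overlaps(peer)]


def report(local, local_seq, peer, peer_seq):
    """One-line findings for a single tunnel, as seen from `local`."""
    on_peer, on_local = mirror_gaps(local, local_seq, peer, peer_seq)
    lines = [f"mirror: missing on peer {e}" for e in on_peer]
    lines += [f"mirror: missing locally {e}" for e in on_local]
    lines += [f"nat0: not exempted {e}" for e in unexempted(local, local_seq)]
    lines += [f"static on {m_if} for {m} overlaps peer {p}; replies would go to {r_if}"
              for m_if, m, p, r_if in shadowing_statics(local, local_seq)]
    return lines or ["no findings"]


if __name__ == "__main__":
    central, remote_b = parse(CENTRAL), parse(REMOTE_B)
    print("central -> Remote B:", *report(central, 22, remote_b, 20), sep="\n  ")
    print("Remote B -> central:", *report(remote_b, 20, central, 22), sep="\n  ")
```

Run as-is, the mirror and nat 0 checks come back clean for both ends, and the overlap check reports one finding on the central PIX: `static (inside,Databases) 10.0.0.0 10.0.0.0 netmask 255.255.0.0` maps the whole of 10.0.0.0/16 onto the Databases interface, a range that contains 10.0.3.0/24 and 10.0.4.0/24. Because PIX 6.x consults the static before the route table when picking the egress interface, that entry is the first thing to check against the symptom of replies that reach the central PIX but never get encapsulated; narrowing it to 255.255.255.0 (and covering 10.0.1.0/24 and 10.0.2.0/24 separately if Databases hosts need them) keeps the remote-site replies off the inside interface. The script only reads the keywords it needs and is not a general PIX config parser.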

