Re: help with vpn scenario [7:74366]

2003-08-26 Thread Francisco Gomez
Hi Chandler,

To secure the laptop of company A while connected via VPN from company B, my
suggestion is to run the Client Firewall feature the concentrator has (this
is why I love this device so much). While you are connected via VPN, the
concentrator will inject a set of rules (a firewall configuration) that
will run on the PC while connected. In other words:





[ASCII diagram: COMPANY A -- CVPN 300X -- LAPTOP -- COMPANY B (DOMAIN), with PC1 on Company B's network]





LAPTOP is connected to company B directly, right? OK, PC1 should be able to
ping LAPTOP because they belong to the same network. If LAPTOP is connected to
the CVPN300X, the concentrator will inject a set of firewall rules (like a
PIX) that will stop PC1 from pinging LAPTOP; in other words, the VPN client
installed is protecting the laptop and acting as a firewall on its own. This
means that while LAPTOP is connected, no one from company B will be able to
ping it; if LAPTOP is disconnected from the CVPN300X, PC1 will now be able to
ping it, because the firewall was removed along with the tunnel. For more
details on this please check the link below:



Client FW Parameters Tab (version 4.X)

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/usermgt.htm#1759740



My two cents,



Frank

Costa Rica



- Original Message -
From: Chandler Mike 
To: 
Sent: Monday, August 25, 2003 6:06 PM
Subject: help with vpn scenario [7:74366]


 Please help with the following scenario: A laptop user works for Company A
 and possesses a Company A laptop that belongs to their domain. The user
 needs to frequently access confidential records that belong to Company A
 while on another company's network.

 The user also works onsite (with Company A's laptop) at another company,
 Company B. This company has its own network, unrelated and not tied into
 Company A's network in any way. How does the user access a VPN concentrator
 located at Company A while working onsite at Company B without logging on to
 their domain? The laptop has the Cisco VPN client installed on it and the
 user uses it from home fine. But how does one set up a secure method of
 having the user VPN into Company A while on another company's network
 without compromising the data on the laptop?

 This is a real scenario, sorry if I am overlooking some obvious things, but
 I would appreciate any input on making this work. Thanks

 Mike C
 **Please support GroupStudy by purchasing from the GroupStudy Store:
 http://shop.groupstudy.com
 FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74382t=74366


Re: PIX VPN Setup [7:74369]

2003-08-26 Thread Francisco Gomez
John,



One question at a time:



1)  I noticed that I never set an isakmp pre-share key



  - Remember that for a VPN client connection, ISAKMP or Phase I is
established using aggressive mode in this case, and because the remote
connection could come from anywhere on the Internet, a pre-shared key is not
used like in a L2L tunnel (isakmp key  etc...). This is not a security
risk, but if you want to be a little more specific you can use digital
certificates (rsa-signatures), which will give you the opportunity to
trust more in the people getting connected. CRLs are definitely
something I would suggest. For more details check this link:



http://www.cisco.com/warp/public/471/configipsecsmart.html



...you can avoid the eToken part



2)   In testing I tried to get all traffic to flow through the VPN but I
think the pix prevents traffic coming in on the outside interface to leave
on that same interface



  - The PIX firewall will never redirect packets out the same interface they
have just arrived on; this is in order to prevent IP spoofing (that is how ASA
works on the PIX). On the other hand, another interface is the solution for
this, but the 501 only comes with outside/inside; the four ports you see on
the back are all inside (this is an embedded switch for SOHO users). But
remember that if you have another interface on the PIX (a 515 or 525), that
interface should be connected to another ISP and you'll need another default
gateway; another default gateway is something you cannot achieve unless you
are running 6.3.1 and enable OSPF for that device, but then again, this is a
design I would not recommend.



Summarizing, go with split-tunneling or use an IOS router or VPN
concentrator, and that will do the trick for you.



Finally, in regards to the config, everything looks OK; there is no need to
have more than one isakmp policy, but if you wish you can leave things the way
they are. Hope this helps a little.





My two cents,



Frank

Costa Rica





- Original Message -
From: John Cianfarani 
To: 
Sent: Monday, August 25, 2003 6:25 PM
Subject: PIX VPN Setup [7:74369]


 I'm setting up a small VPN just for home use so me and a few friends can
 log in remotely via a PIX 501 w/ 3DES over my cable connection.

 Now I've got it working, but found a few strange things I had questions
 about. I have each user set up with the VPNGROUP config lines (I will
 post the config below); everyone uses the Cisco VPN client to connect. Now
 I noticed that I never set an isakmp pre-share key and there is no spot
 to add one in the Cisco client, only user/pass; I would think that should
 be needed for secure connectivity. The other setup I did was have a
 split-tunnel applied to the user when they connect to only encrypt
 traffic destined for the local network, and any regular internet traffic
 would still go out the person's internet connection. In testing I tried
 to get all traffic to flow through the VPN but I think the PIX prevents
 traffic coming in on the outside interface from leaving on that same
 interface (as it would with internet traffic). Any way to do this or do
 you need another interface?
 Also just wondering if there is a better way to write this config or any
 other tips are appreciated.

 Here is an edited config with only the relevant portions.

 Thanks for any help
 John

 PIX Version 6.3(1)
 !
 access-list 80 permit ip any host 192.168.1.75
 access-list 80 permit ip any host 192.168.1.76
 access-list 80 permit ip any host 192.168.1.77
 access-list 80 permit ip any host 192.168.1.78
 access-list 80 permit ip any host 192.168.1.79
 !
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
 !
 ip address outside dhcp setroute
 ip address inside 192.168.1.254 255.255.255.0
 ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
 !
 global (outside) 1 interface
 nat (inside) 0 access-list 80
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 floodguard enable
 !
 crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
 crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
 crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
 crypto map MYMAP interface outside
 !
 isakmp enable outside
 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption 3des
 isakmp policy 10 hash sha
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 isakmp policy 20 authentication pre-share
 isakmp policy 20 encryption des
 isakmp policy 20 hash sha
 isakmp policy 20 group 1
 isakmp policy 20 lifetime 86400
 isakmp policy 30 authentication pre-share
 isakmp policy 30 encryption 3des
 isakmp policy 30 hash md5
 isakmp policy 30 group 2
 isakmp policy 30 lifetime 86400
 isakmp policy 40 authentication 

Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Francisco Gomez
Hi James,



It would be nice to have the output of show crypto ipsec sa on the PIX
while pinging back and forth. It would also be nice to get the output of
debug icmp trace and sh access-list, but in any case my
suggestion is this:



1) If you are doing split-tunneling I would suggest an access-list like
this:



access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0



and not:



 access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any



This is because you need to tell the PIX to create a pair of SAs for Phase II,
so the VPN client will encrypt data destined to 192.168.1.0/24 and the PIX
will encrypt traffic from the local LAN to the pool only.



Lastly, if you need to communicate to the DMZ as well, you may add these
lines to the access-list for nonat and interesting traffic:



access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0



I would recommend using the same access-list nonat for the line below:



nat (dmz) 0 access-l nonat



This is in order to avoid some bugs floating around in 6.3.1. Hope this helps
a little, and if you can send more details it would be nice to follow up on
this a little more. Have a good one!



My two cents,



Frank

Costa Rica

- Original Message -
From: James Willard 
To: 
Sent: Monday, August 25, 2003 5:17 PM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


 Hi all,

 Thanks in advance for reading this message. I am completely boggled on an
 issue here that I have literally been trying to troubleshoot for some 12
 hours now.

 I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.

 Here are the relevant parts of my config:

 :PIX Version 6.3(1)
 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 dmz security50
 access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
 access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
 ip local pool vpnusers 192.168.2.100-192.168.2.254
 nat (inside) 0 access-list nonat
 nat (inside) 10 0.0.0.0 0.0.0.0 0 0
 sysopt connection permit-ipsec
 crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 crypto ipsec security-association lifetime seconds 300
 crypto dynamic-map dynmap 30 set transform-set vpn
 crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
 crypto map crypto-map-swa interface outside
 isakmp enable outside
 isakmp identity address
 isakmp nat-traversal 20
 isakmp policy 1 authentication pre-share
 isakmp policy 1 encryption 3des
 isakmp policy 1 hash sha
 isakmp policy 1 group 2
 isakmp policy 1 lifetime 300
 vpngroup VPNUser address-pool vpnusers
 vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
 vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
 vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
 vpngroup VPNUser idle-time 1800
 vpngroup VPNUser password 

 Let's say the outside interface is 100.100.100.28. These are the networks:

 100.100.100.28  255.255.255.240  (outside)
 192.168.1.0     255.255.255.0    (inside)
 192.168.2.0     255.255.255.0    (vpn IP pool)
 10.0.1.0        255.255.255.0    (dmz)

 I can connect with the client just fine, but neither end can ping the other.
 Say the client machine gets the IP 192.168.2.100 from the pool; it cannot
 ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
 192.168.2.100. The VPN Client side shows packets being encrypted but none
 decrypted. The IPSec SA on the PIX shows packets being encrypted and none
 decrypted.

 Also worth noting is that the VPN client status shows Transparent
 Tunneling: Inactive on the status page while connecting, even though isakmp
 nat-traversal is enabled. An ethereal capture shows the client sending ESP
 packets to the PIX but none are coming back.

 Please, if anyone has any ideas I would love to hear them. This has been
 driving me crazy!

 Thanks,

 James Willard
 [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74384t=74363
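As an added example (not code from the thread, from Cisco, or from any of the posters), a small Python checker that applies Frank's advice from the PIX threads above to a PIX 6.3-style config: each split-tunnel ACE must name the address pool network as its destination rather than any, and the same ACE must appear in the access-list that nat 0 references so the traffic is exempt from NAT. The config text is constructed to mirror James's posted ACL, pool and vpngroup names.

```python
import ipaddress

# Constructed PIX 6.3-style fragment mirroring James's config (split-tunnel ACL ends in "any").
BAD_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""

def _take(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any' | 'host A' | 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse(config):
    """Collect ACLs, address pools, nat 0 exemptions and split-tunnel bindings."""
    acls, pools, nat0, split = {}, {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _take(t, 4)
            acls.setdefault(t[1], []).append((src, _take(t, i)[0]))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["nat"] and t[2] == "0" and t[3].startswith("access-l"):
            nat0[t[1].strip("()")] = t[4]      # interface -> exemption ACL name
        elif t[:1] == ["vpngroup"] and t[2] == "split-tunnel":
            split[t[1]] = t[3]                 # group -> split-tunnel ACL name
    return acls, pools, nat0, split

def audit(config):
    """Apply both rules from the thread to every split-tunnel ACE; return findings."""
    acls, pools, nat0, split = parse(config)
    exempt = {ace for name in nat0.values() for ace in acls.get(name, [])}
    findings = []
    for group, name in split.items():
        for src, dst in acls.get(name, []):
            if dst.prefixlen == 0:
                findings.append(f"{name} ({group}): destination 'any'; use the pool network")
            elif not any(lo in dst and hi in dst for lo, hi in pools.values()):
                findings.append(f"{name} ({group}): {dst} does not cover the address pool")
            elif (src, dst) not in exempt:
                findings.append(f"{name} ({group}): {src} -> {dst} has no nat 0 exemption")
    return findings
```

Running audit() over the corrected config Frank describes (pool network as destination, DMZ line added to both nonat and the split-tunnel ACL, nat (dmz) 0 bound to nonat) returns no findings.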