RE: PIX VPN Setup [7:74369]

2003-09-02 Thread Deepali S
Hi John,

 The isakmp and pre-share key is used only when you have an L2L tunnel
setup.
 When you have a VPN tunnel between the Client and the PIX, the command below is
the same as the isakmp and pre-shared key.

 vpngroup VPNUSER password  
 
 Split tunneling is used when you want the user to browse the internet while
he still has a VPN tunnel established.

 Please check this link to learn more about split tunneling:

 http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

 Let me know if you have any queries.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74635t=74369
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


PIX VPN Setup [7:74369]

2003-08-26 Thread John Cianfarani
I'm setting up a small VPN just for home use so me and a few friends can
log in remotely via a PIX 501 w/ 3DES over my cable connection.  
 
Now I've got it working, but found a few strange things I had questions
about.  I have each user set up with the VPNGROUP config lines (I will
post the config below); everyone uses the Cisco VPN client to connect.  Now
I noticed that I never set an isakmp pre-share key, and there is no spot
to add one in the Cisco client, only user/pass; I would think that should
be needed for secure connectivity.  The other setup I did was have a
split-tunnel applied to the user when they connect, to only encrypt
traffic destined for the local network, and any regular internet traffic
would still go out the person's internet connection.  In testing I tried
to get all traffic to flow through the VPN, but I think the PIX prevents
traffic coming in on the outside interface from leaving on that same
interface (as it would with internet traffic).  Any way to do this, or do
you need another interface?
Also just wondering if there is a better way to write this config or any
other tips are appreciated.
 
Here is an edited config with only the relevant portions.
 
Thanks for any help
John
 
PIX Version 6.3(1)
!
access-list 80 permit ip any host 192.168.1.75 
access-list 80 permit ip any host 192.168.1.76 
access-list 80 permit ip any host 192.168.1.77 
access-list 80 permit ip any host 192.168.1.78 
access-list 80 permit ip any host 192.168.1.79 
!
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79 
!
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
!
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
floodguard enable
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac 
crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
!
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER dns-server 
vpngroup VPNUSER default-domain cisco.com
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password 
vpngroup john address-pool REMOTEUSER
vpngroup john dns-server 
vpngroup john default-domain cisco.com
vpngroup john idle-time 1800
vpngroup john password 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74369t=74369


Re: PIX VPN Setup [7:74369]

2003-08-26 Thread Francisco Gomez
John,

One question at a time:

1)  I noticed that I never set an isakmp pre-share key

  - Remember that for a VPN client connection, ISAKMP (Phase I) is
established using aggressive mode in this case, and because the remote
connection could come from anywhere on the Internet, a pre-shared key is not
used like in an L2L tunnel (isakmp key ... etc.). This is not a security
risk, but if you want to be a little more specific, you can use digital
certificates (rsa-signatures), which will give you the opportunity to
trust the people getting connected more. CRLs are definitely
something I would suggest. For more details check this link:

http://www.cisco.com/warp/public/471/configipsecsmart.html

...you can avoid the eToken part

2)   In testing I tried to get all traffic to flow through the VPN but I
think the pix prevents  traffic coming in on the outside interface to leave
on that same  interface

  - The PIX firewall will never redirect packets out the same interface they
have just arrived on; this is in order to prevent IP spoofing (that is how the ASA
works on the PIX). On the other hand, another interface is the solution for
this, but the 501 only comes with outside/inside; the four ports you see on
the back are all inside (this is an embedded switch for SOHO users). But
remember that if you have another interface on the PIX (a 515 or 525), that
interface should be connected to another ISP and you'll need another default
gateway; another default gateway is something you cannot achieve unless you
are running 6.3.1 and enable OSPF for that device, but then again, this is a
design I would not recommend.

Summarizing, go with split-tunneling or use an IOS router or VPN
concentrator and that will do the trick for you.

Finally, in regards to the config, everything looks ok; there is no need to have
more than one isakmp policy, but if you wish you can leave things the way
they are. Hope this helps a little.

My two cents,

Frank

Costa Rica





----- Original Message -----
From: John Cianfarani 
To: 
Sent: Monday, August 25, 2003 6:25 PM
Subject: PIX VPN Setup [7:74369]


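As an added example (not code from the thread or from Cisco), a small Python audit of the parts of a PIX 6.3 config this thread turns on: it checks that every vpngroup has a password (the group pre-shared key Deepali and Frank describe), that a split-tunnel ACL written in John's per-host style names only addresses the group's pool can hand out, and flags ISAKMP policies using DES, MD5 or group 1 as well as the presence of more than one policy, which Frank notes is unnecessary. The embedded config is a constructed sample modelled on John's, with a placeholder group key; treating the ACL's destination hosts as the pool addresses is an assumption taken from the thread's ACL 90.

```python
import ipaddress

# Constructed sample modelled on the thread's PIX 6.3(1) config; the group key is a placeholder.
SAMPLE_CONFIG = """\
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.80
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER password PLACEHOLDER-GROUP-KEY
vpngroup john address-pool REMOTEUSER
"""
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}  # Phase 1 settings worth flagging

def parse(text):
    cfg = {"acl": {}, "pool": {}, "isakmp": {}, "vpngroup": {}}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2] == "permit":
            cfg["acl"].setdefault(t[1], []).append(t)
        elif t[:3] == ["ip", "local", "pool"]:  # expand "first-last" into the set of pool addresses
            lo, hi = (ipaddress.ip_address(a) for a in t[4].split("-"))
            cfg["pool"][t[3]] = {str(lo + i) for i in range(int(hi) - int(lo) + 1)}
        elif t[:2] == ["isakmp", "policy"]:  # policy number -> {attribute: value}
            cfg["isakmp"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[0] == "vpngroup":  # group name -> {attribute: value}; a bare "password" stays empty
            cfg["vpngroup"].setdefault(t[1], {})[t[2]] = t[3] if len(t) > 3 else ""
    return cfg

def audit(cfg):
    out = []
    for name, a in cfg["vpngroup"].items():
        if not a.get("password"):  # on the PIX this is the VPN client's group pre-shared key
            out.append(f"vpngroup {name}: no password (group pre-shared key) set")
        pool = cfg["pool"].get(a.get("address-pool"), set())
        stray = {t[-1] for t in cfg["acl"].get(a.get("split-tunnel", ""), []) if t[-2] == "host"} - pool
        if stray:  # "permit ... host X" destinations that the group's pool never hands out
            out.append(f"vpngroup {name}: split-tunnel ACL {a['split-tunnel']} lists non-pool hosts {sorted(stray)}")
    for num, p in cfg["isakmp"].items():
        weak = [f"{k} {p[k]}" for k in WEAK if p.get(k) in WEAK[k]]
        if weak:
            out.append(f"isakmp policy {num}: weak {', '.join(weak)}")
    if len(cfg["isakmp"]) > 1:
        out.append(f"{len(cfg['isakmp'])} isakmp policies; one that matches the client is enough")
    return out
```

Run `audit(parse(open("pix.cfg").read()))` against a saved `show running-config` to get the same findings for a real box.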