Re: PIX VPNs

2001-01-02 Thread gwakin

I feel led to tell you that, unless IOS or PIX software has been enhanced since last I
dealt with this issue, you will need to ensure that you're running different IP schemas
on each PIX, and preferably non-translated schemas at that.  Also, if you're planning to
run a routing protocol such as OSPF across the VPN link, you will need to look at
setting up a GRE tunnel to accomplish that purpose.  Needless to say, Cisco needs to do
a better job of due diligence on this VPN solution.

GWA

Austin wrote:

> I am looking for sample configs on PIX to PIX VPNs.
>
> _
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




RE: PIX VPNs

2001-01-02 Thread Rik Guyler

Here is an example of a 3-way PIX VPN (DES) using pre-shared keys.  I used
these as a template for setting up a VPN for a client of mine.

Rik Guyler

Austin wrote:

> I am looking for sample configs on PIX to PIX VPNs.
>




nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix2
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.20 255.255.255.0
ip address inside 10.1.2.1 255.255.255.0
arp timeout 14400
global (outside) 1 192.168.1.21-192.168.1.29
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.75 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 192.168.1.30
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.1.10 netmask 255.255.255.255
isakmp key cisco123 address 192.168.1.30 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 60
terminal width 80

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.10 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
arp timeout 14400
global (outside) 1 192.168.1.11-192.168.1.19
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.75 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mym
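A small audit of the pix1/pix2 configs above, added here as an example and not part of Rik's post: it checks that every crypto-map flow is also in the nonat list (traffic NATed before encryption is the classic reason a PIX tunnel never comes up), that the crypto ACLs on the two peers mirror each other, and flags the settings a reviewer would raise today (single DES, MD5, DH group 1, the default SNMP community). The config strings are constructed excerpts; pix1's crypto map lines are an assumption since the posted copy is cut off.

```python
import re
# Constructed excerpts of the configs posted above (crypto-relevant lines only).
# pix1's crypto map is assumed to mirror pix2's since the posted pix1 config is cut
# off; pix2's nonat line for 10.1.3.0 is left out on purpose so the NAT check fires.
PIX2 = """ip address outside 192.168.1.20 255.255.255.0
access-list 100 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.10
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 192.168.1.30
isakmp policy 10 encryption des"""
PIX1 = """ip address outside 192.168.1.10 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.168.1.20"""
ACL = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
MAP = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")
WEAK = ("esp-des", "encryption des", "hash md5", "group 1", "community public")

def parse(cfg):
    """ACL flows as (src, smask, dst, dmask), crypto map entries, outside IP, raw lines."""
    acls, maps = {}, {}
    for line in cfg.splitlines():
        if m := ACL.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := MAP.match(line):
            maps.setdefault(m[1], {})["acl" if m[2] == "match address" else "peer"] = m[3]
    return {"acls": acls, "maps": maps, "lines": cfg.splitlines(),
            "outside": re.search(r"ip address outside (\S+)", cfg)[1]}

def audit(cfg):
    """Flag crypto-map traffic not exempted from NAT (nat 0) plus weak settings."""
    c, findings = parse(cfg), []
    nonat = set(c["acls"].get("nonat", []))
    for seq, entry in c["maps"].items():
        for flow in c["acls"].get(entry.get("acl"), []):
            if flow not in nonat:
                findings.append(f"map {seq}: {flow[0]}->{flow[2]} is NATed before encryption")
    return findings + [f"weak: {l}" for l in c["lines"] if any(w in l for w in WEAK)]

def mirror_ok(local_cfg, remote_cfg):
    """Each crypto ACL flow toward the remote peer must appear reversed in its crypto ACLs."""
    local, remote = parse(local_cfg), parse(remote_cfg)
    remote_flows = {f for e in remote["maps"].values() for f in remote["acls"].get(e.get("acl"), [])}
    return all((d, dm, s, sm) in remote_flows
               for e in local["maps"].values() if e.get("peer") == remote["outside"]
               for s, sm, d, dm in local["acls"].get(e.get("acl"), []))
```

Run `audit(PIX2)` to see the NAT gap and the three weak settings, and `mirror_ok(PIX2, PIX1)` to confirm the pix1/pix2 leg is symmetric.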

Re: PIX VPNs

2001-01-02 Thread Adam Quiggle

George,

Interesting perspective.  However, depending upon the VPN protocol you
are using it may or may not provide a connectivity solution.  Since we
are talking about the PIX firewall, we must be talking about IPSec.  I
don't see IPSec as a connectivity solution, it is a security solution.
There are many ways to provide security, the most obvious is encryption.
Another method for providing security would be to hide the real ip addresses
of my Intranet.  By using the private address range (RFC 1918) on my
Intranet and translating outgoing packets to an Internet routable address,
I almost guarantee that no one can send a packet directly to any
of the computers on my intranet without going through my firewall or VPN.

VPNs can solve many problems, but connectivity is not always one of them.
There are certain VPN protocols such as PPTP, L2F, L2TP that can give you
a connectivity solution.  If you want to run a routing protocol through a
VPN, specifically IPSec, then you do need to set up a GRE tunnel.  The way
I see it GRE tunnels are a connectivity solution, because it allows you to
transport protocols that are not routable across an IP only backbone.  Keep
in mind that GRE tunnels are not a security solution, which is why you might
encrypt a GRE tunnel with IPSec.

If you don't care about hiding your address space from the rest of the world
and thus want a solution that doesn't require two distinct address spaces,
why focus on a PIX firewall, especially since its primary goal is to hide
your address space?  Instead, why not just terminate an IPSec tunnel between
two VPN accelerated routers? (They don't need to be accelerated, but
depending upon the projected bandwidth utilization they might need to be).
There are many routers that can be used to fit any number of requirements.
It all just depends upon that famous quote "what problem are we trying to
solve".

As my father always said.."the right tool for the right job"  :-)

So, where was I?  Oh..right...Austin...here is the link you are looking for:
http://www.cisco.com/warp/public/110/38.html

HTH,
AQ



At 11:40 AM 1/2/01, gwakin wrote:
>I feel led to tell you that, unless IOS or PIX software has been enhanced
>since last I dealt with this issue, you will need to ensure that you're
>running different IP schemas on each PIX, and preferably non-translated
>schemas at that.  Also, if you're planning to run a routing protocol such
>as OSPF across the VPN link, you will need to look at setting up a GRE
>tunnel to accomplish that purpose.  Needless to say, Cisco needs to do
>a better job of due diligence on this VPN solution.
>
>GWA
>
>Austin wrote:
>
> > I am looking for sample configs on PIX to PIX VPNs.


**
  Adam Quiggle
  Senior Network Engineer
  MCI Worldcom/NOC/BP Amoco
  [EMAIL PROTECTED]
**




RE: PIX VPNs

2000-11-20 Thread Rik Guyler

Try looking here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

Rik

-Original Message-
From: Austin [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 20, 2000 2:55 PM
To: [EMAIL PROTECTED]
Subject: PIX VPNs


I am looking for sample configs on PIX to PIX VPNs.






Re: PIX VPNs

2000-11-20 Thread AWTroxell

Take a look at the various sample configs listed below.  Hopefully, one will suit your needs:

http://www.cisco.com/warp/public/700/configsec.html

-Austin W. Troxell
CCNP MCNE MCSE


RE: PIX VPNs

2000-11-20 Thread Liwanag, Manolito

Austin,

Try this

http://www.cisco.com/warp/customer/110/38.html

-Original Message-
From: Austin [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 20, 2000 2:55 PM
To: [EMAIL PROTECTED]
Subject: PIX VPNs


I am looking for sample configs on PIX to PIX VPNs.






Re: PIX VPNs

2000-11-20 Thread Austin

Gentlemen,

You guys rock!!!

Many thanks!

"Austin" <[EMAIL PROTECTED]> wrote in message
news:8vc00g$j71$[EMAIL PROTECTED]...
> I am looking for sample configs on PIX to PIX VPNs.
>
>





Re: PIX, VPNs, Novell

2000-10-27 Thread WKelly

Is the Cisco client capable of NDS authentication ? Why eliminate BM at all?

BorderManager will work through a PIX, it depends on what BorderManager Services you
would need.  If you want to run BorderManager Proxy the Cisco will need to pass traffic
on port 80. If you want to run VPN Services through the Cisco the Bordermanager Server
would have to have a Routable, Valid IP address and the Cisco Firewall can not be
running NAT - though this restriction may not apply with BM 3.6 due soon. For Client to
site VPN the Cisco needs to be able to pass UDP and TCP port 353, UDP port 2010 and TCP
port 213 with a protocol ID of 57.

W Kelly

[EMAIL PROTECTED] wrote:

> I am so very glad someone wrote a post concerning VPNs and Novell.  I would
> like to add to it by inserting the Cisco PIX into the mix.  I would like to
> bring in a Cisco PIX Firewall and use it primarily as a 'VPN access server'
> using Cisco Secure VPN 1.1 as client software.  However, here at corporate
> we are using Novell NetWare 5.1 and BorderManager VPN software.  I would
> like to eliminate the BorderMangler in favor of the PIX.  How do I
> effectively establish VPN access through the PIX to this Novell network?
> How would authentication to the Novell Tree be accomplished through the
> PIX over a VPN tunnel?
>
> Any suggestions and/or tips anyone may have concerning this project would
> be most appreciated.
>
> Thank you,
> Raul De La Garza III
> CCNA NNCSS MCSE CNE
> Senior Network Engineer
> EmCare Incorporated
> Work 214.712.2085
> Mobile 817.991.7889
> FAX 214.712.2444
> Pager 877.270.9755
> e-mail: [EMAIL PROTECTED]
> "There is a disturbance in the force." -The Emperor
>
