[fw-wiz] Cisco Pix 515E Configuration

From: Eric Gunnett (eric_at_zoovy.com)
Date: 12/03/04

  • Next message: Mark Teicher: "RE: [fw-wiz] Antivirus vendor conspiracy theories"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 03 Dec 2004 13:32:54 -0800
    
    

I am hoping someone can help me with this problem. I have a Cisco 515E with 6.3 on it. I have configured the pix for vpn connections with authentication through a radius. My connections from Client -> Pix -> Internal Network work great. But we are using a phone switch that is trying to pass off the ip phone connection between two clients that are connected through the pix, such as VPN Client 1 -> Pix -> VPN Client 2. Is this possible? I have attached my config below.

    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 10baset
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8eATWrVtoJW4T5CL encrypted
    passwd BGogFIdB6jmwTyg7 encrypted
    hostname PIX
    domain-name example.com
    clock timezone PDT -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    no fixup protocol h323 h225 1720
    no fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 443
    fixup protocol http 8080
    no fixup protocol rsh 514
    no fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    no fixup protocol tftp 69
    names
    access-list acl_outbound permit tcp any any
    access-list acl_outbound permit ip any any
    access-list acl_outbound permit udp any any
    access-list acl_outbound permit icmp any any
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
    access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
    access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
    access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
    access-list 80 permit ip 192.168.99.0 255.255.255.0 any
    access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    pager lines 40
    logging on
    logging timestamp
    logging monitor notifications
    logging trap notifications
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.67.68.69 255.255.255.224
    ip address inside 192.168.99.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN 192.168.99.50-192.168.99.75
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no pdm history enable
    arp timeout 14400
    global (outside) 1 63.108.93.25
    nat (inside) 0 access-list 80
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    access-group acl_outbound in interface outside
    route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
    route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
    aaa-server LOCAL protocol local
    aaa-server local protocol radius
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
    ntp server 130.126.24.24 source outside
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client configuration address initiate
    crypto map outside_map client authentication partnerauth
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp client configuration address-pool local VPN outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash md5
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    vpngroup group idle-time 1800
    vpngroup enable idle-time 1800
    vpngroup Developers address-pool VPN
    vpngroup Developers idle-time 1800
    vpngroup Developers device-pass-through
    telnet timeout 1
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 15
    terminal width 80
    Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
    : end

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
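Added example, not code from the post above or from Cisco: a small Python script that reads configuration in the PIX 6.x style shown in the post and reports the items a reviewer would raise from the posted lines themselves: an access-list that permits any-to-any and is bound inbound on the outside interface, an ISAKMP pre-shared key accepted from any peer address, an MD5 ISAKMP hash, ICMP to the firewall from any external host, a nat 0 exemption whose destination is any, and a VPN address pool that lies inside the inside interface's subnet. SAMPLE_CONFIG is a constructed excerpt of the posted configuration. The script is a static check only; the client-to-client question itself turns on how the PIX forwards traffic that must leave through the interface it arrived on, which no configuration linter can settle.

```python
"""Static review of a PIX 6.x configuration (added example, not from the post or Cisco)."""
import ipaddress

# Constructed excerpt of the configuration posted above (a subset of its lines).
SAMPLE_CONFIG = """\
access-list acl_outbound permit tcp any any
access-list acl_outbound permit ip any any
access-list acl_outbound permit udp any any
access-list acl_outbound permit icmp any any
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 80 permit ip 192.168.99.0 255.255.255.0 any
icmp permit any outside
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip local pool VPN 192.168.99.50-192.168.99.75
nat (inside) 0 access-list 80
access-group acl_outbound in interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 hash md5
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _take_addr(t, i):
    """Consume one PIX address spec at t[i]: 'any', 'host A', or 'A MASK'."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(tokens):
    """tokens = the words after 'access-list NAME'; trailing port qualifiers are ignored."""
    src, i = _take_addr(tokens, 2)
    dst, _ = _take_addr(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst}


def parse_config(text):
    """Pull out only the statements the checks below need; everything else is skipped."""
    cfg = {"acls": {}, "access_groups": {}, "pools": {}, "nat0": {},
           "isakmp_keys": [], "isakmp_hash": [], "icmp": [], "interfaces": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":            # access-group NAME in interface IFACE
            cfg["access_groups"][t[4]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:  # ip local pool NAME LO-HI
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif t[:2] == ["ip", "address"]:        # ip address IFACE ADDR MASK
            cfg["interfaces"][t[2]] = ipaddress.IPv4Interface(f"{t[3]}/{t[4]}")
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]   # nat (IFACE) 0 access-list NAME
        elif t[:2] == ["isakmp", "key"]:        # isakmp key K address A netmask M
            cfg["isakmp_keys"].append((t[4], t[6]))
        elif t[:2] == ["isakmp", "policy"] and t[3] == "hash":
            cfg["isakmp_hash"].append((t[2], t[4]))
        elif t[:2] == ["icmp", "permit"]:       # icmp permit SRC [MASK] [TYPE] IFACE
            cfg["icmp"].append((t[2], t[-1]))
    return cfg


def lint(cfg):
    """Return (severity, message) findings; severities are high, review and low."""
    out = []
    for iface, acl in cfg["access_groups"].items():
        for ace in cfg["acls"].get(acl, []):
            a = parse_ace(ace)
            if a["action"] == "permit" and a["src"] == ANY and a["dst"] == ANY:
                # Any-to-any inbound on the outside interface admits the whole Internet.
                sev = "high" if iface == "outside" else "review"
                out.append((sev, f"{acl} bound inbound on {iface} permits {a['proto']} any any"))
    for addr, mask in cfg["isakmp_keys"]:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            out.append(("review", "isakmp pre-shared key is accepted from any peer address"))
    for pol, h in cfg["isakmp_hash"]:
        if h == "md5":
            out.append(("low", f"isakmp policy {pol} uses hash md5"))
    for src, iface in cfg["icmp"]:
        if src == "any" and iface == "outside":
            out.append(("low", "firewall answers ICMP from any host on outside"))
    for iface, acl in cfg["nat0"].items():
        for ace in cfg["acls"].get(acl, []):
            if parse_ace(ace)["dst"] == ANY:
                # nat 0 exempts matching traffic from translation for every destination.
                out.append(("review", f"nat ({iface}) 0 exemption {acl} has an any destination: " + " ".join(ace)))
    for name, (lo, hi) in cfg["pools"].items():
        for iface, addr in cfg["interfaces"].items():
            if lo in addr.network or hi in addr.network:
                out.append(("review", f"VPN pool {name} lies inside the {iface} subnet {addr.network}"))
    return out


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in lint(parse_config(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run against the excerpt it reports nine findings: four high (every permit any any in acl_outbound, which is applied inbound on outside), three for review, two low. The wildcard pre-shared key is reported for review rather than as a defect because a PIX 6.x remote-access setup with dynamic peers relies on it; the point of the check is that the reviewer sees it and confirms it is intended.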


