Re: [fw-wiz] Cisco Pix 515E Configuration
sanford.reed_at_cox.net
Date: 12/06/04
- Previous message: Chris Pugrud: "RE: [fw-wiz] Defense in Depth to the Desktop"
- Maybe in reply to: Eric Gunnett: "[fw-wiz] Cisco Pix 515E Configuration"
- Next in thread: Bruce Smith: "RE: [fw-wiz] Cisco Pix 515E Configuration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Eric Gunnett" <eric@zoovy.com>, <firewall-wizards@honor.icsalabs.com>
Date: Mon, 6 Dec 2004 12:59:49 -0500
I have used the PIX VPN Client/tunnel to support Avaya IP Softphone clients. In that case the client user had to configure his IP softphone to specifically use the IP assigned to the VPN tunnel.
Comparing that config with yours, I suggest some changes:
1. Re-enable the fixup on the h323 - that is the VOIP standard and is probably being used by your IP phones.
2. You may have to re-enable the sip udp fixup. Some IP phones use it for control signaling.
Sanford Reed
(V) 757.406.7067
(mailto: sanford.reed@cox.net)
>
> From: "Eric Gunnett" <eric@zoovy.com>
> Date: 2004/12/03 Fri PM 04:32:54 EST
> To: <firewall-wizards@honor.icsalabs.com>
> Subject: [fw-wiz] Cisco Pix 515E Configuration
>
> I am hoping someone can help me with this problem. I have a Cisco 515E with 6.3 on it. I have configured the pix for vpn connections with authentication through a radius. My connections from Client -> Pix -> Internal Network work great. But we are using a phone switch that is trying to pass off the ip phone connection between two clients that are connected through the pix, such as VPN Client 1 -> Pix -> VPN Client 2; is this possible? I have attached my config below.
>
> PIX Version 6.3(3)
> interface ethernet0 10baset
> interface ethernet1 10baset
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 8eATWrVtoJW4T5CL encrypted
> passwd BGogFIdB6jmwTyg7 encrypted
> hostname PIX
> domain-name example.com
> clock timezone PDT -8
> clock summer-time PDT recurring
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> no fixup protocol h323 h225 1720
> no fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol http 443
> fixup protocol http 8080
> no fixup protocol rsh 514
> no fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> no fixup protocol skinny 2000
> no fixup protocol smtp 25
> no fixup protocol sqlnet 1521
> no fixup protocol tftp 69
> names
> access-list acl_outbound permit tcp any any
> access-list acl_outbound permit ip any any
> access-list acl_outbound permit udp any any
> access-list acl_outbound permit icmp any any
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
> access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
> access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
> access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
> access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
> access-list 80 permit ip 192.168.99.0 255.255.255.0 any
> access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
> pager lines 40
> logging on
> logging timestamp
> logging monitor notifications
> logging trap notifications
> icmp permit any outside
> icmp permit any inside
> mtu outside 1500
> mtu inside 1500
> ip address outside 66.67.68.69 255.255.255.224
> ip address inside 192.168.99.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool VPN 192.168.99.50-192.168.99.75
> no failover
> failover timeout 0:00:00
> failover poll 15
> no failover ip address outside
> no failover ip address inside
> no pdm history enable
> arp timeout 14400
> global (outside) 1 63.108.93.25
> nat (inside) 0 access-list 80
> nat (inside) 1 192.168.1.0 255.255.255.0 0 0
> access-group acl_outbound in interface outside
> route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
> route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server radius-authport 1812
> aaa-server radius-acctport 1813
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
> aaa-server LOCAL protocol local
> aaa-server local protocol radius
> aaa-server partnerauth protocol radius
> aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
> ntp server 130.126.24.24 source outside
> snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
> crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client configuration address initiate
> crypto map outside_map client authentication partnerauth
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
> isakmp client configuration address-pool local VPN outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption aes-256
> isakmp policy 20 hash md5
> isakmp policy 20 group 5
> isakmp policy 20 lifetime 86400
> vpngroup group idle-time 1800
> vpngroup enable idle-time 1800
> vpngroup Developers address-pool VPN
> vpngroup Developers idle-time 1800
> vpngroup Developers device-pass-through
> telnet timeout 1
> ssh 192.168.1.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 15
> terminal width 80
> Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
> : end
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
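The reply above comes down to one check: which of the VoIP fixups (PIX 6.x's application inspection engines) the quoted config has turned off. The script below is an added example for this thread, not Cisco code and not the poster's tooling. It parses `fixup protocol` / `no fixup protocol` lines from a PIX 6.x config (the sample is the fixup block from the quoted config, trimmed), reports which VoIP fixups are absent or disabled, and prints the CLI lines that would re-enable them using the port arguments already on the config's own `no fixup` lines. The reply names h323 and sip udp; skinny (Cisco's SCCP phone protocol) is included here as an assumption, because the quoted config lists it too, and the sub-keyword list (`h225`, `ras`, `udp`) is likewise an assumption sufficient for these fixups.

```python
"""Audit a PIX 6.x configuration for disabled VoIP fixups.

Added example for this thread; not Cisco code and not the poster's config tool.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the fixup lines from the PIX 6.3(3) config quoted in the
# thread, with the rest of the config trimmed away.
SAMPLE_CONFIG = """\
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
"""

# Fixups an IP-phone deployment behind a PIX is likely to need: H.323 (call
# setup and RAS), SIP over TCP and UDP, and Cisco's own Skinny/SCCP. The
# reply in the thread names h323 and sip udp; skinny is added here because
# the quoted config lists it too (assumption: Cisco phones in use).
VOIP_FIXUPS = ("h323 h225", "h323 ras", "sip", "sip udp", "skinny")

# Sub-keywords PIX 6.x places between the protocol name and the port
# (assumed list; enough for the fixups above).
SUB_KEYWORDS = {"h225", "ras", "udp"}

# Accepts an optional leading "> " so the quoted archive text can be fed in as-is.
FIXUP_RE = re.compile(
    r"^\s*(?:>\s*)?(?P<neg>no\s+)?fixup\s+protocol\s+(?P<rest>\S.*?)\s*$"
)


def parse_fixups(config_text: str) -> Dict[str, List[Tuple[bool, str]]]:
    """Map each fixup key ("h323 h225", "sip udp", "http", ...) to the list of
    (enabled, arguments) entries found for it, in configuration order.

    "no fixup protocol h323 h225 1720" -> {"h323 h225": [(False, "1720")]}
    Two "fixup protocol http ..." lines keep both ports, as the PIX does.
    """
    fixups: Dict[str, List[Tuple[bool, str]]] = {}
    for line in config_text.splitlines():
        m = FIXUP_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        key_len = 2 if len(tokens) > 1 and tokens[1] in SUB_KEYWORDS else 1
        key = " ".join(tokens[:key_len])
        args = " ".join(tokens[key_len:])
        fixups.setdefault(key, []).append((m.group("neg") is None, args))
    return fixups


def disabled_voip_fixups(config_text: str) -> List[str]:
    """VoIP fixups that are absent or carry only 'no fixup' lines."""
    fixups = parse_fixups(config_text)
    return [key for key in VOIP_FIXUPS
            if not any(enabled for enabled, _ in fixups.get(key, []))]


def reenable_commands(config_text: str) -> List[str]:
    """CLI lines that would re-enable the disabled VoIP fixups, reusing the
    port arguments already present on the config's own 'no fixup' lines.
    Fixups with no line at all are skipped: their port is not known."""
    fixups = parse_fixups(config_text)
    commands: List[str] = []
    for key in disabled_voip_fixups(config_text):
        for _enabled, args in fixups.get(key, []):
            commands.append(f"fixup protocol {key} {args}".rstrip())
    return commands


if __name__ == "__main__":
    for key in disabled_voip_fixups(SAMPLE_CONFIG):
        print(f"disabled VoIP fixup: {key}")
    for cmd in reenable_commands(SAMPLE_CONFIG):
        print(cmd)
```

Run against the sample, it flags `h323 h225`, `h323 ras` and `skinny` as disabled and emits the three `fixup protocol ...` lines that would turn them back on; `sip` and `sip udp` are reported as already enabled, which matches the quoted config. Feeding a full `show running-config` (or the `> `-quoted archive text) works the same way, since every non-fixup line is ignored.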