RE: [fw-wiz] Cisco Pix 515E Configuration

From: Bruce Smith (bruce_the_loon_at_worldonline.co.za)
Date: 12/07/04

  • Next message: Eric Gunnett: "RE: [fw-wiz] Cisco Pix 515E Configuration"
    To: "'Eric Gunnett'" <eric@zoovy.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 7 Dec 2004 23:15:55 +0200
    
    

    Hi Eric

    As far as I am aware, the PIX will not route out via the same interface the
    packet came in on. For example, if I connect to our VPN from the Internet, I
    cannot get direct access to the Internet unless I use the proxy server
    inside the network. If I am wrong on this, can someone tell me what I've
    misconfigured?

    So the ability for the two VPN clients to connect via the IP phone switch
    depends on how the system works. If all traffic is routed explicitly to the
    phone switch and out, you shouldn't have a problem if all ACLs are set up
    correctly to allow the IP phone traffic. If the system only uses the switch
    to set up the call and then the two hosts begin talking directly to each
    other, as Skype does and a couple of IP phone systems I've seen, then I
    guess you're buggered. But before you give up, if the IP phones talk
    directly, check whether the software can be configured to route all traffic
    via the phone switch.

    Regards

    Bruce Smith
    Firewall Administrator
    Port Elizabeth Technikon

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Eric Gunnett
    Sent: 03 December 2004 11:33 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Cisco Pix 515E Configuration

            I am hoping someone can help me with this problem. I have a Cisco
    515E with 6.3 on it. I have configured the PIX for VPN connections with
    authentication through RADIUS. My connections from Client -> PIX ->
    Internal Network work great. But we are using a phone switch that is trying
    to pass off the IP phone connection between two clients that are connected
    through the PIX, such as VPN Client 1 -> PIX -> VPN Client 2. Is this
    possible? I have attached my config below.

    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 10baset
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8eATWrVtoJW4T5CL encrypted
    passwd BGogFIdB6jmwTyg7 encrypted
    hostname PIX
    domain-name example.com
    clock timezone PDT -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    no fixup protocol h323 h225 1720
    no fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 443
    fixup protocol http 8080
    no fixup protocol rsh 514
    no fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    no fixup protocol tftp 69
    names
    access-list acl_outbound permit tcp any any
    access-list acl_outbound permit ip any any
    access-list acl_outbound permit udp any any
    access-list acl_outbound permit icmp any any
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
    access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
    access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
    access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
    access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
    access-list 80 permit ip 192.168.99.0 255.255.255.0 any
    access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    pager lines 40
    logging on
    logging timestamp
    logging monitor notifications
    logging trap notifications
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.67.68.69 255.255.255.224
    ip address inside 192.168.99.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN 192.168.99.50-192.168.99.75
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no pdm history enable
    arp timeout 14400
    global (outside) 1 63.108.93.25
    nat (inside) 0 access-list 80
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    access-group acl_outbound in interface outside
    route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
    route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
    aaa-server LOCAL protocol local
    aaa-server local protocol radius
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
    ntp server 130.126.24.24 source outside
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client configuration address initiate
    crypto map outside_map client authentication partnerauth
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp client configuration address-pool local VPN outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash md5
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    vpngroup group idle-time 1800
    vpngroup enable idle-time 1800
    vpngroup Developers address-pool VPN
    vpngroup Developers idle-time 1800
    vpngroup Developers device-pass-through
    telnet timeout 1
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 15
    terminal width 80
    Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
    : end

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
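As an added illustration (not code from the thread, from Cisco, or from either poster), the following Python script models the two points the exchange turns on: the inbound ACL bound to the outside interface, and the rule Bruce describes, that the PIX will not send a packet back out the interface it arrived on. It parses a constructed subset of Eric's posted configuration, one directive per line. One modelling assumption is stated in the code: an address taken from the VPN address pool is treated as reachable through the tunnel on the crypto-map interface rather than through the routing table. All function names are the example's own.

```python
"""Simplified PIX 6.3 forwarding model built from a subset of the posted
configuration.  Added example; it is not the firewall's real code path."""
import ipaddress

# Constructed subset of the configuration posted in the thread.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_outbound permit tcp any any
access-list acl_outbound permit ip any any
access-list acl_outbound permit udp any any
access-list acl_outbound permit icmp any any
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip local pool VPN 192.168.99.50-192.168.99.75
access-group acl_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
crypto map outside_map interface outside
"""


def parse_config(text):
    """Pull interfaces, routes, ACLs, access-groups, pools and the crypto-map
    interface out of a PIX 6.3 style config (only the directives we model)."""
    cfg = {"ifaces": {}, "routes": [], "acls": {}, "groups": {},
           "pools": {}, "crypto_iface": None}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "route":
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":
            cfg["groups"][(t[4], t[2])] = t[1]      # (interface, direction) -> ACL
        elif t[:2] == ["crypto", "map"] and "interface" in t:
            cfg["crypto_iface"] = t[t.index("interface") + 1]
    return cfg


def egress_interface(cfg, dst):
    """Interface a packet to dst leaves on.  Assumption (not from the thread):
    a pool address is reached through the tunnel on the crypto-map interface;
    everything else is a longest-prefix match over connected and static routes."""
    ip = ipaddress.ip_address(dst)
    for lo, hi in cfg["pools"].values():
        if lo <= ip <= hi and cfg["crypto_iface"]:
            return cfg["crypto_iface"]
    candidates = [(net, name) for name, net in cfg["ifaces"].items()]   # connected
    candidates += [(net, name) for name, net in cfg["routes"]]           # static
    best = max((c for c in candidates if ip in c[0]),
               key=lambda c: c[0].prefixlen, default=None)
    return best[1] if best else None


def _match(tokens, ip):
    """Match one ACL address spec (any | host A | NET MASK); return (hit, consumed)."""
    if tokens[0] == "any":
        return True, 1
    if tokens[0] == "host":
        return ip == ipaddress.ip_address(tokens[1]), 2
    return ip in ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def acl_permits(cfg, acl_name, proto, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in cfg["acls"].get(acl_name, []):
        action, eproto, rest = entry[0], entry[1], entry[2:]
        if eproto not in ("ip", proto):
            continue
        hit_s, n = _match(rest, s)
        hit_d, _ = _match(rest[n:], d)
        if hit_s and hit_d:
            return action == "permit"
    return False


def check_flow(cfg, proto, src, dst, ingress):
    """Apply the ingress interface's inbound ACL, then the same-interface rule
    Bruce describes: a packet whose egress equals its ingress is not forwarded."""
    acl = cfg["groups"].get((ingress, "in"))
    if acl and not acl_permits(cfg, acl, proto, src, dst):
        return {"forwarded": False, "reason": f"denied by {acl}", "egress": None}
    egress = egress_interface(cfg, dst)
    if egress == ingress:
        return {"forwarded": False, "reason": "egress == ingress", "egress": egress}
    return {"forwarded": True, "reason": "ok", "egress": egress}


def permissive_inbound_acls(cfg):
    """Audit check: inbound ACLs that contain 'permit ip any any'."""
    return [(iface, acl) for (iface, direction), acl in cfg["groups"].items()
            if direction == "in"
            for e in cfg["acls"].get(acl, []) if e[:4] == ["permit", "ip", "any", "any"]]


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print(check_flow(cfg, "tcp", "192.168.99.56", "192.168.1.12", "outside"))
    print(check_flow(cfg, "udp", "192.168.99.56", "192.168.99.57", "outside"))
    print(permissive_inbound_acls(cfg))
```

Under this model the Client -> PIX -> Internal Network flow enters on outside and leaves on inside, so it is forwarded, while VPN Client 1 -> PIX -> VPN Client 2 enters and would leave on outside and is dropped, which is the behaviour Bruce describes. The audit function also reports that acl_outbound, bound inbound on the outside interface, contains permit ip any any; since the VPN traffic is already admitted by sysopt connection permit-ipsec, a defender would want that ACL narrowed to whatever cleartext inbound traffic is actually required.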
