PIX Firewall

```
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101
```
A complete configuration for a 3-interface setup would be:
PIX Firewall

```
pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
enable password YouReallyWish encrypted
passwd YouWish encrypted
hostname pixfirewall
domain-name mycompanydomain.dk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 14.36.100.30 mywebserver
name 14.36.100.31 mymailserver
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host mywebserver eq www
access-list acl_out permit tcp any host mymailserver eq smtp
access-list acl_out permit tcp any host mymailserver eq pop3
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip any any
!--- Access-list to avoid Network Address Translation (NAT)
!--- on the IPSec packets to hosts on the inside interface.
access-list acl_nonat2inside permit ip 172.18.124.0 255.255.255.0 10.1.2.0 255.255.255.0
!--- Access-list to avoid Network Address Translation (NAT)
!--- on the IPSec packets to hosts on the dmz interface.
access-list acl_nonat2dmz permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!--- Access-list used for split tunneling.
access-list acl_vpnclient_split permit ip 172.18.124.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_vpnclient_split permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!--- Access-list for access rights for the VPN Client.
access-list acl_vpnclient permit ip 10.1.2.0 255.255.255.0 172.18.124.0 255.255.255.0
access-list acl_vpnclient permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered informational
!--- Remember NOT to set interfaces to autosense.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 14.36.100.1 255.255.0.0
ip address inside 172.18.124.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
!--- Some extra intrusion detection taken from a
!--- book from Cisco.
ip audit name idsattack attack action alarm drop reset
ip audit name idsinfo info action alarm
ip audit interface outside idsinfo
ip audit interface outside idsattack
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm history enable
arp timeout 14400
global (outside) 1 14.36.100.51
global (dmz) 1 192.168.1.253
nat (inside) 0 access-list acl_nonat2inside
nat (inside) 1 172.18.124.0 255.255.255.0 0 0
nat (dmz) 0 access-list acl_nonat2dmz
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 14.36.100.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,dmz) 172.18.124.0 172.18.124.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 14.36.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
!--- Defining the AAA server as a RADIUS server and identifying
!--- the IP address.
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 172.18.124.196 cisco123 timeout 5
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set transsetdyn esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transsetdyn
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!--- Enables the PIX to launch the Xauth application on the VPN
!--- Client.
crypto map vpnmap client configuration address initiate
crypto map vpnmap client authentication partnerauth
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.1.2
vpngroup vpn3000 wins-server 10.1.1.2
vpngroup vpn3000 default-domain mycompanydomain.dk
vpngroup vpn3000 split-tunnel acl_vpnclient_split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3f9e31533911b8a6bb5c0f06900c2dbc
: end
[OK]
pixfirewall(config)#
```
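The configuration above ties three things together that have to agree for the VPN Client to reach the inside and dmz networks: the address pool handed out by `vpngroup ... address-pool`, the `nat (...) 0 access-list` exemptions that keep pool traffic away from NAT, and the `split-tunnel` access-list that tells the client which networks to send through the tunnel. When one of them drifts (a pool renumbered but the nat 0 ACL not updated, a subnet added to the split-tunnel ACL but not exempted from NAT) clients connect and authenticate fine but cannot reach hosts. The checker below is an added example, not Cisco's code or the page author's; it parses only the command forms used on this page (the `ip any any`/`host` forms of acl_out are skipped), works on a constructed excerpt of the page's configuration in which the dmz NAT-exemption ACL has been deliberately pointed at the wrong pool subnet, and reports that and any pool/interface overlap.

```python
"""Consistency checks for a PIX 6.x remote-access VPN configuration.

Added example (not Cisco's or the page author's code). It recognises only the
command forms that appear on the page: 'access-list NAME permit ip SRC MASK DST MASK',
'ip local pool NAME FIRST-LAST', 'nat (IF) 0 access-list NAME', 'ip address IF ADDR MASK'
and 'vpngroup NAME address-pool|split-tunnel VALUE'.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the VPN-related lines from the page's configuration, with one
# deliberate mistake: acl_nonat2dmz exempts 10.1.3.0/24 instead of the pool's 10.1.2.0/24.
SAMPLE_CONFIG = """
ip address outside 14.36.100.1 255.255.0.0
ip address inside 172.18.124.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
access-list acl_nonat2inside permit ip 172.18.124.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_nonat2dmz permit ip 192.168.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list acl_vpnclient_split permit ip 172.18.124.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_vpnclient_split permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
ip local pool ippool 10.1.2.1-10.1.2.254
nat (inside) 0 access-list acl_nonat2inside
nat (dmz) 0 access-list acl_nonat2dmz
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel acl_vpnclient_split
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")


def net(addr, mask):
    """PIX ACLs use dotted netmasks, which ipaddress accepts directly."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    cfg = {"acls": defaultdict(list), "pools": {}, "nat0": {},
           "ifaces": {}, "vpngroups": defaultdict(dict)}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            cfg["acls"][name].append((net(sa, sm), net(da, dm)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            cfg["nat0"][iface] = acl
        elif m := IFACE_RE.match(line):
            iface, addr, mask = m.groups()
            cfg["ifaces"][iface] = net(addr, mask)
        elif m := VPNGROUP_RE.match(line):
            group, key, value = m.groups()
            cfg["vpngroups"][group][key] = value
    return cfg


def check_vpn_config(cfg):
    """Return a list of human-readable findings; an empty list means the pieces agree."""
    findings = []
    for group, settings in cfg["vpngroups"].items():
        pool = cfg["pools"].get(settings.get("address-pool", ""))
        if pool is None:
            findings.append(f"{group}: address-pool missing or not defined")
            continue
        # The pool range expressed as CIDR blocks, so subnet tests are exact.
        pool_nets = list(ipaddress.summarize_address_range(*pool))
        # 1. The pool must not overlap a directly connected subnet (assumption:
        #    overlapping pools produce routing and proxy-ARP confusion on the PIX).
        for iface, subnet in cfg["ifaces"].items():
            if any(p.overlaps(subnet) for p in pool_nets):
                findings.append(f"{group}: pool overlaps {iface} subnet {subnet}")
        # 2. Every nat 0 ACL must exempt traffic to the whole pool, otherwise replies
        #    to clients are translated and the tunnel appears to work but carries nothing.
        for iface, acl in cfg["nat0"].items():
            dsts = [d for _, d in cfg["acls"].get(acl, [])]
            if not dsts:
                findings.append(f"nat ({iface}) 0 references undefined ACL {acl}")
            elif not all(any(p.subnet_of(d) for d in dsts) for p in pool_nets):
                findings.append(f"nat ({iface}) 0 ACL {acl} does not exempt the whole "
                                f"pool {pool[0]}-{pool[1]}")
        # 3. The networks the client tunnels should be exactly the NAT-exempted ones.
        split_acl = settings.get("split-tunnel")
        if split_acl:
            split_srcs = {s for s, _ in cfg["acls"].get(split_acl, [])}
            nat0_srcs = {s for acl in cfg["nat0"].values()
                         for s, _ in cfg["acls"].get(acl, [])}
            for extra in sorted(split_srcs - nat0_srcs):
                findings.append(f"{group}: {extra} is tunneled by {split_acl} but has no nat 0 exemption")
            for missing in sorted(nat0_srcs - split_srcs):
                findings.append(f"{group}: {missing} is NAT-exempted but not in {split_acl}")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the only finding is the dmz exemption that does not cover the pool; correct the destination back to 10.1.2.0/24 as on the page and the checker reports nothing. Running it over a `write terminal` dump after every change to the pool or the ACLs catches this class of mistake before a client has to.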
This is a very basic setup to use a Windows 2000 IAS server for RADIUS authentication of VPN users. If you require a more complex design, please contact Microsoft for assistance.
Note: These steps assume that IAS has already been installed on the local machine. If not, please add this through Control Panel > Add/Remove Programs.
aaa-server partnerauth (inside) host 172.18.124.196 cisco123 timeout 5

Note: cisco123 is the shared secret in this case.
Note: The VPN Client can only use this method for authentication.
Troubleshooting: If user authentication fails, try putting the domain in front of the user name, i.e. MYDOM\myusername instead of just myusername. This can be needed if the IAS server is in a different domain from the user account, or if the IAS server is a domain member and you are using a local user account on the IAS server.
If you have any questions or comment, please email me at ciscosupport@saltbaek.dk.
Good luck!
Some contents are Copyright © 2002 Cisco Systems, Inc. The rest: Bjarne Saltbaek, Kraks Forlag AS.