Velocity Reviews - Computer Hardware Reviews

ACL on the DMZ does not affect VPN Users.

 
 
Eddie, 05-24-2004
Hello.

I am trying to set up an ACL so that select VPN clients (most of them) can
only get to the DMZ and only to selected ports. This is with a bunch of PIX
501s and a 515E. (Some 501s will have direct access to the internal network
for work-at-home users, but I have not got that figured out yet.)

I don't want to limit the VPN tunnel because I want full access to the
VPN clients from the internal side of the network.

My config for the 515 is below. Everything seems to match access-list 80,
which is used to bring up the VPN connection, and skips over access-list 70
applied to the dmz port.

Any pointers?
Thanks,
Eddie

:###########################################################
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

hostname RSC
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
names
pager lines 24
no logging on

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto


mtu outside 1500
mtu inside 1500
mtu dmz 1500

ip address outside 200.200.200.215 255.255.255.0
ip address inside 172.16.1.5 255.255.0.0
ip address dmz 172.30.1.1 255.255.0.0


arp timeout 14400

:Store 201
access-list 80 permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
nat 0 access-list 80


:Needed so the clients on the VPN can talk to the servers on the DMZ
static (dmz,outside) 172.30.0.0 172.30.0.0


:######################################################
:ACL for DMZ systems
:We will also need to give the DMZ limited internet access.

:Limited Access from Stores
access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 80
access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 8080
access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 22
access-list 70 permit udp any 172.30.0.0 255.255.0.0 eq 53

:Full Access from office
access-list 70 permit ip 172.16.0.0 255.255.0.0 any

:We do like to ping
access-list 70 permit icmp any any echo-reply

:Deny everything else
access-list 70 deny ip any any

:Lets try it
access-group 70 in interface dmz
:###################################################



nat (inside) 1 0 0

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 200.200.200.210

no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default


timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256

:Store201
crypto map ToStore201 10 ipsec-isakmp
crypto map ToStore201 10 match address 80
crypto map ToStore201 10 set peer 200.200.200.201
crypto map ToStore201 10 set transform-set strong
crypto map ToStore201 interface outside

isakmp enable outside
isakmp key cisco1234 address 200.200.200.201 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes-256

logg c 7
logg on
 
Walter Roberson, 05-24-2004
In article <(E-Mail Removed) >,
Eddie <(E-Mail Removed)> wrote:
:I am trying setup an ACL so that select VPN clients (most of them) can
:only get to the DMZ and only to selected ports.

:My config for the 515 is below. Everything seems to match the access-list
:80 used to bring up the VPN connection and skips over access-list 70
:applied to the dmz port.

:access-list 80 permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
:nat 0 access-list 80

:crypto map ToStore201 10 match address 80

Do not use the same access-list for both nat 0 and for crypto map.
If your nat 0 list happens to have the same contents as your crypto
map access-list, then use two different lists that have the same
entries.

The reason you need to do this is that the access-lists get altered
internally to implement adaptive security, so your SAs get messed up.
--
Those were borogoves and the momerathsoutgrabe completely mimsy.
 
Eddie, 05-24-2004
Oh, ok. I got that example from Cisco's site.

Then do I want to put the ACL that controls access on the nat 0?

Thanks
Eddie
 
Eddie, 05-25-2004
After a bunch of searching, I found out I have to remove "sysopt connection
permit-ipsec" for it to apply the ACL to the VPN interface.

But now I get "No Translation group found" errors and nothing I put for a
static line does anything.

-oh joy
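The behaviour Eddie ran into, modelled as an added example (not code from the thread, from Cisco, or from the PIX itself): a small PIX-style ACL evaluator that parses access-list 70 as posted above and checks sample flows with first-match semantics, with a flag that models `sysopt connection permit-ipsec` skipping the interface ACL for decrypted IPsec traffic. It assumes the ACL is applied inbound on the interface where the VPN traffic enters the PIX (an `access-group ... in interface dmz` only sees packets arriving from DMZ hosts), it ignores ICMP types, and the flow addresses used with it are constructed.

```python
import ipaddress

# access-list 70 as posted in the thread (embedded here as constructed input)
ACL_70 = """
access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 80
access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 8080
access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 22
access-list 70 permit udp any 172.30.0.0 255.255.0.0 eq 53
access-list 70 permit ip 172.16.0.0 255.255.0.0 any
access-list 70 permit icmp any any echo-reply
access-list 70 deny ip any any
"""

def _net(tokens):
    """Consume 'any' or 'address mask' (PIX 6.x syntax) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return [(action, proto, src_net, dst_net, dst_port)] in configured order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # skip blank and ':' comment lines
        src, rest = _net(t[4:])
        dst, rest = _net(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # icmp types ignored
        rules.append((t[2], t[3], src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port=None,
             via_ipsec=False, sysopt_permit_ipsec=True):
    """First-match lookup like a PIX interface ACL, ending in the implicit deny.
    With 'sysopt connection permit-ipsec' on, decrypted IPsec traffic is never
    checked against the interface ACL, which is what the thread observed."""
    if via_ipsec and sysopt_permit_ipsec:
        return "permit", "sysopt connection permit-ipsec bypasses the interface ACL"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, start=1):
        if rproto != "ip" and rproto != proto:
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action, f"matched line {n}"
    return "deny", "implicit deny"
```

Call `evaluate(parse_acl(ACL_70), "tcp", "172.20.201.10", "172.30.1.20", 3389, via_ipsec=True)` with and without `sysopt_permit_ipsec=False` to see the bypass versus the deny on line 7.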




On Mon, 24 May 2004 12:11:47 -0700, Eddie wrote:

> Hello.
>
> I am trying setup an ACL so that select VPN clients (most of them) can
> only get to the DMZ and only to selected ports. This is with a bunch of
> PIX 501 and a 515E. (Some 501 will have direct access to the internal
> network for work at home users, but I have not got that figure out yet)
>
> I don't want to limit the VPN tunnel because I want full access to the
> VPN clients from the internal side of the network.
>
> My config for the 515 is below. Everything seems to match the
> access-list 80 used to bring up the VPN connection and skips over
> access-list 70 applied to the dmz port.
>
> Any pointers?
> Thanks,
> Eddie
>
> ################################################## ######### nameif
> ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
>
> hostname RSC
> domain-name example.com
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol smtp 25
> names
> pager lines 24
> no logging on
>
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
>
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
>
> ip address outside 200.200.200.215 255.255.255.0 ip address inside
> 172.16.1.5 255.255.0.0 ip address dmz 172.30.1.1 255.255.0.0
>
>
> arp timeout 14400
>
> :Store 201
> access-list 80 permit ip 172.30.0.0 255.255.0.0 172.20.201.0
> 255.255.255.0 nat 0 access-list 80
>
>
> ::Needed so the clients on the VPN can talk to the servers on the DMZ
> static (dmz,outside) 172.30.0.0 172.30.0.0
>
>
> :################################################# #### ACL for DMZ
> :systems
> :We will also need to give the DMZ limited internet access.
>
> :Limited Access from Stores
> access-list 70 permit tcp any 172.30.0.0 255.255.0.0 eq 80 access-list
> 70 permit tcp any 172.30.0.0 255.255.0.0 eq 8080 access-list 70 permit
> tcp any 172.30.0.0 255.255.0.0 eq 22 access-list 70 permit udp any
> 172.30.0.0 255.255.0.0 eq 53
>
> :Full Access from office
> access-list 70 permit ip 172.16.0.0 255.255.0.0 any
>
> :We do like to ping
> access-list 70 permit icmp any any echo-reply
>
> eny everything else
> access-list 70 deny ip any any
>
> :Lets try it
> access-group 70 in interface dmz
> :################################################# #
>
>
>
> nat (inside) 1 0 0
>
> global (outside) 1 interface
>
> route outside 0.0.0.0 0.0.0.0 200.200.200.210
>
> no rip outside passive
> no rip outside default
> no rip inside passive
> no rip inside default
> no rip dmz passive
> no rip dmz default
>
>
> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
>
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-aes-256
>
> :Store201
> crypto map ToStore201 10 ipsec-isakmp crypto map ToStore201 10 match
> address 80 crypto map ToStore201 10 set peer 200.200.200.201 crypto map
> ToStore201 10 set transform-set strong crypto map ToStore201 interface
> outside
>
> isakmp enable outside
> isakmp key cisco1234 address 200.200.200.201 netmask 255.255.255.255
> isakmp policy 8 authentication pre-share isakmp policy 8 encryption
> aes-256
>
> logg c 7
> logg on

 
Reply With Quote
 
Walter Roberson
Guest
Posts: n/a
 
      05-25-2004
In article <(E-Mail Removed) >,
Eddie <(E-Mail Removed)> wrote:
:After a bunch of searching, I found out I have to remove "sysopt connection
:permit-ipsec" for it to apply the ACL to the VPN interface.

:But now I get "No Translation group found" errors and nothing I put for a
:static line does anything.

:> nat (inside) 1 0 0

:> global (outside) 1 interface

I notice you don't have a nat (dmz), and you don't have a global (dmz).
The nat (dmz) is needed to allow the dmz to talk to the outside unless
everything in the dmz is static (dmz,outside) or nat (dmz) 0 access-list'd.
The global (dmz) is needed to allow the inside to talk to the dmz unless
everything on the inside is static (inside,dmz) or
nat (inside) 0 access-list'd.
--
Inevitably, someone will flame me about this .signature.
 
Eddie, 05-26-2004
Thanks for the tip. I have not gotten to setting up PAT for the DMZ to
outside yet. Everything else is static with nat 0 and access list.


Eddie


