Velocity Reviews - Computer Hardware Reviews

Please help with Pix 501

 
 
millsusaf
10-30-2005
Ladies and Gents I need some help. I know Cisco switches, 6500 series,
RSMs, Cisco APs and 3000 series Concentrators pretty well, but this Pix
Firewall/VPN is kicking my butt. I have no experience with firewalls
and very limited experience with ACLs. Please help, I have searched
and read and read but it is just not coming together for me. It is
times like these that I question if I am in the wrong career. Here is
my network and what I am trying to accomplish.

Network:
Cable modem to Pix 501, (outside int DHCP)(running 6.3(1) code)
Pix to my network (inside int 192.168.69.1/24)
Network is 192.168.69.X/24

On said network I have the following:
3 PCs, a Linksys AP, Vonage Router, an XP Pro PC with an FTP server
running, some internet IP cameras and a few other things. I am using a
Cisco VPN client to VPN in.

And this is what I am trying to accomplish:
I travel a little and want to be able to get to my network resources at
home while on the road. I want to be able to VPN into my home network
from any IP, and get to my FTP server, IP cameras, telnet to
AP/Vonage/Pix, and PCs via Remote Assistance/Remote Desktop (basically
just like I were at home). I also would like to keep everything
blocked coming into my network except ICMP requests/replies and of
course a VPN tunnel or two (for family to be able to VPN in for
pictures, etc). As far as outgoing traffic, I am not worried about
blocking anything. I also run a DHCP server (192.168.69.100-120) on
the Pix for everything on the network. It doesn't matter to me what ip
range the tunnels get as long as they can do everything above.

With my current config I am able to get the VPN tunnel up and can get
to my IP cameras but that is it. No ping, telnet, no access to FTP,
nothing else. It is driving me nuts. Below is my current half working
config. Please help me.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname MillsVPN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ipool 172.26.69.10-172.26.69.25
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MillsVPN address-pool ipool
vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
vpngroup MillsVPN idle-time 6000
vpngroup MillsVPN password XXXXXXXX
vpngroup dns-server idle-time 1800
telnet 192.168.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.69.100-192.168.69.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1e6e58b0056882b0a6f5580abaf8d33d
: end
MillsVPN#

 
Walter Roberson
10-30-2005
In article <. com>,
millsusaf <> wrote:
>Network:
>Cable modem to Pix 501, (outside int DHCP)(running 6.3(1) code)


You should upgrade to a 6.3(4) due to security issues. The upgrade
is free even if you have no support contract.

>And this is what I am trying to accomplish:
>I travel a little and want to be able to get to my network resources at
>home while on the road.


How will you deal with the changing IP address of your outside
interface? DHCP'd outside addresses are somewhat incompatible with
acting as a VPN server.

> I want to be able to VPN into my home network
>from any IP, and get to my FTP server, IP cameras, telnet to
>AP/Vonage/Pix, and PCs via Remote Assistance/Remote Desktop (basically
>just like I were at home). I also would like to keep everything
>blocked coming into my network except ICMP requests/replies and of
>course a VPN tunnel or two (for family to be able to VPN in for
>pictures, etc).


In order to implement the restrictions above, you will need to
remove your sysopt connection permit-ipsec statement (which permits
ipsec traffic to connect to everything) and instead add in the
appropriate restrictions to your outside ACL.


>With my current config I am able to get the VPN tunnel up and can get
>to my IP cameras but that is it. No ping, telnet, no access to FTP,
>nothing else.


>ip local pool ipool 172.26.69.10-172.26.69.25


That's possibly the cause of your trouble. Look at the 'mask'
parameter.
http://www.cisco.com/univercd/cc/td/....htm#wp1027172

>crypto ipsec transform-set myset esp-des esp-md5-hmac


>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash md5
>isakmp policy 10 group 2


>vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64


The dns servers you are setting are in the USA. If you are living
in the USA then unless you are a banned person you are entitled to
a free 3DES / AES license key. [The other encryption provisions about
possibly being a national of an enemy country, have to do with
-exporting- encryption from the USA.] On the other hand, you did not
mention where you travel to... traveling outside USA with your VPN client
is "exporting" for which there are special considerations...
--
"It is important to remember that when it comes to law, computers
never make copies, only human beings make copies. Computers are given
commands, not permission. Only people can be given permission."
-- Brad Templeton
 
millsusaf
10-30-2005
->The only code I can find on Cisco is 6.3(5) and from what I have read
it is the latest code for the Pix 501. Is this right? I would hate to
load the wrong code. Looking for confirmation.

http://www.cisco.com/en/US/partner/p...d.html#wp23144

->I know that the DHCP outside int isn't ideal, but my cable modem bill
would more than double for a static, so unfortunately I have to deal
with it. I am getting around it this way: if I can't connect (once it is
working totally) I will have the wife check on the IP by telnetting to the PIX
and using the show IP command, getting that new address and changing it in my
VPN client.

-> >ip local pool ipool 172.26.69.10-172.26.69.25
As for the ip mask, I read the doc and, the way I read it, it states
that by default the pix puts a /24 mask if nothing is entered (based on
class of network). However I have tried to manually add a /24, but it
is not allowing me to.

->As for my ACL, can someone scrub over this attempt? I don't think it
is correct. I tried to go through it on the Pix but the help is
nothing like it is on the switches.
access-list 101 permit icmp 0.0.0.0 0.0.0.0 outside
access-list 101 permit icmp outside 0.0.0.0 0.0.0.0
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0
255.255.255.0
access-list 101 permit ip 172.26.69.0 255.255.255.9 192.168.69.0
255.255.255.0
access-list 101 deny any any

global (outside) 1 interface access-list 101

->According to this I have AES, I will just have to figure out how to
turn it on.
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
I do travel outside the US occasionally, but only official DoD
business, and am usually on DoD bases.

Thanks

 
Walter Roberson
10-30-2005
In article <. com>,
millsusaf <> wrote:
:->The only code I can find on Cisco is 6.3(5) and from what I have read
:it is the latest code for the Pix 501. Is this right?

Yes. But people who stick with x.y(1) often do not have access to
the software downloads, so I reported on the newest version that one
can update to for free. 6.3(5) is a bug-fix release, not a security
release, so it isn't covered by Cisco's free-update policies.


:->I know that the DHCP outside int isn't ideal, but my cable modem bill
:would more than double for a static, so unfortunately I have to deal
:with it. I am getting around it this way: if I can't connect (once it is
:working totally) I will have the wife check on the IP by telnetting to the PIX
:and using the show IP command, getting that new address and changing it in my
:VPN client.

Consider using dyndns


:-> >ip local pool ipool 172.26.69.10-172.26.69.25
:As for the ip mask, I read the doc and, the way I read it, it states
:that by default the pix puts a /24 mask if nothing is entered (based on
:class of network). However I have tried to manually add a /24, but it
:is not allowing me to.

What syntax did you use? PIX 6.x does not accept the slash
notation for masks in any context.


:->As for my ACL, can someone scrub over this attempt? I don't think it
:is correct.

:global (outside) 1 interface access-list 101

You are right, the ACL is mostly wrong, probably because you are
fuzzy on what you are trying to do with it. The 'global' command
does not accept access lists.

Some specific hints for ACLs
- use 'any' instead of '0.0.0.0 0.0.0.0'
- use 'interface outside' instead of 'outside'
- the only place you need to write ACLs to explicitly match both
forward and reverse traffic, is for use with 'capture'. For all other
cases, you write it in one direction only, and the PIX knows how
to read it "backwards" if it needs to.
- every ACL ends with a default deny of everything, so you do not
need to put one in (unless you want hitcounts or want to 'log'
it differently.)

:->According to this I have AES, I will just have to figure out how to
:turn it on.
:VPN-3DES-AES: Enabled

Add another transform set that uses esp-aes-256 hmac-sha and
on your 'crypto map MAP # set transform-set' line give the name of that
transform set first. Also, create an additional isakmp policy with
a lower number than your existing one, that uses aes-256 sha group 5.
--
Is there any thing whereof it may be said, See, this is new? It hath
been already of old time, which was before us. -- Ecclesiastes
 
millsusaf
10-30-2005
Normally I like to figure these things out, but I am very busy lately
and just don't have any more time to spend on it. In addition I am
going out of town Monday morning for a couple of days and would like to
get this working before I leave, so I am throwing in the towel.

If someone can write me a 100% functional config that does everything I
want from my original post I will give them $50 upon confirmation that
the config works. I can paypal the funds or send a money order, your
choice. I am a man of my word, and will send the money. If you are
serious about writing the config, and need a warm fuzzy, I will supply
you with my eBay username so you can see my feedback (it shows my good
character). $50 isn't a lot of money, but I think fair for the 10
minutes it will take someone who knows what the heck they are doing.
Thanks, hopefully someone jumps on this soon.

 
Walter Roberson
10-30-2005
In article < .com>,
millsusaf <> wrote:
:If someone can write me a 100% functional config that does everything I
:want from my original post I will give them $50 upon confirmation that
:the config works.

We can't do that without knowing the internal IP addresses.
Without those, the best we could do (without chance) would be a
configuration that worked 100% for some location that remarkably
resembled yours in structure but not in detail.

It's your sentence about keeping everything blocked except for
the things you listed that is the problem: that sentence disallows
the use of sysopt connection permit-ipsec to bypass ACLs for VPNs.
Because we can't bypass them, we need to know the internal details
so we know what to permit them to.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
 
Walter Roberson
10-30-2005
In article < .com>,
millsusaf <> wrote:
:If someone can write me a 100% functional config that does everything I
:want from my original post

Changes from your original configuration are marked with '-->'. On
each of those lines, strip off the '--> ' but if that is followed by
a ':' then leave the ':' -- it is a comment marker.

PIX Version 6.3(1)
--> : this took noticeably more than 5 minutes, mostly to write the comments
--> : Adjusting for your DNS issue was the other main complication. Other
--> : than second-guessing what you really wanted to do...
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
hostname MillsVPN
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 101 permit ip 192.168.69.0 255.255.255.0 172.26.69.0 255.255.255.0
--> : Part of your posting implied that VPN traffic should be narrowly
--> : restricted, such as only FTP to the FTP server. We cannot configure
--> : that for you without knowing the inside IP addresses and a complete
--> : list of services you want to each one. Thus this configuration
--> : is not 100% what you asked for, because it allows VPN traffic
--> : to reach everything inside your internal network

--> : you asked for all ICMP request/response to be permitted into your
--> : network. That is not secure so I have only provided for the useful ICMP
--> access-list out2in permit icmp any interface outside echo-reply
--> access-list out2in permit icmp any interface outside unreachable
--> access-list out2in permit icmp any interface outside time-exceeded

--> : you wanted some undefined VPN tunnels for your family but did not
--> : tell us anything about them, and did not tell us whether you
--> : wanted them to terminate on the PIX or on some inside host.
--> : If they are to terminate on an inside host, you would need
--> : to permit in more traffic in out2in, but you would also have
--> : problems in getting the traffic to the correct inside host because
--> : you do not have more than one public IP address and you cannot
--> : forward ESP or GRE from the outside interface to something inside,
--> : at least not gracefully.
--> : Anyhow, this configuration is not 100% what you asked for
--> : because it does not allow for those VPN tunnels that you did
--> : not give us enough information to configure.

--> : your vpngroup sets DNS servers that are outside your local network
--> : but your client cannot normally reach those because normally -all-
--> : traffic goes to the PIX, and PIX 6.x will -never- turn traffic around
--> : and permit it out the same interface it came in on, even if the
--> : traffic came in as VPN traffic and is going out as DNS traffic.
--> : therefore in order for your choice of DNS server to be useful, we
--> : must exclude the DNS servers from going through the tunnel and instead
--> : have the client PC talk directly to those DNS servers and hope that
--> : those DNS servers are willing to answer random DNS queries on our
--> : behalf. If you did not intend that your VPN client should have useful
--> : access to outside DNS, you would not include a vpngroup dns-server
--> : statement. If you do need useful DNS then rather than counting on
--> : your rr.com DNS server and counting on the random local ISP to
--> : pass the packets all the way to rr.com, you would normally install
--> : an internal DNS server and refer to that.
--> : Note: in order to gain the access to the rr.com DNS servers through
--> : the split-tunnel configuration, the VPN client will have to have
--> : the checkbox option ticked to request split tunneling. Both parts
--> : must be in place: the server must be configured for split tunnel
--> : and the client must be configured to ask the server for split tunnel.
--> access-list split_vpn_acl deny ip host 24.31.195.63 any
--> access-list split_vpn_acl deny ip host 24.31.195.64 any
--> : the next statement just means that everything not denied above should
--> : be sent by the VPN client through the VPN tunnel to the PIX. It does
--> : NOT in itself permit any outside traffic to access anything.
--> access-list split_vpn_acl permit ip any any

pager lines 24

--> : you wanted ICMP request/reply into your network. If you want to
--> : be able to ping the PIX itself from outside, uncomment the next statement
--> : icmp permit any echo outside
--> icmp permit any echo-reply outside
--> icmp permit any unreachable outside
--> icmp permit any time-exceeded outside

mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
--> : the default mask for 172.26 would be 255.255.0.0
--> ip local pool ipool 172.26.69.10-172.26.69.25 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
--> : this activates the outside ACL
--> access-group out2in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
--> : you can run into MTU problems if you do not restrict the TCP MSS
--> : because after the VPN layers, the packet can exceed the 1500
--> : bytes of your MTU
--> sysopt connection tcpmss 1348
crypto ipsec transform-set myset esp-des esp-md5-hmac
--> : you do not NEED to allow AES, but we were talking about it...
--> crypto ipsec transform-set mysetAES esp-aes-256 esp-sha-hmac
--> crypto dynamic-map dynmap 10 set transform-set mysetAES myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
--> : if you do not use hostname instead of address, then you will have
--> : difficulties when your ISP changes your IP underneath you
--> isakmp identity hostname
isakmp nat-traversal 20
--> : again you do not need AES, but we were talking about it.
--> isakmp policy 7 authentication pre-share
--> isakmp policy 7 encryption aes-256
--> isakmp policy 7 hash sha
--> isakmp policy 7 group 5
--> : a full day, 86400 seconds, seems a bit much idle time for a VPN
--> : client so I dropped it to one hour
--> isakmp policy 7 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
--> : you probably want a shorter lifetime, as per above
isakmp policy 10 lifetime 86400
vpngroup MillsVPN address-pool ipool
vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
vpngroup MillsVPN idle-time 6000
vpngroup MillsVPN password XXXXXXXX
--> : this to allow the PC client to reach the DNS server you defined
--> vpngroup MillsVPN split-tunnel split_vpn_acl
--> : you had vpngroup dns-server idle-time at this point, which would
--> : be for a vpngroup named 'dns-server'.
--> vpngroup MillsVPN idle-time 1800
telnet 192.168.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.69.100-192.168.69.120 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
--
All is vanity. -- Ecclesiastes
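As an added example (not code from the thread or from Cisco), the following Python script encodes the checks Walter's replies make against the poster's config so they can be run over any PIX 6.x config dump before it goes live: missing pool mask, `global` given an ACL, weak DES/MD5 algorithms, the long ISAKMP lifetime, the mistyped `vpngroup dns-server` line, `permit-ipsec` bypassing the outside ACL, `isakmp identity address` on a DHCP outside interface, and DNS servers the tunnel cannot reach. The finding codes and SAMPLE_CONFIG are my own construction.

```python
"""Lint a PIX 6.x config for the mistakes discussed in this thread.
SAMPLE_CONFIG is a constructed fragment (poster's config plus his ACL attempt).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 192.168.69.1 255.255.255.0
ip local pool ipool 172.26.69.10-172.26.69.25
global (outside) 1 interface access-list 101
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp identity address
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
vpngroup MillsVPN address-pool ipool
vpngroup MillsVPN dns-server 24.31.195.63 24.31.195.64
vpngroup dns-server idle-time 1800
"""

WEAK_ALGS = {"des", "md5", "esp-des", "esp-md5-hmac"}
# vpngroup attribute keywords; a "group" named like one of these is a typo
VPNGROUP_KEYWORDS = {"address-pool", "dns-server", "wins-server",
                     "default-domain", "idle-time", "password", "split-tunnel"}


def lint_pix_config(text):
    """Return a list of (finding_code, offending_line) tuples."""
    findings = []
    outside_dhcp = identity_address = permit_ipsec = outside_acl = False
    inside_net, dns_lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):   # blank or PIX comment
            continue
        words = line.split()
        if line.startswith("ip address outside dhcp"):
            outside_dhcp = True
        elif line.startswith("ip address inside") and len(words) >= 5:
            inside_net = ipaddress.ip_network(f"{words[3]}/{words[4]}", strict=False)
        elif line.startswith("ip local pool") and "mask" not in words:
            findings.append(("pool-without-mask", line))   # gets a classful mask
        elif words[0] == "global" and "access-list" in words:
            findings.append(("global-does-not-take-acl", line))
        elif line == "sysopt connection permit-ipsec":
            permit_ipsec = True
        elif re.fullmatch(r"access-group \S+ in interface outside", line):
            outside_acl = True
        elif words[:3] == ["isakmp", "identity", "address"]:
            identity_address = True
        elif words[0] == "vpngroup" and len(words) > 2:
            if words[1] in VPNGROUP_KEYWORDS:
                findings.append(("vpngroup-name-is-keyword", line))
            elif words[2] == "dns-server":
                dns_lines.append((line, words[3:]))
        if line.startswith(("crypto ipsec transform-set", "isakmp policy")):
            if WEAK_ALGS & set(words):
                findings.append(("weak-crypto", line))
            if "lifetime" in words and int(words[-1]) > 3600:
                findings.append(("long-isakmp-lifetime", line))
    # Cross-line findings: each needs more than one statement to judge.
    if permit_ipsec:   # VPN clients bypass the outside ACL entirely
        findings.append(("permit-ipsec-bypasses-outside-acl", "sysopt connection permit-ipsec"))
    if not outside_acl:
        findings.append(("no-outside-access-group", "(missing)"))
    if outside_dhcp and identity_address:
        findings.append(("identity-address-on-dhcp-outside", "isakmp identity address"))
    for line, servers in dns_lines:   # PIX 6.x will not hairpin tunnel traffic back out
        if inside_net and any(ipaddress.ip_address(s) not in inside_net for s in servers):
            findings.append(("dns-server-not-reachable-via-tunnel", line))
    return findings
```

Run `lint_pix_config(open("pix.cfg").read())` over a saved `write terminal` dump; an empty list means none of the thread's mistakes were found, not that the config is correct.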
 
millsusaf
10-30-2005
I was also wondering about the DynDNS thing. From what I read on their
site, it requires a client to be installed on a PC. Obviously this PC
would need to be on constantly to update the system properly. How
would this work in my situation when the IP address I am trying to get
to is the Pix external int? Does the client know that the PC it
resides on is part of a larger network?

 
millsusaf
10-31-2005
Walter,

Thanks for the help, as long as it works the $50 is yours. You are
correct; I wasn't as specific as I should have been, sorry about that.
The DNS servers are my ISP's; that entry was there because I was trying
to follow a Cisco config I found. I did not realize they were not
supposed to be there. I have no reason to get to those DNS servers
outside my network. Therefore anything referencing those DNS servers
should be taken out.

I am sorry, I was trying to convey that all VPN tunnels should be wide
open to anything on the network. As for the family accounts, I also
want them to be wide open to the network. Two accounts would be fine,
"FamilyA" and "FamilyB".

As for the ICMP requests/replies, the only thing I want to be able to
ping from the internet is the external int. However I do want the
ability to ping everything on my network once a VPN tunnel is created.


Once I upgrade the Pix to 6.3(5), I definitely want the AES. Are the
policy 7 lines for AES and the 10 lines for the old MD5? Let me know if you
need more info. Thanks

Brian

 
Walter Roberson
10-31-2005
In article <. com>,
millsusaf <> wrote:
:I was also wondering about the DynDNS thing. From what I read on their
:site, it requires a client to be installed on a PC. Obviously this PC
:would need to be on constantly to update the system properly.

Not -constantly- on -- but the client needs to run at the
frequency of the maximum delay you are willing to tolerate before
the IP is updated. For example, if you don't mind waiting half an
hour for dyndns to catch up with an IP address change, then the client
only needs to run every half an hour.

:How
:would this work in my situation when the IP address I am trying to get
:to is the Pix external int? Does the client know that the PC it
:resides on is part of a larger network?

All the client has to know is your login name and password and the
relevant domain name. The client connects to dyndns.com and says
"I'm here!"... passing through the NAT translation to the outside IP
address as it does that. dyndns.com reads off sender's IP address
from the packet -- which will be the translated IP address. Which is
exactly the address that needs to be registered in the DNS tables.
It doesn't matter how many layers of translation that the client has
to go through, as long as the final translation is the one that
external systems should be using to contact you.
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001
 