PIX 515, DMZ, VPN, what a mess. Need Help.

Discussion in 'Cisco' started by Eddie, Jun 17, 2004.

  1. Eddie

    Eddie Guest

    Hello.

    I don't see a way around this problem and I am hoping someone can point
    me in the right direction.

    I want the VPN users to only access the systems in the DMZ. I have to add
    this line for them to do so.

    static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0

    But with that line, the servers in the DMZ cannot access the internet.
    Everything else is working perfectly and the ACLs are working great.

    How can I go about doing this?

    Full config below.

    Thanks for any and all help
    Eddie

    ------------------------------
    enable

    config term

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50

    hostname RSC
    domain-name example.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    names
    pager lines 24
    no logging on

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto


    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500

    ip address outside 11.146.146.151 255.255.255.240
    ip address inside 172.16.1.5 255.255.0.0
    ip address dmz 172.30.1.1 255.255.0.0


    arp timeout 14400

    :No NAT for inside host to access the DMZ
    access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0

    :No NAT for any store
    access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    nat 0 access-list 60


    ::Needed so the clients on the VPN can talk to the servers on the DMZ
    static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0


    :############################################
    :Limited Access from Stores. We only want the stores accessing select
    things on the DMZ
    access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
    access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
    :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
    access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
    access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply

    access-list 71 deny ip any any
    access-group 71 in interface outside
    :#############################################


    :#######################################################
    :Limit Access from the office to the stores to select systems on the
    :inside interface.

    access-list 100 permit ip 172.16.1.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list 100 deny ip any 172.20.0.0 255.255.0.0

    :Stuff to limit office access to web here
    access-list 100 permit ip any any

    access-group 100 in interface inside
    :########################################################


    :#####################################################
    :ACL for DMZ systems
    :We will also need to give the DMZ limited internet access.

    :We do like to ping
    access-list 70 permit icmp any any echo-reply

    :Ban access to inside networks.
    access-list 70 deny ip any 172.16.0.0 255.255.0.0
    :May also need to ban access to stores.

    :Internet Access to the DMZ. Temp
    access-list 70 permit ip any any

    :Deny everything else
    :access-list 70 deny ip any any

    :Lets try it
    access-group 70 in interface dmz
    :##################################################

    :NAT the inside
    nat (inside) 1 0 0

    :NAT the dmz
    nat (dmz) 1 0 0

    :pAT the bunny
    global (outside) 1 interface
    route outside 0.0.0.0 0.0.0.0 11.146.146.145

    :We don't use RIP so turn it off.
    no rip outside passive
    no rip outside default
    no rip inside passive
    no rip inside default
    no rip dmz passive
    no rip dmz default


    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00 absolute

    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    crypto ipsec transform-set strong esp-aes-256


    :Store201
    access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
    access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.201.0 255.255.255.0
    crypto map ToStore 10 ipsec-isakmp
    crypto map ToStore 10 match address 201_ipsec
    crypto map ToStore 10 set peer 11.146.146.152
    crypto map ToStore 10 set transform-set strong
    crypto map ToStore interface outside

    :Store212
    access-list 212_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.212.0 255.255.255.0
    access-list 212_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.212.0 255.255.255.0
    crypto map ToStore 12 ipsec-isakmp
    crypto map ToStore 12 match address 212_ipsec
    crypto map ToStore 12 set peer 11.146.146.153
    crypto map ToStore 12 set transform-set strong
    crypto map ToStore interface outside

    :General IPSEC stuff for all stores
    isakmp enable outside
    isakmp key cisco1234 address 11.146.146.152 netmask 255.255.255.255
    isakmp key cisco1234 address 11.146.146.153 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption aes-256
    isakmp policy 8 lifetime 120
    isakmp policy 8 hash md5


    http 172.16.0.0 255.255.0.0
    http server enable

    logg c 7
    logg on
     
    Eddie, Jun 17, 2004
    #1

  2. Eddie

    Bill F Guest


    >
    > :No NAT for inside host to access the DMZ
    > access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    > access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    >


    This is accomplished as follows:

    static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

    > :No NAT for any store
    > access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    > access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 # don't need this
    > access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    > access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 # don't need this
    > nat 0 access-list 60


    You only need to do the remote, local acl entries for nat 0.

    >
    >
    > ::Needed so the clients on the VPN can talk to the servers on the DMZ
    > static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
    >

    Nope. In this case, something LIKE acl 71 takes care of that - I say
    like because you have the syntax reversed. It should be of the type:

    access-list 71 permit tcp 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0 eq 80

    In other words, local net traffic to remote net will be tunneled, and
    the other side would have the mirror image. Same thing goes for any
    other VPN peer nets.

     
    Bill F, Jun 18, 2004
    #2

  3. Eddie

    Bill F Guest

    Oops, caught one mistake in my response. It should read...

    >> :No NAT for any store
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0 # don't need this
    >> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    >> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0 # don't need this
    >> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    >> nat 0 access-list 60

    You only need to do the remote, local acl entries for nat 0.
     
    Bill F, Jun 18, 2004
    #3
  4. Eddie

    Bill F Guest

    Jeez!! I was right the first time. It is actually local net then remote
    net for the nat 0 acl.
     
    Bill F, Jun 18, 2004
    #4
  5. Eddie

    eddie Guest

    Thanks for trying to help. I made your changes, but all I get now is "no
    translation group found" errors when a client on the VPN tries to ping a
    server on the DMZ.

    Eddie


    Bill F <> wrote in
    news::

    >
    >>
    >> :No NAT for inside host to access the DMZ
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    >> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    >>

    >
    > this is accomplished as follows
    >
    > static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
    >
    >> :No NAT for any store
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    >> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 # don't need this
    >> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    >> access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 # don't need this
    >> nat 0 access-list 60

    >
    > You only need to do the remote, local acl entries for nat 0
    >
    >>
    >>
    >> ::Needed so the clients on the VPN can talk to the servers on the DMZ
    >> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
    >>

    > Nope. In this case, something LIKE acl 71 takes care of that - I say
    > like because you have the syntax reversed. It should be of the type:
    >
    > access-list 71 permit tcp 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0 eq 80
    >
    > In other words, local net traffic to remote net will be tunneled, and
    > the other side would have the mirror image. Same thing goes for any
    > other VPN peer nets.
    >
    >>
    >> :############################################
    >> :Limited Access from Stores
    >> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0
    >> 255.255.0.0 eq 80 access-list 71 permit tcp 172.20.0.0 255.255.0.0
    >> 172.30.0.0 255.255.0.0 eq 8080
    >> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0
    >> :255.255.0.0 eq 22
    >> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0
    >> 255.255.0.0 eq 53 access-list 71 permit icmp 172.20.0.0 255.255.0.0
    >> 172.30.0.0 255.255.0.0 access-list 71 permit icmp 172.20.0.0
    >> 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
    >>
    >> access-list 71 deny ip any any
    >> access-group 71 in interface outside
    >> :#############################################
    >>
    >>
    >> :#######################################################
    >> :Limit Access from the office to the stores to select systems.
    >>
    >> access-list 100 permit ip 172.16.1.0 255.255.255.0 172.20.0.0
    >> 255.255.0.0 access-list 100 deny ip any 172.20.0.0 255.255.0.0
    >>
    >> :Stuff to limit office access to web here
    >> access-list 100 permit ip any any
    >>
    >> access-group 100 in interface inside
    >> :########################################################
    >>
    >>
    >> :#####################################################
    >> :ACL for DMZ systems
    >> :We will also need to give the DMZ limited internet access.
    >>
    >> :We do like to ping
    >> access-list 70 permit icmp any any echo-reply
    >>
    >> :Ban acess to inside networks.
    >> access-list 70 deny ip any 172.16.0.0 255.255.0.0
    >> :May also need to ban access to stores.
    >>
    >> :Internet Access to the DMZ
    >> access-list 70 permit ip any any
    >>
    >> :Deny everything else
    >> :access-list 70 deny ip any any
    >>
    >> :Lets try it
    >> access-group 70 in interface dmz
    >> :##################################################
    >>
    >>
    >> nat (inside) 1 0 0
    >> nat (dmz) 1 0 0
    >>
    >> global (outside) 1 interface
    >> route outside 0.0.0.0 0.0.0.0 12.145.146.145
    >>
    >> no rip outside passive
    >> no rip outside default
    >> no rip inside passive
    >> no rip inside default
    >> no rip dmz passive
    >> no rip dmz default
    >>
    >>
    >> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    >> timeout rpc 0:10:00 h323 0:05:00
    >> timeout uauth 0:05:00 absolute
    >>
    >> aaa-server TACACS+ protocol tacacs+
    >> aaa-server RADIUS protocol radius
    >> crypto ipsec transform-set strong esp-aes-256
    >>
    >>
    >> :Store201
    >> access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0
    >> 255.255.255.0 access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0
    >> 172.20.201.0 255.255.255.0 crypto map ToStore 10 ipsec-isakmp
    >> crypto map ToStore 10 match address 201_ipsec
    >> crypto map ToStore 10 set peer 11.146.146.152
    >> crypto map ToStore 10 set transform-set strong
    >> crypto map ToStore interface outside
    >>
    >> :Store212
    >> access-list 212_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.212.0
    >> 255.255.255.0 access-list 212_ipsec permit ip 172.16.0.0 255.255.0.0
    >> 172.20.212.0 255.255.255.0 crypto map ToStore 12 ipsec-isakmp
    >> crypto map ToStore 12 match address 212_ipsec
    >> crypto map ToStore 12 set peer 11.146.146.153
    >> crypto map ToStore 12 set transform-set strong
    >> crypto map ToStore interface outside
    >>
    >> isakmp enable outside
    >> isakmp key cisco1234 address 11.146.146.152 netmask 255.255.255.255
    >> isakmp key cisco1234 address 11.146.146.153 netmask 255.255.255.255
    >> isakmp policy 8 authentication pre-share
    >> isakmp policy 8 encryption aes-256
    >> isakmp policy 8 lifetime 120
    >> isakmp policy 8 hash md5
    >>
    >> http 172.16.0.0 255.255.0.0
    >> http server enable
    >>
    >> logg c 7
    >> logg on
    >>
    >>
    >> no logging on
    >>
    >> interface ethernet0 auto
    >> interface ethernet1 auto
    >> interface ethernet2 auto
    >>
    >>
    >> mtu outside 1500
    >> mtu inside 1500
    >> mtu dmz 1500
    >>
    >> ip address outside 11.146.146.151 255.255.255.240
    >> ip address inside 172.16.1.5 255.255.0.0
    >> ip address dmz 172.30.1.1 255.255.0.0
    >>
    >>
    >> arp timeout 14400
    >>
    >> :No NAT for inside host to access the DMZ
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0
    >> 255.255.0.0 access-list 60 permit ip 172.16.0.0 255.255.0.0
    >> 172.30.0.0 255.255.0.0
    >>
    >> :No NAT for any store
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0
    >> 255.255.0.0 access-list 60 permit ip 172.20.0.0 255.255.0.0
    >> 172.30.0.0 255.255.0.0 access-list 60 permit ip 172.16.0.0
    >> 255.255.0.0 172.20.0.0 255.255.0.0 access-list 60 permit ip
    >> 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 nat 0 access-list 60
    >>
    >>
    >> ::Needed so the clients on the VPN can talk to the servers on the DMZ
    >> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0
    >>
    >>
    >> :############################################
    >> :Limited Access from Stores. We only want the stores accessing select
    >> things on the DMZ
    >> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0
    >> 255.255.0.0 eq 80 access-list 71 permit tcp 172.20.0.0 255.255.0.0
    >> 172.30.0.0 255.255.0.0 eq 8080
    >> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0
    >> :255.255.0.0 eq 22
    >> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0
    >> 255.255.0.0 eq 53 access-list 71 permit icmp 172.20.0.0 255.255.0.0
    >> 172.30.0.0 255.255.0.0 access-list 71 permit icmp 172.20.0.0
    >> 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
    >>
    >> access-list 71 deny ip any any
    >> access-group 71 in interface outside
    >> :#############################################
    >>
    >>
    >> :#######################################################
    >> Limit Access from the office to the stores to select systems on the
    >> inside interface.
    >>
    >> access-list 100 permit ip 172.16.1.0 255.255.255.0 172.20.0.0
    >> 255.255.0.0 access-list 100 deny ip any 172.20.0.0 255.255.0.0
    >>
    >> :Stuff to limit office access to web here
    >> access-list 100 permit ip any any
    >>
    >> access-group 100 in interface inside
    >> :########################################################
    >>
    >>
    >> :#####################################################
    >> :ACL for DMZ systems
    >> :We will also need to give the DMZ limited internet access.
    >>
    >> :We do like to ping
    >> access-list 70 permit icmp any any echo-reply
    >>
    >> :Ban acess to inside networks.
    >> access-list 70 deny ip any 172.16.0.0 255.255.0.0
    >> :May also need to ban access to stores.
    >>
    >> :Internet Access to the DMZ. Temp
    >> access-list 70 permit ip any any
    >>
    >> :Deny everything else
    >> :access-list 70 deny ip any any
    >>
    >> :Lets try it
    >> access-group 70 in interface dmz
    >> :##################################################
    >>
    >> :NAT the inside
    >> nat (inside) 1 0 0
    >>
    >> :NAT the dmz
    >> nat (dmz) 1 0 0
    >>
    >> :pAT the bunny
    >> global (outside) 1 interface
    >> route outside 0.0.0.0 0.0.0.0 11.146.146.145
    >>
    >> :We don't use RIP so turn it off.
    >> no rip outside passive
    >> no rip outside default
    >> no rip inside passive
    >> no rip inside default
    >> no rip dmz passive
    >> no rip dmz default
    >>
    >>
    >> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    >> timeout rpc 0:10:00 h323 0:05:00
    >> timeout uauth 0:05:00 absolute
    >>
    >> aaa-server TACACS+ protocol tacacs+
    >> aaa-server RADIUS protocol radius
    >> crypto ipsec transform-set strong esp-aes-256
    >>
    >>
    >> :Store201
    >> access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0
    >> 255.255.255.0 access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0
    >> 172.20.201.0 255.255.255.0 crypto map ToStore 10 ipsec-isakmp
    >> crypto map ToStore 10 match address 201_ipsec
    >> crypto map ToStore 10 set peer 11.146.146.152
    >> crypto map ToStore 10 set transform-set strong
    >> crypto map ToStore interface outside
    >>
    >> :Store212
    >> access-list 212_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.212.0 255.255.255.0
    >> access-list 212_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.212.0 255.255.255.0
    >> crypto map ToStore 12 ipsec-isakmp
    >> crypto map ToStore 12 match address 212_ipsec
    >> crypto map ToStore 12 set peer 11.146.146.153
    >> crypto map ToStore 12 set transform-set strong
    >> crypto map ToStore interface outside
    >>
    >> :General IPSEC stuff for all stores
    >> isakmp enable outside
    >> isakmp key cisco1234 address 11.146.146.152 netmask 255.255.255.255
    >> isakmp key cisco1234 address 11.146.146.153 netmask 255.255.255.255
    >> isakmp policy 8 authentication pre-share
    >> isakmp policy 8 encryption aes-256
    >> isakmp policy 8 lifetime 120
    >> isakmp policy 8 hash md5
    >>
    >>
    >> http 172.16.0.0 255.255.0.0
    >> http server enable
    >>
    >> logg c 7
    >> logg on

     
    eddie, Jun 18, 2004
    #5
  6. Eddie

    Bill F Guest

    Let's cut through the possible confusion I caused with the back and
    forth. Using the acl 60 example it should be as follows.

    nat 0 access-list 60

    access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0

    is that what you tried?
     
    Bill F, Jun 19, 2004
    #6
  7. Eddie

    Bill F Guest


    > arp timeout 14400
    >
    > :No NAT for inside host to access the DMZ
    > access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    > access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0


    ok i think i already addressed the above issue. Remove these two lines.
    the way you accomplish this is:

    static (inside,dmz) 172.16.0.0 172.16.0.0 255.255.0.0


    >
    > :No NAT for any store
    > access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    > :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 # remove
    > access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    > :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 # remove
    >
    >
    >
    > nat 0 access-list 60
    >
    >
    > ::Needed so the clients on the VPN can talk to the servers on the DMZ
    > static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0


    This allows dmz hosts to send traffic to the outside untranslated which
    doesn't make sense. Remember vpn users are logically on the inside net.

    >
    >
    > :############################################
    > :Limited Access from Stores
    > access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
    > access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
    > :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
    > access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
    > access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    > access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
    >
    > access-list 71 deny ip any any
    > access-group 71 in interface outside
    > :#############################################


    Again, vpn hosts are logically on the inside. You don't use
    access-group commands to filter vpn traffic. The only acls you need for
    vpn access are the nonat acl and it's essential for the crypto map match
    address acls. You control vpn peer network access purely through these
    acls. And it's essential that the peer acls exactly mirror the local pix
    acl per crypto map entry/peer. Placing an acl on the outside interface
    only filters traffic to the outside subnet addresses.
     
    Bill F, Jun 20, 2004
    #7
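    Bill's two requirements above (the crypto map match-address ACL mirrored exactly on the peer, and the same flows exempted from translation by the nat 0 ACL) can be checked mechanically before a tunnel is debugged by hand. The following Python is an added example, not code from the thread: the PIX lines are the thread's own 201_ipsec and 60 entries, while the Store201-side ACL and its name `to_rsc` are constructed, and the parser only handles the explicit net/mask form those ACLs use.

```python
import ipaddress
import re
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# PIX 6.x "access-list NAME permit PROTO SRC SRCMASK DST DSTMASK" (explicit net/mask form only)
_ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_acls(text):
    """Map ACL name -> list of permitted Flows; deny lines and ':' comments are ignored."""
    acls = {}
    for line in text.splitlines():
        m = _ACL_RE.match(line.strip())
        if m:
            name, proto, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(Flow(
                proto, ipaddress.IPv4Network(f"{src}/{smask}"), ipaddress.IPv4Network(f"{dst}/{dmask}")))
    return acls

def mirrors(local, peer):
    """True when the peer's crypto ACL is exactly the local one with src/dst swapped."""
    return set(local) == {Flow(f.proto, f.dst, f.src) for f in peer}

def not_in_nonat(crypto, nonat):
    """Crypto-ACL flows no nat 0 entry covers: nat/global would PAT them before they reach the tunnel."""
    return [f for f in crypto if not any(
        n.proto in ("ip", f.proto) and f.src.subnet_of(n.src) and f.dst.subnet_of(n.dst) for n in nonat)]

# Local PIX lines taken from the thread (Store201 crypto ACL and nonat ACL 60).
PIX_ACLS = """
access-list 201_ipsec permit ip 172.30.0.0 255.255.0.0 172.20.201.0 255.255.255.0
access-list 201_ipsec permit ip 172.16.0.0 255.255.0.0 172.20.201.0 255.255.255.0
access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
"""
# Constructed Store201-side ACL (the name 'to_rsc' is assumed); the entry for the inside
# network is deliberately missing so the mirror check has a mismatch to report.
STORE_ACLS = """
access-list to_rsc permit ip 172.20.201.0 255.255.255.0 172.30.0.0 255.255.0.0
"""

def audit(pix_text=PIX_ACLS, peer_text=STORE_ACLS, crypto="201_ipsec", nonat="60", peer_acl="to_rsc"):
    pix, peer = parse_acls(pix_text), parse_acls(peer_text)
    return {"mirrored": mirrors(pix[crypto], peer[peer_acl]),
            "untranslated_gaps": not_in_nonat(pix[crypto], pix[nonat])}

if __name__ == "__main__":
    print(audit())  # mirrored False (peer lacks the 172.16.0.0/16 entry), no nat 0 gaps
```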
  8. Eddie

    Eddie Guest

    On Sun, 20 Jun 2004 03:35:10 -0700, Bill F wrote:


    >> arp timeout 14400
    >>
    >> :No NAT for inside host to access the DMZ
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    >> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.30.0.0 255.255.0.0

    >
    > ok i think i already addressed the above issue. Remove these two lines.
    > the way you accomplish this is:
    >
    > static (inside,dmz) 172.16.0.0 172.16.0.0 255.255.0.0
    >


    Tried that. It didn't work. The inside network could not access the DMZ.


    >
    >> :No NAT for any store
    >> access-list 60 permit ip 172.30.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    >> :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 # remove
    >> access-list 60 permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    >> :access-list 60 permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 # remove
    >>
    >>
    >>
    >> nat 0 access-list 60
    >>
    >>
    >> ::Needed so the clients on the VPN can talk to the servers on the DMZ
    >> static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0

    >
    > This allows dmz hosts to send traffic to the outside untranslated which
    > doesn't make sense. Remember vpn users are logically on the inside net.
    >


    You sure? From everything I have read and my thinking behind this config,
    is that the VPN connections land on the outside interface, unless I have
    "sysopt connection permit-ipsec" and then the vpn users are on the inside
    network, but with that line, I can't apply ACLs to the VPN users.


    >
    >> :############################################
    >> :Limited Access from Stores
    >> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 80
    >> access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 8080
    >> :access-list 71 permit tcp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 22
    >> access-list 71 permit udp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0 eq 53
    >> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.30.0.0 255.255.0.0
    >> access-list 71 permit icmp 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0 echo-reply
    >>
    >> access-list 71 deny ip any any
    >> access-group 71 in interface outside
    >> :#############################################

    >
    > Again, vpn hosts are logically on the inside. You don't use
    > access-group commands to filter vpn traffic. The only acls you need for
    > vpn access are the nonat acl and it's essential for the crypto map match
    > address acls. You control vpn peer network access purely through these
    > acls. And it's essential that the peer acls exactly mirror the local pix
    > acl per crypto map entry/peer. Placing an acl on the outside interface
    > only filters traffic to the outside subnet addresses.



    You may be right about the ACL on the VPN and the crypto map. I think I
    had problems applying an ACL as a crypto map with a port number. However,
    I have been working on this for a month now and I don't recall what the
    problem is. But everything seems to work and all the ACLs do what they
    should. The main problem is this line.


    ::Needed so the clients on the VPN can talk to the servers on the DMZ
    static (dmz,outside) 172.30.0.0 172.30.0.0 netmask 255.255.0.0 0 0


    Because the VPN connections come from the outside interface, they are
    from a lower security level than the DMZ. It's my understanding you need
    a static route to allow packets to flow from a lower level to a higher
    one. This line does work and the VPN users can access servers on the DMZ
    without a problem. However, it stops the servers in the DMZ from
    accessing the internet by turning off NAT.

    So with that line, VPN users can access DMZ.
    Without it, DMZ can access internet.

    Problem is, I need both to happen at the same time.


    Thanks
    Eddie
     
    Eddie, Jun 20, 2004
    #8
  9. Eddie

    Bill F Guest


    >
    > You sure? From everything I have read and my thinking behind this config,
    > is that the VPN connections land on the outside interface, unless I have
    > "sysopt connection permit-ipsec"


    Argh! That's crucial. I didn't know you were missing this?

    > and then the vpn users are on the inside
    > network, but with that line, I can't apply ACLs to the VPN users.
    >


    I'm not familiar with this approach. The conventional use of acls is a)
    to control global traffic from hitting inside or dmz hosts OR b) to use
    the crypto map match address acl to control access for vpn users. I've
    never heard of an instance when acls were placed on interfaces to
    control vpn access. Please forward the documentation links you're
    referring to.
     
    Bill F, Jun 20, 2004
    #9
  10. Eddie

    Eddie Guest

    On Sun, 20 Jun 2004 11:57:07 -0700, Bill F wrote:



    >
    >> You sure? From everything I have read and my thinking behind this
    >> config, is that the VPN connections land on the outside interface,
    >> unless I have "sysopt connection permit-ipsec"

    >
    > Argh! That's crucial. I didn't know you were missing this?
    >
    >> and then the vpn users are on the inside
    >> network, but with that line, I can't apply ACLs to the VPN users.
    >>
    >>

    > I'm not familiar with this approach. The conventional use of acls is a)
    > to control global traffic from hitting inside or dmz hosts OR b) to use
    > the crypto map match address acl to control access for vpn users. I've
    > never heard of an instance when acls were placed on interfaces to
    > control vpn access. Please forward the documentation links you're
    > referring to.



    I would have to look at my huge list of bookmarks for the info. But some
    of it came from posts I found on this group. One of which was not to put
    ACLs with ports on the crypto map as it would put extra load on the pix.

    I don't want to limit access to the VPN users by using the crypto map. I
    will need to pull data from the vpn users.

    The way I want is this.

    1) VPN users can only access servers in the DMZ. Only on select ports if I
    can, but I can firewall the servers if I need to.

    2) The DMZ has full access to any of the VPN users. No restriction on ports.

    3) Select systems on the internal interface have full access to the VPN
    users. As much as I would like to, I can't have all systems in the DMZ.

    4) DMZ has full access to the internet.


    Everything works, but I can't seem to have options 1, 2 and 4 at the same
    time.

    If I set the DMZ to the same security level as the outside interface,
    will I need the static line?

    Thank you
    Eddie
     
    Eddie, Jun 20, 2004
    #10