PIX VPN to both DMZ and INSIDE segments

Discussion in 'Cisco' started by Tiffany, Oct 18, 2005.

  1. Tiffany

    Tiffany Guest

    Without explaining why we are doing this, I would like to know if it
    can be done.

    I currently have a PIX515E/R and I have a DMZ card that I am about to
    install. What I would like to do is allow some users to VPN in via the
    Cisco client to the DMZ and other users to VPN into the DMZ segment
    using the Cisco Client as well.

    It's ok if the people on the inside interface can access the DMZ but
    I don't want users who VPN into the DMZ segment to be able to reach
    the inside segment (unless we poke holes.)

    Questions:
    1) Can this be done
    2) Do I need two external addresses or just one
    3) If only one IP then how does it know who is destined for which
    segment?
    4) Are there any examples on how to do this or what is unique about
    the config over normal VPN configs?

    Thanks for any assistance.

    Tiffany
    Inside = 10.10.0.0/24
    DMZ = 192.168.200.0/24
    Outside = Public
    Tiffany, Oct 18, 2005
    #1

  2. In article <>,
    Tiffany <> wrote:

    :Without explaining why we are doing this, I would like to know if it
    :can be done.

    :I currently have a PIX515E/R and I have a DMZ card that I am about to
    :install. What I would like to do is allow some users to VPN in via the
    :Cisco client to the DMZ and other users to VPN into the DMZ segment
    :using the Cisco Client as well.

    That looks redundant ;-)


    :It's ok if the people on the inside interface can access the DMZ but
    :I don't want users who VPN into the DMZ segment to be able to reach
    :the inside segment (unless we poke holes.)

    :Questions:
    :1) Can this be done

    More Yes than No.

    :2) Do I need two external addresses or just one
    :3) If only one IP then how does it know who is destined for which
    :segment?

    Your VPN clients can only terminate on the "closest" interface
    to them. If you want to be able to terminate VPN clients on the DMZ
    interface itself, then either they have to be internal clients
    (attached to the DMZ segment), or else you have to have the DMZ
    attached to the outside world with a public IP.

    However, if you want your external VPN clients to be able to
    access DMZ resources but not inside resources, then simply
    don't turn on "sysopt connection permit-ipsec", and use the
    ACL on the outside interface to control access. If you are turning
    off nat for the VPN clients, then it becomes relatively easy: just
    permit the private IP range to the IPs of the defined DMZ resources.

    When you have permit-ipsec turned off, then the IP packets *after
    decapsulation* are run through the normal procedures appropriate for
    the interface they arrived on, the same as if they weren't IPSec.

    If the problem is to permit different groups of users to different
    DMZ resources, then create different vpngroups for them and
    assign them into different private IP pools, and then use the IP pool
    to control where they can go.
    --
    "It is important to remember that when it comes to law, computers
    never make copies, only human beings make copies. Computers are given
    commands, not permission. Only people can be given permission."
    -- Brad Templeton
    Walter Roberson, Oct 19, 2005
    #2

  3. Tiffany

    Tiffany Guest

    Walter,

    OK, I think I understood some of this. To clarify my redundant part I
    meant to say that some people need access to the DMZ and some to the
    INSIDE segment.

    My Inside segment is 10.10.0.1/24
    My DMZ area is 192.168.50.1/24 (technically it is not being used as a
    DMZ, it's just another interface.)

    I want my normal users to VPN to the inside as they do currently, but
    now I want to create a way for the second group to VPN to the DMZ
    Segment only.

    The reason that I am doing this is that I have a group of uncontrolled
    users that need to be able to VPN into me from the outside so that I
    can remotely control their PCs. I can not VPN into them (not an
    option) and it's very important that I isolate them from my Private
    network. I want to avoid buying a second appliance and plugging it
    into my public segment so I was planning to just set up a PC on the DMZ
    and once they VPN in, I can connect to them for remote control.

    If this cannot be done, I may just set up a PC in my DMZ running
    Windows Server and RAS and just let them connect all the way into the
    PC using simple PPTP, but it's not my first choice.

    Can you explain what you mean by "clients can only terminate on the
    'closest' interface"?

    Thanks
    Tiffany, Oct 19, 2005
    #3
  4. In article <>,
    Tiffany <> wrote:
    :To clarify my redundant part I
    :meant to say that some people need access to the DMZ and some to the
    :INSIDE segment.

    Ah, that's not hard to do.


    :My Inside segment is 10.10.0.1/24
    :My DMZ area is 192.168.50.1/24 (technically it is not being used as a
    :DMZ, it's just another interface.)

    :I want my normal users to VPN to the inside as they do currently, but
    :now I want to create a way for the second group to VPN to the DMZ
    :Segment only.

    Can do.


    :Can you explain what you mean by "clients can only terminate on the
    :'closest' interface"?

    Suppose your PIX outside IP is 123.45.67.89.

    Suppose you tried to static your PIX DMZ IP to the outside
    world, say as 123.45.67.94, and you wanted users to be able to
    terminate their VPN connection on that IP... i.e., have
    them specify their "peer" as 123.45.67.94. If, in order to
    reach that 123.45.67.94 IP, the traffic would have to pass through
    a different PIX interface (on the same PIX) (i.e., the
    outside interface, 123.45.67.89) then the PIX wouldn't allow that.

    Suppose, though, that you had a second LAN 192.168.50/24
    with user machines on that IP address range -- possibly
    because there is a router there and link to another office. In
    that case, where the 192.168.50 interface is the -first- interface
    that the traffic would hit, you could have users VPN from anywhere
    on that LAN to that PIX interface. You might, for example, do this if the
    users didn't exactly trust one another not to snoop on regular
    traffic.

    Third scenario: you have two public IP networks (or subnets),
    and your DMZ interface -and- your outside interface are both
    connected to the Internet. In such a case, which interface the
    user would terminate at would depend on which of the interface IPs they
    specified: as long as you have the cooperation of your WAN router
    in such a case, the traffic would not have to go through the outside
    interface of the PIX to reach the DMZ interface: it could go directly
    from WAN router to DMZ interface.

    VPNs do not need to terminate on the outside interface,
    but they need to terminate on the interface that the relevant
    traffic first enters the PIX.


    Anyhow, as I said, all you need to do is turn off that sysopt,
    create a second vpn group with a distinct name and password,
    use different IP pools for the different groups, and
    set up the outside acl as appropriate. For example,
    approximately something like this:

    names
    name 192.168.51.0 dmz_pool_net
    name 192.168.49.0 inside_pool_net
    name 192.168.50.2 dmz_vnc_server
    name 10.10.0.10 inside_oracle_server
    name 10.10.0.3 inside_dns_server

    ip local pool dmz_vpn_pool 192.168.51.17-192.168.51.31
    ip local pool inside_vpn_pool 192.168.49.84-192.168.49.105

    vpngroup dmz_vpn_group address pool dmz_vpn_pool
    vpngroup dmz_vpn_group name tiffsdmz password Excaliburr
    vpngroup inside_vpn_group address pool inside_vpn_pool
    vpngroup inside_vpn_group name tiffsclub password KnowsRainDear

    no sysopt connection permit-ipsec

    access-list Out2In permit ip dmz_pool_net 255.255.255.0 host dmz_vnc_server
    access-list Out2In deny ip dmz_pool_net 255.255.255.0 any
    access-list Out2In permit udp inside_pool_net 255.255.255.0 host inside_dns_server eq domain
    access-list Out2In permit tcp inside_pool_net 255.255.255.0 host inside_oracle_server eq 1524

    access-group Out2In in interface outside


    With this configuration, the members of the dmz vpn pool cannot
    reach anything on the inside interface because the IP address range
    they are in (192.168.51/24) is not permitted access to the other
    resources by the controlling access list (Out2In). There is no
    need of anything special to block access between the two VPN groups:
    just don't allow the unwanted accesses and they won't be able to
    get there. All done by discrimination based upon the IP address
    dynamically assigned, which is selected according to which vpn group
    name they log in to.
    --
    If you lie to the compiler, it will get its revenge. -- Eric Sosman
    Walter Roberson, Oct 19, 2005
    #4
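To make the point about post-decapsulation filtering concrete, here is an added Python model that is not part of the thread and not PIX software. It parses the `name` and `access-list` lines of the Out2In list above (with the subnet mask present on every network entry), applies first-match semantics with the implicit deny a PIX appends to every access list, and evaluates constructed packets from each VPN pool. The client addresses 192.168.51.20 and 192.168.49.90, the hypothetical inside file server 10.10.0.20, and the VNC port 5900 are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The names and ACL from the post above (PIX 6.x syntax), embedded for offline use.
PIX_CONFIG = """
names
name 192.168.51.0 dmz_pool_net
name 192.168.49.0 inside_pool_net
name 192.168.50.2 dmz_vnc_server
name 10.10.0.10 inside_oracle_server
name 10.10.0.3 inside_dns_server
access-list Out2In permit ip dmz_pool_net 255.255.255.0 host dmz_vnc_server
access-list Out2In deny ip dmz_pool_net 255.255.255.0 any
access-list Out2In permit udp inside_pool_net 255.255.255.0 host inside_dns_server eq domain
access-list Out2In permit tcp inside_pool_net 255.255.255.0 host inside_oracle_server eq 1524
"""

# Service keywords the ACL uses; only "domain" appears on the page.
PORT_NAMES = {"domain": 53}


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port


def parse_addr(tokens, names):
    """Consume one address spec: 'any', 'host X', or 'NET MASK' (names resolved)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{net}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return {acl_name: [Ace, ...]} preserving the order lines were entered."""
    names, acls = {}, {}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "name":                       # name <ip> <label>
            names[words[2]] = words[1]
        elif words[0] == "access-list":
            acl_name, action, proto = words[1], words[2], words[3]
            src, rest = parse_addr(words[4:], names)
            dst, rest = parse_addr(rest, names)
            dport = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(acl_name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, src, dst, proto, dport=None):
    """First matching ACE decides; falling off the end is the PIX implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def check_isolation():
    """Decapsulated packets from each pool, as the outside ACL would see them."""
    acl = parse_config(PIX_CONFIG)["Out2In"]
    return {
        "dmz client -> VNC server":         evaluate(acl, "192.168.51.20", "192.168.50.2", "tcp", 5900),
        "dmz client -> inside oracle":      evaluate(acl, "192.168.51.20", "10.10.0.10", "tcp", 1524),
        "dmz client -> inside file server": evaluate(acl, "192.168.51.20", "10.10.0.20", "tcp", 445),
        "inside client -> inside dns":      evaluate(acl, "192.168.49.90", "10.10.0.3", "udp", 53),
        "inside client -> inside oracle":   evaluate(acl, "192.168.49.90", "10.10.0.10", "tcp", 1524),
        "inside client -> VNC server":      evaluate(acl, "192.168.49.90", "192.168.50.2", "tcp", 5900),
    }


if __name__ == "__main__":
    for flow, verdict in check_isolation().items():
        print(f"{verdict:6}  {flow}")
```

Running it shows the isolation falling out of nothing more than the pool address and the ACL order: the DMZ pool reaches only the VNC host, every other DMZ-pool destination hits the explicit deny, and the inside pool reaches only the DNS and Oracle services it was granted. Note that the inside pool is also denied the DMZ VNC host, since no ACE permits it; with permit-ipsec turned off, anything not listed is dropped for both groups.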