Configure PIX/ASA as both Internet Firewall and VPN Concentrator Cisco Forum FAQ

			Search:
	login · register

FAQs

how-to block ads

	Search for: in all FAQs
All FAQs » Cisco Forum FAQ » 40.2 Security Sample Configurations » 8420


Configure PIX/ASA as both Internet Firewall and VPN Concentrator (#8420)
Suggested prerequisite reading: »Cisco Forum FAQ »Site-to-Site IPSec VPN: Cisco to Cisco and Cisco to Non-Cisco Sample Configuration of IPSec VPN Concentrator When you plan to have a PIX or ASA firewall to act as both firewall and VPN concentrator, following is the sample configuration. Assumptions: * The 1st LAN subnet is 192.168.0.0/24 with 192.168.0.1 (the PIX inside interface) as the default gateway * There is also 10.0.0.0/8 as 2nd LAN subnet, where from PIX or ASA firewall is reachable via 192.168.0.2 * There will be remote users VPN into the PIX using Cisco VPN Client software, creating ESP-based IPSec VPN tunnel * No default gateway to access the LAN subnet will be received by VPN users once the IPSec VPN tunnel is established; which will set the VPN users' PC to proxy arp to reach the LAN subnet 1. Single VPN User Group without external AAA Server * The remote users will VPN in using specific Group Authentication credential, which in this sample configuration is Admin as the Group Name and is ****** as the Group Password as indicated on the vpngroup Admin password ****** command * The VPN users log in as Admin receive IP address within the admin range from 192.168.1.1 to 192.168.1.254. * No external AAA (Authentication, Authorization, and Accounting) server as the TACACS+/RADIUS server * Telnet attempt to the PIX/ASA itself is not authenticated PIX Firewall configuration PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ** encrypted passwd encrypted hostname pixfirewall domain-name yournetwork.com fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names object-group network VPN-Admin network-object 192.168.1.0 255.255.255.0 access-list 10 remark Split Tunnel for VPN Admin access-list 10 permit ip any object-group VPN-Admin access-list nonat remark No NAT within VPN tunnel access-list nonat permit ip any object-group VPN-Admin pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 2.2.2.2 255.255.255.0 ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool admin 192.168.1.1-192.168.1.254 pdm history enable arp timeout 14400 global (outside) 1 2.2.2.3 nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 2.2.2.1 1 route inside 10.0.0.0 255.0.0.0 192.168.0.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap client configuration address initiate crypto map mymap client configuration address respond crypto map mymap interface outside isakmp enable outside isakmp identity address isakmp nat-traversal 30 isakmp policy 10 authentication pre-share isakmp policy 10 encryption aes-256 isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 vpngroup Admin address-pool admin vpngroup Admin dns-server 192.168.0.2 vpngroup Admin wins-server 192.168.0.3 vpngroup Admin default-domain yournetwork.com vpngroup Admin split-tunnel 10 vpngroup Admin idle-time 1800 vpngroup Admin password **** telnet 192.168.0.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 2. Multiple VPN User Groups with external AAA Server** * The remote users will VPN in using specific Group Authentication credential, which in this sample configuration is either Admin or Sales * The VPN users log in as Admin receive IP address within the admin range from 192.168.1.1 to 192.168.1.254. Similarly, the VPN users log in as Sales receive IP address within the sales range from 192.168.2.1 to 192.168.2.254. * There is a TACACS+/RADIUS server at 192.168.0.204 to serve the AAA (Authentication, Authorization, and Accounting) functionality for all remote users * The TACACS+ service is used to provide PIX/ASA configuration management access, such as telnet and ssh to the PIX/ASA itself * The RADIUS service is used to provide production access (the LAN) to remote VPN users * The aaa authentication match command will authenticate remote user login attempts according to the RADIUS credential that are being used to log in * The aaa authorization match command will authorize remote user access to only specific subnets according to the authenticated RADIUS credential that are acknowledged * The aaa accounting match command will record all activities done by all remote users according to their RADIUS credential PIX Firewall configuration PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password ** encrypted passwd encrypted hostname pixfirewall domain-name yournetwork.com fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names object-group network VPN-Admin network-object 192.168.1.0 255.255.255.0 object-group network VPN-Sales network-object 192.168.2.0 255.255.255.0 object-group network Sales-Network network-object 10.0.0.0 255.255.254.0 access-list 10 remark Split Tunnel for VPN Admin access-list 10 permit ip any object-group VPN-Admin access-list 20 remark Split Tunnel for VPN Sales access-list 20 permit ip any object-group VPN-Sales access-list nonat remark No NAT within VPN tunnel access-list nonat permit ip any object-group VPN-Admin access-list nonat permit ip any object-group VPN Sales access-list admin remark Permitable Subnet for Admin to access access-list admin permit ip object-group VPN-Admin any access-list sales remark Permitable Subnet for Sales to access access-list sales permit ip object-group VPN-Sales object-group Sales-Network pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside 2.2.2.2 255.255.255.0 ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool admin 192.168.1.1-192.168.1.254 ip local pool sales 192.168.2.1-192.168.2.254 pdm history enable arp timeout 14400 global (outside) 1 2.2.2.3 nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 2.2.2.1 1 route inside 10.0.0.0 255.0.0.0 192.168.0.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server TACACS+ (inside) host 192.168.0.204 cisco timeout 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server RADIUS (inside) host 192.168.0.204 cisco timeout 10 aaa-server LOCAL protocol local aaa authentication telnet console TACACS+ aaa authentication ssh console TACACS+ aaa authentication enable console TACACS+ aaa authentication match admin inbound RADIUS aaa authentication match sales inbound RADIUS aaa authorization command TACACS+ aaa authorization match admin inbound RADIUS aaa authorization match sales inbound RADIUS aaa accounting match admin inbound RADIUS aaa accounting match sales inbound RADIUS no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap client configuration address initiate crypto map mymap client configuration address respond crypto map mymap interface outside isakmp enable outside isakmp identity address isakmp nat-traversal 30 isakmp policy 10 authentication pre-share isakmp policy 10 encryption aes-256 isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 vpngroup Admin address-pool admin vpngroup Admin dns-server 192.168.0.2 vpngroup Admin wins-server 192.168.0.3 vpngroup Admin default-domain yournetwork.com vpngroup Admin split-tunnel 10 vpngroup Admin idle-time 1800 vpngroup Admin password **** vpngroup Sales address-pool sales vpngroup Sales dns-server 192.168.0.2 vpngroup Sales wins-server 192.168.0.3 vpngroup Sales default-domain yournetwork.com vpngroup Sales split-tunnel 20 vpngroup Sales idle-time 1800 vpngroup Sales password ****** telnet 192.168.0.0 255.255.255.0 inside telnet timeout 5 ssh 192.168.0.0 255.255.255.0 inside ssh timeout 5 console timeout 0 terminal width 80 Notes: * Since the PIX or ASA firewall acts as both firewall and VPN concentrator, the isakmp nat-traversal is necessary to simultaneously serve VPN users accessing the LAN subnet and to keep LAN subnet machines able to access the Internet * When the PIX or ASA firewall is dedicated to only serve as VPN Concentrator, then the isakmp nat-traversal, the global 1-nat 1 pair commands might not be necessary * Remote users can opt to either enable transparent tunneling or not when using the Cisco VPN Client software. When transparent tunneling is enabled, the ESP protocol is encapsulated within UDP (UDP port 4500) by default, which then makes the VPN traffic able to pass through any NAT/PAT device in between. This encapsulation feature is useful when either there is any NAT/PAT device in between or ESP protocol is not permitted to pass through. * As you may notice, the 2nd sample configuration is more secure and accountable since there is an AAA (TACACS+/RADIUS) server into play * When your network currently does not have AAA server, you can setup one for free. Check out this FAQ for details. »Cisco Forum FAQ »Are there Free authentication packages for TACACS or RADIUS to secure my router? * If specific remote users must authenticate with specific AAA server, then you can simply modify the AAA command to do so. Following is illustration aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server TACACS+ (inside) host 192.168.0.203 cisco timeout 10 aaa-server RADIUS-ADMIN protocol radius aaa-server RADIUS-ADMIN max-failed-attempts 3 aaa-server RADIUS-ADMIN deadtime 10 aaa-server RADIUS-ADMIN (inside) host 192.168.0.204 cisco timeout 10 aaa-server RADIUS-SALES protocol radius aaa-server RADIUS-SALES max-failed-attempts 3 aaa-server RADIUS-SALES deadtime 10 aaa-server RADIUS-SALES (inside) host 192.168.0.205 cisco timeout 10 aaa-server LOCAL protocol local aaa authentication telnet console TACACS+ aaa authentication ssh console TACACS+ aaa authentication enable console TACACS+ aaa authentication match admin inbound RADIUS-ADMIN aaa authentication match sales inbound RADIUS-SALES aaa authorization command TACACS+ aaa authorization match admin inbound RADIUS-ADMIN aaa authorization match sales inbound RADIUS-SALES aaa accounting match admin inbound RADIUS-ADMIN aaa accounting match sales inbound RADIUS-SALES Sample Configuration of PPTP Windows VPN Concentrator and Others »Cisco Forum FAQ »Remote User VPN Connection To Office Network show feedback form


Friday, 04-Jul 16:23:59	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact 8th year online! © 1999-2008 dslreports.com.

All FAQs » Cisco Forum FAQ » 40.2 Security Sample Configurations » 8420

Configure PIX/ASA as both Internet Firewall and VPN Concentrator (#8420)