static (dmz,outside) XXX.XXX.254.XX 192.168.102.XXX netmask 255.255.255.255 0 0
access-list outside_access_in permit ip any host XXX.XXX.254.XXX
Question #2
INSIDE, TOLO, and RCS will inherently be able to contact the DMZ because they are on a higher security interface (higher security interfaces can contact lower security interfaces without the use of access-lists)...so no, you do not need an access-list.
NAT and Global statements should read:
global (outside) 1 interface
nat (inside) 1 0 0 0 0
nat (RCS) 1 0 0 0 0
nat (TOLO) 1 0 0 0 0
nat (DMZ) 1 0 0 0 0
How do you want to restrict internet access?
If you only want certain hosts to have internet access, just use an access-list:
access-list tolo_internet_access deny ip host 192.168.63.XXX any
access-list tolo_internet_access permit ip 192.168.63.0 255.255.255.0 any
access-list rcs_internet_access deny ip host 192.168.103.XXX any
access-list rcs_internet_access permit ip 192.168.103.0 255.255.255.0 any
access-list inside_internet_access deny ip host 192.168.101.XXX any
access-list inside_internet_access permit ip 192.168.101.0 255.255.255.0 any
NAT and Global statements would then read:
global (outside) 1 interface
nat (inside) 1 access-list inside_internet_access
nat (RCS) 1 access-list rcs_internet_access
nat (TOLO) 1 access-list tolo_internet_access
Question #3
It is possible to use Windows IAS for VPN authentication. You will need to set up your IAS server as follows:
The PIX just needs a plain Cisco VPN client config:
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
ip local pool VPN_DHCP_POOL 172.16.0.1-172.16.255.254
nat (inside) 0 access-list nonat
crypto ipsec transform-set vpnset1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset2 esp-des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set vpnset1 vpnset2
crypto map VPNMAP 20 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP client configuration address initiate
crypto map VPNMAP client configuration address respond
crypto map VPNMAP client authentication <AAA/RADIUS-SERVER>
crypto map VPNMAP interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 15 60
isakmp client configuration address-pool local VPN_DHCP_POOL outside
isakmp nat-traversal 15
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup VPNCLIENTS address-pool VPN_DHCP_POOL
vpngroup VPNCLIENTS dns-server <DNS SERVER ADDRESS>
vpngroup VPNCLIENTS wins-server <WINS SERVER ADDRESS>
vpngroup VPNCLIENTS split-tunnel nonat
vpngroup VPNCLIENTS idle-time 1800
vpngroup VPNCLIENTS password <password>
The VPN clients will have access to the Terminal Server when they are using the VPN without any additional configuration.
Let me know if you have any questions!
Thanks,
Aaron
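As an added illustration (my own Python, not part of Aaron's reply or of any Cisco tool), the following models the two rules the answer to Question #2 relies on: the security-level comparison that decides which interface pairs need an access-list at all, and the top-down, first-match ACL evaluation that the `nat (IF) 1 access-list NAME` statements use to decide which hosts get translated out to the internet. The interface names, levels, ACL names and subnets are the ones from the thread; the `.10` hosts stand in for the masked `XXX` addresses and the `198.51.100.1` destination is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Interface security levels exactly as set by the nameif lines in the thread.
SECURITY_LEVELS = {"outside": 0, "inside": 100, "TOLO": 80, "RCS": 60, "DMZ": 40}


def needs_acl(src_if: str, dst_if: str) -> bool:
    """True when a flow initiated from src_if toward dst_if needs an explicit ACL.

    PIX default behaviour: a higher security level may initiate to a lower one
    without an access-list; lower-to-higher (and equal-to-equal on PIX 6.x) is
    blocked until an access-list applied to the source interface permits it.
    """
    return SECURITY_LEVELS[src_if] <= SECURITY_LEVELS[dst_if]


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # the thread only uses "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts the dotted-mask form the PIX uses ("192.168.63.0/255.255.255.0").
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def build_acls(config_lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST' lines into named ACE lists.

    Order is preserved because the PIX evaluates an ACL top-down, first match wins.
    """
    acls = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation with the PIX's implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Policy NAT bindings from the thread: 'nat (IF) 1 access-list NAME'. With
# nat-control in effect, a flow the ACL does not permit is never translated to
# the outside interface address and is dropped rather than leaking untranslated.
NAT_ACLS = {
    "inside": "inside_internet_access",
    "RCS": "rcs_internet_access",
    "TOLO": "tolo_internet_access",
}

# Constructed sample: the thread's ACLs with the masked 'XXX' hosts filled in
# as .10 (placeholders, not addresses from the original post).
SAMPLE_CONFIG = [
    "access-list tolo_internet_access deny ip host 192.168.63.10 any",
    "access-list tolo_internet_access permit ip 192.168.63.0 255.255.255.0 any",
    "access-list rcs_internet_access deny ip host 192.168.103.10 any",
    "access-list rcs_internet_access permit ip 192.168.103.0 255.255.255.0 any",
    "access-list inside_internet_access deny ip host 192.168.101.10 any",
    "access-list inside_internet_access permit ip 192.168.101.0 255.255.255.0 any",
]


def gets_internet(acls, interface: str, src_ip: str, dst_ip: str = "198.51.100.1") -> bool:
    """Would a host behind `interface` be translated by global 1 and so reach the internet?"""
    return evaluate(acls[NAT_ACLS[interface]], src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    acls = build_acls(SAMPLE_CONFIG)
    for src_if, dst_if in [("inside", "DMZ"), ("DMZ", "inside"), ("RCS", "TOLO")]:
        print(f"{src_if:>6} -> {dst_if:<6} needs ACL: {needs_acl(src_if, dst_if)}")
    for host in ["192.168.63.10", "192.168.63.20", "192.168.101.20"]:
        print(f"TOLO host {host} gets internet: {gets_internet(acls, 'TOLO', host)}")
```

The third case in the last loop is the one worth checking on a real box: a source address that is not in the interface's own subnet matches nothing in the policy-NAT ACL and falls to the implicit deny, so it is dropped rather than translated; that is the behaviour the per-interface ACLs are meant to give.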
----- Original Message -----
Sent: Sunday, May 07, 2006 7:40 AM
Subject: [PIX_Firewall] Re: configuration of PIX515E
> Hi Aaron,
>
> This was really helpful. Can you please tell me what
> ROUTE should be added for the network, to get access to the
> File server residing in DMZ network, from all other
> networks?
> I also want to configure VPN for remote access.
> Please advise what is the best.
>
> Thanks a lot
> ZIA
>
> --- In PIX_Firewall@yahoogroups.com, "Aaron Rohyans"
> <aaronr...> wrote:
>>
>> You really shouldn't publish public IP addresses like that to a group (for
>> your own protection). This should get you up and running though:
>>
>> PIX(config)#interface ethernet0 100full
>> PIX(config)#interface ethernet1 100full
>> PIX(config)#interface ethernet2 100full
>> PIX(config)#interface ethernet3 100full
>> PIX(config)#interface ethernet4 100full
>> PIX(config)#nameif ethernet0 outside security0
>> PIX(config)#nameif ethernet1 inside security100
>> PIX(config)#nameif ethernet2 TOLO security80
>> PIX(config)#nameif ethernet3 RCS security60
>> PIX(config)#nameif ethernet4 DMZ security40
>> PIX(config)#ip address outside xx.xx.254.17 255.255.255.252
>> PIX(config)#ip address inside 192.168.101.1 255.255.255.0
>> PIX(config)#ip address TOLO 192.168.63.2 255.255.255.0
>> PIX(config)#ip address RCS 192.168.103.2 255.255.255.0
>> PIX(config)#ip address DMZ 192.168.102.2
>> PIX(config)#nat (inside) 1 0 0 0 0
>> PIX(config)#global (outside) 1 interface
>> PIX(config)#domain-name mydomain.com
>> PIX(config)#static (inside,outside) xx.xx.254.18 192.168.101.11 netmask 255.255.255.255 0 0
>> PIX(config)#access-list outside_access_in permit tcp any host 61.16.254.18 eq 25
>> PIX(config)#no fixup protocol smtp 25
>>
>> You shouldn't need ACLs for TOLO or RCS to contact the File Server since it
>> resides on an interface with a lower security level (DMZ). TOLO and RCS
>> will not be able to contact your internal LAN, or each other however since
>> they reside on lower security interfaces than that of your LAN interface.
>> Your 2003 Server can be accessed through a VPN if the PIX terminates the
>> VPN. You didn't provide any info on VPN settings, so I am assuming you know
>> how to set that up. If the VPN is terminated elsewhere, you will need to
>> build static NATs and ACLs through the PIX to allow VPN traffic to get to
>> the 2003 Server. Other than that, you should be all set.
>>
>> Hope this helps!
>> Aaron
>>
>>
>> ----- Original Message -----
>> From: "Zia Khan" <zia_khan2k...>
>> To: <PIX_Firewall@yahoogroups.com>
>> Sent: Sunday, March 12, 2006 11:06 AM
>> Subject: [PIX_Firewall] configuration of PIX515E
>>
>>
>> > Hi friends,
>> >
>> > I am new in this group and also new in PIX.
>> >
>> > I want to configure PIX515E with 5 Interfaces.
>> >
>> > Scenario is attached.
>> >
>> > Can anybody help me on this?
>> >
>> > I have basic understanding of PIX.
>> >
>> > Thanks a lot
>> >
>> > __________________________________________________
>> > Do You Yahoo!?
>> > Tired of spam? Yahoo! Mail has the best spam protection around
>> > http://mail.yahoo.com
>> >
>> > Yahoo! Groups Links
>> >
>> > ______________________________________________________________________
>> > This email has been scanned by the MessageLabs Email Security System.
>> > For more information please visit http://www.messagelabs.com/email
>> > ______________________________________________________________________
>
> Yahoo! Groups Links
>
> <*> To visit your group on the web, go to:
> http://groups.yahoo.com/group/PIX_Firewall/
>
> <*> To unsubscribe from this group, send an email to:
> PIX_Firewall-unsubscribe@yahoogroups.com
>
> <*> Your use of Yahoo! Groups is subject to:
> http://docs.yahoo.com/info/terms/