
| Subject: | RE: Cisco PIX 515e Multiple VPN Question |
|---|---|
| Date: | Tue, 21 Dec 2004 09:26:04 +0100 |
Excuse me for my English. The problem that you have is simple. You must set up the VPN client crypto map ID before the site-to-site tunnel. The configuration should be like this:

    crypto map companymap 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map companymap 21 ipsec-isakmp
    crypto map companymap 21 match address outside_cryptomap_1
    crypto map companymap 21 set peer 10.1.1.1
    crypto map companymap 21 set transform-set badenovatransform

-- Original Message --
From: Meidinger Chris <chris.meidinger@badenit.de>
To: firewalls@securityfocus.com
Subject: Cisco PIX 515e Multiple VPN Question
Date: Fri, 17 Dec 2004 17:40:08 +0100

Hello List,

I have a question that is probably fairly simple. I have a PIX which should accept VPN connections from Cisco VPN Clients as well as tunnel to various other devices. This works partly, but I can't figure out how to add more than one crypto map to an interface (seems impossible from documentation/FAQs) or how to add authentication to just one part of a crypto map.

Config is (sanitized):

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set companytransform esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map companymap 21 ipsec-isakmp
    crypto map companymap 21 match address outside_cryptomap_1
    crypto map companymap 21 set peer 10.1.1.1
    crypto map companymap 21 set transform-set badenovatransform
    crypto map companymap 22 ipsec-isakmp dynamic outside_dyn_map
    crypto map companymap interface outside
    vpngroup testgroup address-pool client-pool
    vpngroup testgroup idle-time 1800
    vpngroup testgroup password ********

With this config everything works, but VPN Clients authenticate only on Group/PSK and do not require a user password. I would like to require a user password. So, I need to add something like the following command:

    crypto map companymap client authentication LOCAL

in order to get the VPN-Clients to require a password. That would, however, kill the PSK-Based tunnel. Originally I wanted to use 2 crypto-maps, but that doesn't seem to work on one interface.

Does anyone have a tip? I'm probably missing something obvious, but maybe if someone could point it out ...

Thanks,
Chris
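An added example, not part of either message: a small Python check that parses the `crypto` lines quoted in this thread, lists a crypto map's entries in ascending sequence-number order (the order in which the PIX evaluates them), and reports transform-set names that are referenced but never defined. The sample config is constructed by combining the transform-set definitions from the original post with the crypto map lines from the reply; the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample: transform-set definitions from the original post plus
# the crypto map ordering proposed in the reply.
SAMPLE = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set companytransform esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map companymap 20 ipsec-isakmp dynamic outside_dyn_map
crypto map companymap 21 ipsec-isakmp
crypto map companymap 21 match address outside_cryptomap_1
crypto map companymap 21 set peer 10.1.1.1
crypto map companymap 21 set transform-set badenovatransform
crypto map companymap interface outside
"""

def parse(config):
    """Return (entries, defined, referenced) for a PIX-style config string."""
    entries = defaultdict(dict)          # entries[map_name][seq] -> kind
    defined, referenced = set(), set()   # transform-set names
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 3:
            defined.add(tok[3])
        elif (tok[:2] in (["crypto", "map"], ["crypto", "dynamic-map"])
              and len(tok) > 4 and tok[3].isdigit()):
            name, seq, rest = tok[2], int(tok[3]), tok[4:]
            if rest[:2] == ["set", "transform-set"]:
                referenced.update(rest[2:])
            if tok[1] == "map":
                entries[name].setdefault(seq, "static")
                if rest[:2] == ["ipsec-isakmp", "dynamic"]:
                    entries[name][seq] = "dynamic"
    return entries, defined, referenced

def evaluation_order(config, map_name):
    """Entries of one crypto map, lowest sequence number (highest priority) first."""
    entries, _, _ = parse(config)
    return sorted(entries[map_name].items())

def undefined_transform_sets(config):
    """Transform sets used by a map or dynamic-map entry but never defined."""
    _, defined, referenced = parse(config)
    return sorted(referenced - defined)

if __name__ == "__main__":
    print(evaluation_order(SAMPLE, "companymap"))
    print(undefined_transform_sets(SAMPLE))
```

Run against the sanitized config as posted, the second check reports `badenovatransform`, which entry 21 references while only `ESP-3DES-MD5` and `companytransform` are defined.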