RE: Cisco PIX 515e Multiple VPN Question

Subject: RE: Cisco PIX 515e Multiple VPN Question
Date: Wed, 22 Dec 2004 09:46:14 -0500
If I may add to this discussion...
 
As noted below, if one is terminating multiple Site to Site and Remote Client 
VPNs on one interface, they are all specified in a single static crypto map 
which is then applied to your appropriate interface. Within the single static 
crypto map, the individual Site to Sites and the dynamic crypto map for the 
Remote Clients are separated by index numbers from 1 to 65535. 
 
Although associating the dynamic crypto map to the static map with a lower 
index number than the site to sites (20 in the previous email's example) will 
work, for two basic reasons, I would suggest that the dynamic crypto map be 
associated to the static crypto map with one of the higher index numbers such 
as 65530, with the Site to Sites applied in the lower numbers. For example,
 
crypto map OutsideCryptoMap 10 ipsec-isakmp
     (site to site #1 config truncated)
crypto map OutsideCryptoMap 20 ipsec-isakmp
     (site to site #2 config truncated)
crypto map OutsideCryptoMap 30 ipsec-isakmp
     (site to site #3 config truncated)
crypto map OutsideCryptoMap 65530 ipsec-isakmp dynamic RemoteVpnClientDynMap


crypto map OutsideCryptoMap interface outside
 
The first reason for the above is that PIX Device Manager prefers to see the 
dynamic crypto mapping applied at the end of the static crypto map.  The second 
reason is that the site to site VPNs typically will see more activity and 
ordering them first promotes efficient processing. You may note that the 
example is leaving plenty of options to in-line order additional site to sites 
through the gaps in the index numbers.
 
For your consideration,
 
Paul
 
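As an added example (not part of Paul's message or anything posted to the list), a small Python check that parses the crypto map entries of a PIX config and flags a dynamic entry that sorts before the static site-to-site entries, a sequence number outside 1-65535, or adjacent static sequence numbers that leave no gap for a later site. The config text, ACL names and peer addresses are constructed.

```python
import re

# Constructed sample (not verbatim from the thread): the layout Paul
# recommends, site-to-site entries at low sequence numbers, the dynamic
# entry for remote clients at a high one, gaps left between the statics.
GOOD_CONFIG = """\
crypto map OutsideCryptoMap 10 ipsec-isakmp
crypto map OutsideCryptoMap 10 match address site1_acl
crypto map OutsideCryptoMap 10 set peer 192.0.2.10
crypto map OutsideCryptoMap 20 ipsec-isakmp
crypto map OutsideCryptoMap 20 match address site2_acl
crypto map OutsideCryptoMap 20 set peer 192.0.2.20
crypto map OutsideCryptoMap 65530 ipsec-isakmp dynamic RemoteVpnClientDynMap
crypto map OutsideCryptoMap interface outside
"""

# Only the "<seq> ipsec-isakmp [dynamic <name>]" line opens an entry; the
# match/peer/transform-set lines that follow share its sequence number.
ENTRY_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) ipsec-isakmp"
    r"(?: dynamic (?P<dyn>\S+))?$"
)

def parse_crypto_map(config):
    """Map name -> list of (seq, dynamic_map_name or None), sorted by seq."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            maps.setdefault(m["name"], []).append((int(m["seq"]), m["dyn"]))
    return {name: sorted(entries) for name, entries in maps.items()}

def check_ordering(config):
    """Return findings (an empty list means the map follows Paul's layout)."""
    findings = []
    for name, entries in parse_crypto_map(config).items():
        static = [s for s, d in entries if d is None]
        dynamic = [s for s, d in entries if d is not None]
        bad = [s for s, _ in entries if not 1 <= s <= 65535]
        if bad:
            findings.append(f"{name}: sequence {bad} outside 1-65535")
        # Entries are evaluated in ascending sequence order, so a dynamic
        # entry numbered below a static one is consulted before it.
        if static and dynamic and min(dynamic) < max(static):
            findings.append(
                f"{name}: dynamic entry {min(dynamic)} sorts before "
                f"static entry {max(static)}; give it a higher number"
            )
        # Consecutive sequence numbers leave no room to insert a site later.
        for a, b in zip(static, static[1:]):
            if b - a == 1:
                findings.append(f"{name}: no gap between {a} and {b}")
    return findings
```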

________________________________

From: sisone@tiscali.it [mailto:sisone@tiscali.it]
Sent: Tue 21/12/2004 03:26
To: Meidinger Chris; firewalls@securityfocus.com
Subject: RE: Cisco PIX 515e Multiple VPN Question



Excuse me for my English.
The problem that you have is simple.
You must set up the VPN client crypto map ID before the site to site tunnel.
The configuration should be like this

crypto map companymap 20 ipsec-isakmp dynamic outside_dyn_map

crypto map companymap 21 ipsec-isakmp
crypto map companymap 21 match address outside_cryptomap_1
crypto map companymap 21 set peer 10.1.1.1
crypto map companymap 21 set transform-set badenovatransform




-- Original Message --
From: Meidinger Chris <chris.meidinger@badenit.de>
To: firewalls@securityfocus.com
Subject: Cisco PIX 515e Multiple VPN Question
Date: Fri, 17 Dec 2004 17:40:08 +0100


Hello List,

I have a question that is probably fairly simple. I have a PIX which should
accept VPN connections from Cisco VPN Clients as well as tunnel to various
other devices. This works partly, but I can't figure out how to add more
than one crypto map to an interface (seems impossible from
documentation/faq's) or how to add authentication to just one part of a
crypto map.

Config is (sanitized):

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set companytransform esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map companymap 21 ipsec-isakmp
crypto map companymap 21 match address outside_cryptomap_1
crypto map companymap 21 set peer 10.1.1.1
crypto map companymap 21 set transform-set badenovatransform
crypto map companymap 22 ipsec-isakmp dynamic outside_dyn_map
crypto map companymap interface outside

vpngroup testgroup address-pool client-pool
vpngroup testgroup idle-time 1800
vpngroup testgroup password ********

With this config everything works, but VPN Clients authenticate only on
Group/PSK and do not require a user password. I would like to require a
user password.

So, I need to add something like the following command:

crypto map companymap client authentication LOCAL

in order to get the VPN-Clients to require a password. That would, however,
kill the PSK-Based tunnel.

Originally I wanted to use 2 crypto-maps, but that doesn't seem to work
on one interface.

Does anyone have a tip? I'm probably missing something obvious, but maybe
if someone could point it out ...

Thanks,

Chris

