
| Subject: | RE: Cisco PIX 515e Multiple VPN Question |
|---|---|
| Date: | Fri, 7 Jan 2005 22:32:02 -0500 |
Cisco has a great doc on their website about doing this with Windows 2003 or 2000 server.

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

-----Original Message-----
From: loloinfo@free.fr [mailto:loloinfo@free.fr]
Sent: Monday, January 03, 2005 6:48 AM
To: David Taylor
Cc: Meidinger Chris; firewalls@securityfocus.com
Subject: RE: Cisco PIX 515e Multiple VPN Question

just do that:

    aaa-server RADIUS (inside) host 10.10.10.10 password124 timeout 10
    crypto map companymap client authentication RADIUS
    vpngroup testgroup authentication-server RADIUS

with a radius like IAS windows 2K for example....

David Taylor <David.Taylor@austrac.gov.au> wrote:
It's simple really, you just add more elements to the one crypto map. The only caveat is that a wildcard entry must be the highest number, because it matches anything; the match is made on the endpoint address. That's what the sequence numbers are for: to define the order of operations.

Regards
David Taylor

-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger@badenit.de]
Sent: Saturday, 18 December 2004 3:40 AM
To: firewalls@securityfocus.com
Subject: Cisco PIX 515e Multiple VPN Question

Hello List,

I have a question that is probably fairly simple. I have a PIX which should accept VPN connections from Cisco VPN Clients as well as tunnel to various other devices. This works partly, but I can't figure out how to add more than one crypto map to an interface (seems impossible from documentation/FAQs) or how to add authentication to just one part of a crypto map.

Config is (sanitized):

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set companytransform esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map companymap 21 ipsec-isakmp
    crypto map companymap 21 match address outside_cryptomap_1
    crypto map companymap 21 set peer 10.1.1.1
    crypto map companymap 21 set transform-set badenovatransform
    crypto map companymap 22 ipsec-isakmp dynamic outside_dyn_map
    crypto map companymap interface outside
    vpngroup testgroup address-pool client-pool
    vpngroup testgroup idle-time 1800
    vpngroup testgroup password ********

With this config everything works, but VPN Clients authenticate only on Group/PSK and do not require a user password. I would like to require a user password. So, I need to add something like the following command:

    crypto map companymap client authentication LOCAL

in order to get the VPN-Clients to require a password. That would, however, kill the PSK-based tunnel. Originally I wanted to use 2 crypto-maps, but that doesn't seem to work on one interface.

Does anyone have a tip? I'm probably missing something obvious, but maybe if someone could point it out ...

Thanks,
Chris
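As an added example (not posted by anyone in the thread), here is how the pieces from the replies fit into a single PIX 6.x crypto map: the static PSK tunnel at the lower sequence number, the dynamic client entry at the highest, RADIUS client authentication on the map, and the per-peer `no-xauth` / `no-config-mode` keywords on the LAN-to-LAN pre-shared key so that enabling client authentication does not break that tunnel. Addresses and names are the thread's sanitized ones; the keys and the client pool are placeholders, and comment lines use the `:` marker of PIX 6.x config files.

```cisco
: Added example, not from the thread. One crypto map "companymap" on the
: outside interface carries both a PSK LAN-to-LAN tunnel (peer 10.1.1.1)
: and Cisco VPN Client sessions that must pass RADIUS user authentication.

: Transform sets (as in Chris's config)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set companytransform esp-aes-256 esp-sha-hmac

: RADIUS server for XAUTH (10.10.10.10 is the sanitized address from
: loloinfo's reply; the shared key is a placeholder)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.10.10 RADIUS-KEY-PLACEHOLDER timeout 10

: Static LAN-to-LAN entry: lower sequence number, so the peer address
: is matched before the wildcard entry is consulted.
crypto map companymap 21 ipsec-isakmp
crypto map companymap 21 match address outside_cryptomap_1
crypto map companymap 21 set peer 10.1.1.1
crypto map companymap 21 set transform-set companytransform

: Dynamic (wildcard) entry for the VPN Clients: must carry the HIGHEST
: sequence number, as David Taylor notes, or it would swallow the peer.
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map companymap 22 ipsec-isakmp dynamic outside_dyn_map

: XAUTH is a property of the whole crypto map ...
crypto map companymap client authentication RADIUS
crypto map companymap interface outside

: ... so exempt the LAN-to-LAN peer from XAUTH and mode-config on its
: pre-shared key. Without no-xauth the PIX would demand a user login
: from the peer device, which is the broken PSK tunnel Chris describes.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp key PSK-PLACEHOLDER address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

: Remote-access group (pool and group password are placeholders)
ip local pool client-pool 192.0.2.10-192.0.2.50
vpngroup testgroup address-pool client-pool
vpngroup testgroup idle-time 1800
vpngroup testgroup password GROUP-PSK-PLACEHOLDER
vpngroup testgroup authentication-server RADIUS
```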