Network Security Firewalls

Question regarding PIX - VPN - NAT 0 -----Help!

Subject: Question regarding PIX - VPN - NAT 0 -----Help!
Date: Thu, 28 Apr 2005 12:56:50 -0300
Guys,

Please, could you help me with this? I am really confused about what's going on!

This is the scenario. I have:

Network A - PIX A ----------------------------------VPN-------------PIX B - Network B
Network A - PIX A ----------------------------------VPN-------------PIX C - Network C
Network A - PIX A ----------------------------------VPN-------------PIX D - Network D

All networks are connected to each other, creating a WAN? Or a big LAN?

On Network A I have:
Internal: 1.1.1.0 255.255.255.0
DMZ: 1.1.10.0 255.255.255.0

On Network B I have:
Internal: 2.2.2.0 255.255.255.0
DMZ: 2.2.20.0 255.255.255.0

On Network C I have:
Internal: 3.3.3.0 255.255.255.0

On Network D I have:
Internal: 4.4.4.0 255.255.255.0

From the configuration side, here are the specs:

On Network A:

access-list NETWORKB permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list NETWORKB permit ip 1.1.1.0 255.255.255.0 2.2.20.0 255.255.255.0
access-list NETWORKC permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list NETWORKD permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0

access-list nonat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 2.2.20.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0

access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 2.2.20.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0

access-list dmz_in permit icmp any any

access-group dmz_in in interface dmz

nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonatdmz

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map hello 10 ipsec-isakmp
crypto map hello 10 match address NETWORKB
crypto map hello 10 set peer xxx.xxx.xxx.xxx
crypto map hello 10 set transform-set myset
crypto map hello 20 ipsec-isakmp
crypto map hello 20 match address NETWORKC
crypto map hello 20 set peer xxx.xxx.xxx.xxx
crypto map hello 20 set transform-set myset
crypto map hello 30 ipsec-isakmp
crypto map hello 30 match address NETWORKD
crypto map hello 30 set peer xxx.xxx.xxx.xxx
crypto map hello 30 set transform-set myset

isakmp enable outside
isakmp key 123 address xxxx.xxx.xx.x netmask 255.255.255.255
isakmp key 123 address xxxx.xxx.xx.x netmask 255.255.255.255
isakmp key 123 address xxxx.xxx.xx.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

OK, the same configuration exists in the other PIXes (except for the ones that do not have a DMZ, only the internal part).

Now, with the NONAT (nat (dmz) or (inside) 0 nonat) and the isakmp enable outside, I should not have to worry, and the PING command should work on every side.

Now, when I ping the DMZ from NETWORK D, I get a response. But when I ping NETWORK D from DMZ A, no response at all.

BUT

If from DMZ A I ping NETWORK B, I get a response.

Any ideas why there is a difference?

In one network, I solved the problem with a static:

static (outside,dmz) 3.3.3.0 3.3.3.0 netmask 255.255.255.0

(I did the same with the other network that is still not working, but didn't succeed.)

But I understand this should be unnecessary due to the NAT 0...

Please, any help will be very welcome!

Thanks in advance,

Juan
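As an added illustration (not part of Juan's post and not Cisco code), the following Python script transcribes the access-list entries quoted above and reports, for a given source and destination host, which of them match. On a PIX the nat (interface) 0 access-list ACL decides which flows are exempt from translation and the crypto map's match address ACL decides which flows are offered to the tunnel; both are evaluated on source and destination. Run against the post's own values, a host in DMZ A (1.1.10.0/24) matches neither nonatdmz nor NETWORKD, because every posted entry uses 1.1.1.0/24 as its source; whether that reflects the running configuration or only the transcription in the mail is something the post does not say. The function and variable names are the example's own.

```python
"""
Minimal matcher for the PIX-style
  access-list NAME permit ip SRC MASK DST MASK
entries quoted in the post above.  Added example, not PIX code; it models
only the subset of the syntax the post uses (permit, ip, network masks).
"""
import ipaddress
import re

# The access-list entries transcribed from the post.  PIX ACLs take network
# masks (not wildcard masks), so each pair maps directly onto an ip_network.
POSTED_CONFIG = """
access-list NETWORKB permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list NETWORKB permit ip 1.1.1.0 255.255.255.0 2.2.20.0 255.255.255.0
access-list NETWORKC permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list NETWORKD permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 2.2.20.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list nonat permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 2.2.20.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list nonatdmz permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
"""

# Network blocks named in the post (DMZ A is 1.1.10.0/24, not 1.1.1.0/24).
DMZ_A = ipaddress.ip_network("1.1.10.0/24")
INSIDE_A = ipaddress.ip_network("1.1.1.0/24")

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$",
    re.IGNORECASE,
)


def parse_access_lists(text):
    """Return {acl_name: [(src_network, dst_network), ...]} from ACE lines."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # anything that is not a 'permit ip' ACE is ignored here
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def matching_acls(acls, src_ip, dst_ip):
    """Names of ACLs that have an entry permitting src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return sorted(
        name for name, entries in acls.items()
        if any(s in sn and d in dn for sn, dn in entries)
    )


def check_path(acls, src_ip, dst_ip, nat0_acl, crypto_acl):
    """
    Report whether a flow is both exempt from NAT (matches the nat 0 ACL of
    its ingress interface) and selected for the tunnel (matches the crypto
    map's match-address ACL).  Either False means the PIX will not handle the
    flow the way the post expects.
    """
    hits = matching_acls(acls, src_ip, dst_ip)
    return {"nat0_exempt": nat0_acl in hits, "crypto_selected": crypto_acl in hits}


if __name__ == "__main__":
    acls = parse_access_lists(POSTED_CONFIG)
    # Inside A -> Network D: covered by both nonat and NETWORKD.
    print("inside A -> D:", check_path(acls, "1.1.1.5", "4.4.4.5", "nonat", "NETWORKD"))
    # DMZ A -> Network D: no posted entry has 1.1.10.0/24 as its source.
    print("DMZ A -> D:   ", check_path(acls, "1.1.10.5", "4.4.4.5", "nonatdmz", "NETWORKD"))
    # DMZ A -> Network B: likewise uncovered by the entries as posted.
    print("DMZ A -> B:   ", check_path(acls, "1.1.10.5", "2.2.2.5", "nonatdmz", "NETWORKB"))
```

The same matcher can be pointed at any PIX configuration dump to confirm that every network that is supposed to ride a tunnel appears as a source in both the nat 0 ACL of the interface it lives behind and the crypto ACL for the peer that fronts the destination.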
