
| Subject: | RE: Cisco PIX VPN question... |
|---|---|
| Date: | Thu, 24 May 2007 10:41:47 -0400 |
Sorry, I do not have a PDM v7 to try and talk you through the easy VPN
setup. However, it is fairly straightforward to set up a Pix to Pix
VPN tunnel in the PDM using the VPN Wizard (EASY VPN is a little less
straightforward than the wizard).
Under Wizards >> VPN >> Peer to Peer. It's very straightforward and
should be the same in 6.3 or 7.0. Below is the longhand VPN setup
with the PDM just so you can see what's going on a little bit.
IPSEC--
IPSEC rules tab to define the protected network segments.
Tunnel Policy Tab to define peers and pick a transform set.
*Transform sets tab -- if you want to create a custom set of
encryption algorithms... otherwise use one that's already there*
IKE--
Policies Tab to set up how the peers negotiate. I generally pick
pre-shared key.
Pre-shared key -- to set up which key belongs to which peer.
Finally, here is the command line version, which can appear to be in
Chinese but it's really English.
http://www.cisco.com/warp/public/110/38.html
As long as everything matches, your tunnel should come up. Make sure
that there are networks listed under "Translation Exemption rules"
matching the networks you put in the IPSEC rules list.
You need to use split tunneling in the VPN client policy so that the
tunnel knows not to pass traffic not destined for a protected network.
You can manage that under the VPN client tab "Manage Split tunnelling"
where you define IP nets that the VPN client should tunnel... the rest
will go out their local connection.
Good luck and Keep us posted,
Michael
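Michael's PDM outline above, written out as a PIX 6.3 CLI fragment for the 6.3 side of the tunnel. This is an added, constructed example, not configuration from the thread or from Cisco's document; the interface and ACL names, addresses, the peer 203.0.113.2, the vpngroup named "remote" and both keys are placeholders, and it assumes an existing remote-access vpngroup on the same single outside interface.

```cisco
! Constructed example (PIX 6.3 syntax), not from the thread.
! Local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, peer PIX 203.0.113.2,
! VPN client pool 10.10.10.0/24. All values are placeholders.

! "IPSEC rules": traffic that must go through the PIX-to-PIX tunnel
access-list l2l_siteB permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! "Translation exemption rules": must cover the same networks as the crypto ACL
! (and the client pool), or the packets are NATed and never match the tunnel
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel ACL for VPN clients: only the inside LAN is sent down the tunnel,
! everything else leaves via the client's local connection
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! "Transform set" shared by both tunnel types
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Dynamic map for remote-access clients (peer address unknown in advance)
crypto dynamic-map dynmap 20 set transform-set strong

! "Tunnel policy": static entry with a low sequence for the PIX peer,
! dynamic entry last so client negotiations fall through to it
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_siteB
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

! IKE: "Policies" and "Pre-shared key". no-xauth / no-config-mode stop the
! site-to-site peer from being treated like a VPN client on a box that also
! serves clients
isakmp enable outside
isakmp identity address
isakmp key CHANGE_ME_PSK address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Existing remote-access group, with "Manage Split tunnelling" applied
ip local pool vpnpool 10.10.10.1-10.10.10.50
vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel split_tunnel
vpngroup remote password CHANGE_ME_GROUP_KEY
```

The 7.0 side expresses the same peer with `tunnel-group` rather than `vpngroup`; the crypto ACL, transform set and IKE policy values on the two ends must mirror each other for the tunnel to come up.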
-----Original Message-----
From: Dan Denton [mailto:info@plot.uz]
Sent: Wednesday, May 23, 2007 2:36 PM
To: Michael Diana
Cc: firewalls@securityfocus.com
Subject: RE: Cisco PIX VPN question...
I've read through Cisco's docs on creating remote access VPNs and L2L VPNs
and they do seem really straightforward, but I've run into a few sticking
points. I'm using ASDM/PDM on the two firewalls to set this up, and since
the two versions (firewall software and management software) are different,
it creates more questions.
1. During the guided setup (on the first page actually...) of the L2L VPN on
the PIX running 6.3, there's no place to specify the Tunnel Group, whereas
on the 7.0 there is. Also the commands seem to be slightly different
(vpngroup versus tunnel-group). Are these the same?
2. That leads to point two, which is, since I can't specify a tunnel-group
name on the 6.3 firewall, how will it know which tunnel to use? The existing
remote access VPN, or whatever the guided setup names it?
3. Also, I've read a lot about 6.3 having the limitation that traffic from
VPN clients can't be routed back out the same interface it entered. This
will be a problem if true, because the firewall in question only has 1 external
interface. I've read that the same-interface-security and split-tunnel
commands can mitigate that problem. Is this true? I think it may be true
that it does work, since I can access the internet unhindered when connected
by VPN client, but I'll have to trace it and verify that.
Thanks to all who have replied, and your further input is greatly
appreciated...
-----Original Message-----
From: Michael Diana [mailto:MDiana@npr.org]
Sent: Wednesday, May 23, 2007 12:45 PM
To: Dan Denton
Subject: RE: Cisco PIX VPN question...
You can easily have both VPN clients and Multiple PIX to PIX tunnels on
the same appliance. The easiest way is to go through the easy VPN set
up within the PDM on both ends. Be aware though that when you add a new
VPN instance, the IPSEC is reset and clients might be bounced. So I
tend to add new tunnels after hours and notifying the clients. Hope
this helps,
Michael
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Dan Denton
Sent: Tuesday, May 22, 2007 4:33 PM
To: firewalls@securityfocus.com
Subject: Cisco PIX VPN question...
-----Original Message-----
From: Dan Denton [mailto:ddenton@remitpro.com]
Sent: Monday, May 21, 2007 1:47 PM
To: 'firewalls@security-focus.com'
Subject: Cisco PIX VPN question...
Hello list...
I have a PIX 506E and a PIX 515E, each at a different location. Each firewall
has a remote access VPN set up. I'd like to set up a point-to-point VPN
connection between the two so users at one location won't have to use their
VPN clients unless they're off site. Each firewall only has one outside and
one inside interface. The 515E is running 7.0 and the 506E is running 6.3.
Does anyone out there have experience with setting up the two VPN technologies
simultaneously? I don't want to break the existing remote access VPNs.
Dan Denton