Hi Everyone, Perhaps someone in the group can help me with this problem. I have Cisco Pix515-UR (128MB RAM/16MB Flash) running PIX code 6.1(1) with Pix Device Manager (PDM) version 1.1(2). This PIX is connected to my cable modem with STATIC IP address 129.174.1.13 on the outside interface. The inside interface (which is my internal network) has an IP of 192.168.1.1 with a netmask of 255.255.255.0. On the internal network, I have a BSD box (IP 192.168.1.10), a Linux box (192.168.1.20), a Solarisx86 (IP 192.168.1.30) and a SCO Unix with IP 192.168.1.40
I have successfully implemented VPN connection for remote users using Cisco VPN client 3.1.1 running on Win98, NT, 2000 and Linux to connect to the internal network. Once these remote users are successfully connected, they can access all the devices on the internal network. I have 2 questions: 1) Let say that I just want remote users to access just the BSD box and the Linux box but not the Solaris and SCO, how can I make this happen? I know how to do that with Checkpoint Secure Remote (Checkpoint use Encryption domain which specify which devices remote user is allowed to access). How can I accomplish this in PIX? For example, I just want remote users to ping the BSD and Linux boxes but not Solaris and SCO boxes. 2) I have 4 different remote users who connect to the internal network via VPN IPSec connection. All of these users are using the same account (vpn3000) to connect back to the network. From a Security stand point, this is bad practices. How can I assign each of these users different account in the configuration? Again, I know how to do this with Checkpoint; however, I don't know how to get it done in PIX. Below is the configuration. Please help. thanks. PIX Version 6.1(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password OnTrBUG1Tp0edmkr encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname goss-d3-pix515b domain-name micronetsolution.com fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names ! !--- Access-list to avoid Network Address Translation (NAT) on the IPSec packets access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 interface ethernet0 auto interface ethernet1 auto mtu outside 1500 mtu inside 1500 ! !--- IP addresses on the interfaces ip address outside 129.174.1.13 255.255.240.0 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool ippool 192.168.2.1-192.168.2.254 no failover failover timeout 0:00:00 failover poll 15 failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 pdm history enable arp timeout 14400 ! !--- Binding ACL 101 to the NAT statement to avoid NAT on the IPSec packets nat (inside) 0 access-list 101 ! !--- Default route to the Internet route outside 0.0.0.0 0.0.0.0 129.174.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable ! !--- The sysopt command avoids conduit on the IPSec encrypted traffic sysopt connection permit-ipsec no sysopt route dnat ! !--- Phase 2 encryption type crypto ipsec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap ! !--- Binding the IPSec engine on the outside interface crypto map mymap interface outside ! !--- Enabling ISAKMP key-exchange isakmp enable outside isakmp identity address ! !--- ISAKMP Policy for 3000 VPN client running 3.0 or higher code isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 ! !--- IPSec group configuration for either VPN client vpngroup vpn3000 address-pool ippool vpngroup vpn3000 dns-server 192.168.1.10 vpngroup vpn3000 default-domain micronetsolution.com vpngroup vpn3000 idle-time 1800 vpngroup vpn3000 password ******** telnet timeout 5 ssh timeout 5 terminal width 80 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27759&t=27759 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
