Art,
Ah, but how many VPN sessions have you managed to get out of your
configuration?

We have been scratching our heads for weeks trying to find out why we can't
get any more than 2 or 3 VPN connections at any one time, and we think it
may have to do with the way PIXs handle NAT.  I have provided the complete
way in which we have configured the two firewalls and I hope it is useful.
Maybe someone out there can see where the problem lies.

Basically, our 7 VPN licensed GB1000 connects to our PIX, as follows:

GB1000 Firewall IP Addresses (examples, of course!):
GB External Interface: 199.120.225.76
GB Protected Network: 192.168.1.0/24

Pix IP Addresses:
External Interface: 199.120.225.90
Protected Network: 10.10.11.0/24

Supported Encryption:
Mode:   IKE
ESP:    DES or 3DES (Triple DES)
Hash:   SHA-1 or MD5
Key Group:  Diffie-Hellman group 1 or 2.

****************************
***** GB-1000 Settings *****
****************************
Create VPN Object (Objects -> VPN Objects) - 

Name: GB -> Cisco Pix
Description: GNAT Box to Cisco Pix IKE VPN
Local Gateway: EXTERNAL 199.120.225.76
Local Network: Protected Network 192.168.1.0/24
Mobile Authentication: Unchecked
Force Mobile Protocol: Unchecked
Phase 1
        Exchange Mode:    Main
        Encryption (ESP): DES
        Hash:             MD5
        Key Group:        Diffie-Hellman group 2
Phase 2
        Encryption (ESP): DES
        Hash:             MD5
        Key Group:        Diffie-Hellman group 2

Create VPN (Authorization -> VPN)

        Key Exchange: IKE
        Description: GNAT Box to Cisco PIX VPN
        Identity Leave Blank
        VPN Object:  GB -> Cisco Pix
        Remote Gateway:  199.120.225.90  (Cisco Pix External Interface)
        Remote Network:  10.10.11.0/24   (Cisco Pix Protected Network)

Create default Remote Access filters -

1 #DEFAULT: VPN: Allow ESP connections (GNAT Box -> Cisco Pix VPN).
Type: Accept Priority: notice Interface: ANY Protocol: 50 (ESP)
Source IP: 199.120.225.90
Port: Blank or 0
Destination IP: 199.120.225.76
Port: Blank or 0

2 #DEFAULT: VPN: Allow IKE connections (GNAT Box -> Cisco Pix VPN).
Type: Accept Priority: notice Interface: ANY Protocol: UDP
Source IP: 199.120.225.90
Port: Blank or 0
Destination IP: 199.120.225.76
Port: 500

Create IP Pass-Through filters
Example filters below allow all access between the Cisco Pix and the GTA
Firewall networks. Set these filters according to your corporate security
policy.

1. Description: VPN, inbound connections (GNAT Box -> Cisco Pix VPN).
Type: Accept Priority: notice Interface: External Protocol: ANY
Source IP: 10.10.11.0/24
Port: Blank or 0
Source IP: 192.168.1.0/24
Port: Blank or 0

2. Description: VPN, outbound connections (GNAT Box -> Cisco Pix VPN).
Type: Accept Priority: notice Interface: Protected Protocol: ANY
Source IP: 192.168.1.0/24
Port: Blank or 0
Source IP: 10.10.11.0/24
Port: Blank or 0

************************
***** PIX Settings *****
************************
! Add access list to pass local traffic from local network to remote network
access-list 160 permit ip 10.10.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Disables NAT for connections bound for remote network.  Matches same
! access list as vpn, vpn WILL NOT WORK without this
nat (inside) 0 access-list 160
! Tells the PIX to trust ipsec information
sysopt connection permit-ipsec
!
crypto ipsec transform-set gb-set esp-des esp-md5-hmac
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
! sets VPN peer to Address, external interface of the GNAT Box system.
crypto map gb-map 1 set peer 199.120.225.76
crypto map gb-map 1 set transform-set gb-set
! set lifetime to a max of 3600 seconds
crypto map gb-map 1 set security-association lifetime 3600
crypto map gb-map interface outside
!
isakmp enable outside
! set pre-shared keys for VPN
isakmp key 12345678 address 199.120.225.76 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
! access list to pass local traffic (xxx.111.xxx.xxx to remote vpn
! network, xxx.222.xxx.xxx)
access-list 160 permit ip XXX.111.XXX.XXX 255.255.255.0 XXX.222.XXX.XXX 255.255.255.0
!
! disables NAT for connections bound for VPN. matches same accesslist as
! vpn, vpn WILL NOT WORK without this
nat (inside) 0 access-list 160
! tells the PIX to trust ipsec information
sysopt connection permit-ipsec
!
crypto ipsec transform-set gb-set esp-des esp-md5-hmac
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
! sets VPN peer to xxx.xxx.xxx.xxx
crypto map gb-map 1 set peer XXX.XXX.XXX.XXX
crypto map gb-map 1 set transform-set gb-set
crypto map gb-map 1 set security-association lifetime 3600
crypto map gb-map interface outside
!
isakmp enable outside
! using preshared keys, sets key ******** for peer xxx.xxx.xxx.xxx
isakmp key ******** address XXX.XXX.XXX.XXX netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600

regards,
Rezz
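
A consistency check for the two sides of the tunnel described above, added here as an example and not part of either poster's configuration. It parses the PIX settings as posted (example addresses from the thread) and confirms that the isakmp policy and transform-set match the GNAT Box Phase 1 / Phase 2 proposal, that the peer is the GB external interface, and that the `nat (inside) 0` access list is the same one the crypto map matches on, the condition the PIX comments flag as mandatory.

```python
import re

# Constructed from the PIX settings posted in the thread (example addresses).
PIX_CONFIG = """
access-list 160 permit ip 10.10.11.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 160
sysopt connection permit-ipsec
crypto ipsec transform-set gb-set esp-des esp-md5-hmac
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
crypto map gb-map 1 set peer 199.120.225.76
crypto map gb-map 1 set transform-set gb-set
crypto map gb-map interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
"""

# The GNAT Box VPN object as described in the thread (Phase 1/2 and gateway).
GB_SIDE = {"encryption": "des", "hash": "md5", "group": "2",
           "gateway": "199.120.225.76"}

def check_pix_against_gb(pix_cfg, gb):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    problems = []
    def first(pattern):
        m = re.search(pattern, pix_cfg, re.M)
        return m.group(1) if m else None
    # Phase 1: the isakmp policy must offer what the GB object proposes.
    for attr in ("encryption", "hash", "group"):
        val = first(r"^isakmp policy \d+ %s (\S+)" % attr)
        if val != gb[attr]:
            problems.append("isakmp %s %r != GB %r" % (attr, val, gb[attr]))
    # Phase 2: the transform-set must carry the GB Phase 2 cipher and hash.
    ts = first(r"^crypto ipsec transform-set \S+ (.+)$")
    parts = ts.split() if ts else []
    if "esp-%s" % gb["encryption"] not in parts or \
            "esp-%s-hmac" % gb["hash"] not in parts:
        problems.append("transform-set %r does not match GB Phase 2" % ts)
    # The peer must be the GB external interface.
    peer = first(r"^crypto map \S+ \d+ set peer (\S+)")
    if peer != gb["gateway"]:
        problems.append("peer %r != GB gateway %r" % (peer, gb["gateway"]))
    # The nat 0 ACL must be the same ACL the crypto map matches on.
    crypto_acl = first(r"^crypto map \S+ \d+ match address (\S+)")
    nat0_acl = first(r"^nat \(inside\) 0 access-list (\S+)")
    if crypto_acl is None or nat0_acl != crypto_acl:
        problems.append("nat 0 ACL %r != crypto ACL %r" % (nat0_acl, crypto_acl))
    return problems
```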
-----Original Message-----
From: Kalli [mailto:[EMAIL PROTECTED]]
Sent: 11 October 2002 10:50
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [gb-users] vpn with other firewalls


Works fine with Cisco. At least VPN concentrator and Gnatbox works
perfectly. Make the VPN similarly as a Gnatbox-Gnatbox VPN.

Arttu Kalli
