Firewall Wizards mailing list archives
Cisco Pix 515E Configuration
From: "Eric Gunnett" <eric () zoovy com>
Date: Fri, 03 Dec 2004 13:32:54 -0800
I am hoping someone can help me with this problem. I have a Cisco 515E with 6.3 on it. I have configured the PIX for VPN connections with authentication through a RADIUS. My connections from Client -> Pix -> Internal Network work great. But we are using a phone switch that is trying to pass off the IP phone connection between two clients that are connected through the PIX, such as VPN Client 1 -> Pix -> VPN Client 2. Is this possible? I have attached my config below.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8eATWrVtoJW4T5CL encrypted
passwd BGogFIdB6jmwTyg7 encrypted
hostname PIX
domain-name example.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol http 8080
no fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_outbound permit tcp any any
access-list acl_outbound permit ip any any
access-list acl_outbound permit udp any any
access-list acl_outbound permit icmp any any
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
access-list 80 permit ip 192.168.99.0 255.255.255.0 any
access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
pager lines 40
logging on
logging timestamp
logging monitor notifications
logging trap notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.99.50-192.168.99.75
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no pdm history enable
arp timeout 14400
global (outside) 1 63.108.93.25
nat (inside) 0 access-list 80
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group acl_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
aaa-server LOCAL protocol local
aaa-server local protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
ntp server 130.126.24.24 source outside
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local VPN outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup group idle-time 1800
vpngroup enable idle-time 1800
vpngroup Developers address-pool VPN
vpngroup Developers idle-time 1800
vpngroup Developers device-pass-through
telnet timeout 1
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 15
terminal width 80
Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
: end

firewall-wizards mailing list: firewall-wizards () honor icsalabs com, http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
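A configuration like the one in this post can be reviewed mechanically rather than by eye. The Python below is an added example (not from the original post or from Cisco): it parses a constructed excerpt of this PIX 6.3 config, checks whether the nat 0 access-list exempts VPN-pool-to-VPN-pool traffic from translation, and reports the review findings a firewall engineer would raise (an ACL permitting ip any any bound inbound on the outside interface, an ISAKMP pre-shared key accepted from any peer address, MD5 as the IKE hash).

```python
import ipaddress

# Constructed excerpt of the PIX 6.3 config quoted in the post (added example, not the original).
PIX_CONFIG = """\
access-list acl_outbound permit ip any any
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool VPN 192.168.99.50-192.168.99.75
nat (inside) 0 access-list 80
access-group acl_outbound in interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 hash md5
"""

def parse(text):
    """Split a PIX config into token lists, dropping blank lines and ':' / '!' comments."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "!"))]

def _addr(tok, i):  # decode one ACE address spec (any | host A | A MASK) -> (ip_network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def aces(cmds, name):  # yield (action, protocol, src_net, dst_net) for each ACE of access-list `name`
    for c in cmds:
        if c[:2] == ["access-list", name]:
            src, i = _addr(c, 4)
            dst, _ = _addr(c, i)
            yield c[2], c[3], src, dst

def nat0_covers_pool(text):
    """True if the nat 0 (NAT-exempt) ACL permits VPN-pool-to-VPN-pool traffic."""
    cmds = parse(text)
    pool = next((c[4].split("-") for c in cmds if c[:3] == ["ip", "local", "pool"]), None)
    acl = next((c[4] for c in cmds if c[:4] == ["nat", "(inside)", "0", "access-list"]), None)
    if not pool or not acl:
        return False
    lo, hi = map(ipaddress.ip_address, pool)
    return any(a == "permit" and lo in s and hi in d for a, _, s, d in aces(cmds, acl))

def audit(text):
    """Return the findings a firewall reviewer would raise on this config."""
    cmds, out = parse(text), []
    for c in cmds:
        if c[0] == "access-group" and "in" in c and c[-1] == "outside" and any(
                a == "permit" and p == "ip" and s.prefixlen == d.prefixlen == 0
                for a, p, s, d in aces(cmds, c[1])):
            out.append(f"ACL {c[1]} bound inbound on outside permits ip any any")
        if c[:2] == ["isakmp", "key"] and c[-3:] == ["0.0.0.0", "netmask", "0.0.0.0"]:
            out.append("ISAKMP pre-shared key accepted from any peer address (0.0.0.0/0)")
        if c[:2] == ["isakmp", "policy"] and c[3:5] == ["hash", "md5"]:
            out.append(f"isakmp policy {c[2]} uses MD5 as the IKE hash")
    return out
```

Feed the full pasted config to `audit()` to get the complete list; the parser ignores trailing port qualifiers on tcp/udp ACEs, so it works on the other access-lists in the post unchanged.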
Current thread:
- Cisco Pix 515E Configuration Eric Gunnett (Dec 05)
- RE: Cisco Pix 515E Configuration Bruce Smith (Dec 11)
- Re: Cisco Pix 515E Configuration pmahesh90979 (Dec 11)
- <Possible follow-ups>
- RE: Cisco Pix 515E Configuration Eric Gunnett (Dec 07)
- Re: Cisco Pix 515E Configuration sanford.reed (Dec 07)
- RE: Cisco Pix 515E Configuration Eric Gunnett (Dec 11)
- RE: Cisco Pix 515E Configuration Sanford Reed (Dec 12)
- RE: Cisco Pix 515E Configuration Jason Ostrom (Dec 12)
- RE: Cisco Pix 515E Configuration Sanford Reed (Dec 12)
- RE: Cisco Pix 515E Configuration Joe Mazzotti (Dec 13)