Firewall Wizards mailing list archives
RE: Cisco Pix 515E Configuration
From: "Eric Gunnett" <eric () zoovy com>
Date: Tue, 07 Dec 2004 13:35:33 -0800
That is the exact problem we are having, as I have found out. Our phone switch is a Nortel and I have the admin of it looking into it. Otherwise it looks like we will have to scrap the idea and move to a VPN concentrator, or reconfigure a section of our network in order to get the phone switch and VPN working in conjunction.

Eric Gunnett
System Administrator
Zoovy, Inc.
eric () zoovy com
"Bruce Smith" <bruce_the_loon () worldonline co za> 12/07/04 01:15PM >>>
Hi Eric

As far as I am aware, the PIX will not route out via the same interface the packet came in on. For example, if I connect to our VPN from the Internet, I cannot get direct access to the Internet unless I use the proxy server inside the network. If I am wrong on this, can someone tell me what I've misconfigured?

So the ability for the two VPN clients to connect via the IP phone switch depends on how the system works. If all traffic is routed explicitly to the phone switch and out, you shouldn't have a problem if all ACLs are set up correctly to allow the IP phone traffic. If the system only uses the switch to set up the call and then the two hosts begin talking directly to each other, as Skype does and a couple of IP phone systems I've seen, then I guess you're buggered. But before you give up, if the IP phones talk directly, check whether the software can be configured to route all traffic via the phone switch.

Regards
Bruce Smith
Firewall Administrator
Port Elizabeth Technikon

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eric Gunnett
Sent: 03 December 2004 11:33 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Cisco Pix 515E Configuration

I am hoping someone can help me with this problem. I have a Cisco 515E with 6.3 on it. I have configured the PIX for VPN connections with authentication through a RADIUS server. My connections from Client -> PIX -> Internal Network work great. But we are using a phone switch that is trying to pass off the IP phone connection between two clients that are connected through the PIX, such as VPN Client 1 -> PIX -> VPN Client 2. Is this possible? I have attached my config below.
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8eATWrVtoJW4T5CL encrypted
passwd BGogFIdB6jmwTyg7 encrypted
hostname PIX
domain-name example.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol http 8080
no fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_outbound permit tcp any any
access-list acl_outbound permit ip any any
access-list acl_outbound permit udp any any
access-list acl_outbound permit icmp any any
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
access-list 80 permit ip 192.168.99.0 255.255.255.0 any
access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
pager lines 40
logging on
logging timestamp
logging monitor notifications
logging trap notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.99.50-192.168.99.75
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no pdm history enable
arp timeout 14400
global (outside) 1 63.108.93.25
nat (inside) 0 access-list 80
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group acl_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
aaa-server LOCAL protocol local
aaa-server local protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
ntp server 130.126.24.24 source outside
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local VPN outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup group idle-time 1800
vpngroup enable idle-time 1800
vpngroup Developers address-pool VPN
vpngroup Developers idle-time 1800
vpngroup Developers device-pass-through
telnet timeout 1
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 15
terminal width 80
Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
: end

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
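Added example (Python; not part of the thread and not Cisco's or either poster's code). It turns the two points above into a check you can run against the posted config: Bruce's statement that the PIX will not send a packet back out the interface it arrived on, and his point that once the switch hands one phone the other phone's media address, RTP runs VPN client to VPN client rather than through the switch. The script parses the interface, route, pool and crypto-map lines from the config as posted, decides ingress and egress interface for a flow by longest-prefix match, and flags any flow whose ingress equals its egress. Two assumptions not stated on the page: that traffic to or from a VPN pool address always crosses the interface carrying the crypto map ("outside" here), and that the phone switch's SIP answer carries the peer's media address in the SDP c= line. The SDP body, the PixConfig class and its method names are constructed for this example.

```python
"""Flow classifier for the PIX 6.3 config posted in the thread (added example, not list code).

Assumptions (not on the page): a packet to or from a VPN-pool address must cross the
interface that carries the crypto map; a SIP 200 OK's SDP names the peer's media endpoint.
"""
import ipaddress
import re

# Excerpt of the posted config: same addresses, routes and pool as on the page.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip local pool VPN 192.168.99.50-192.168.99.75
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
crypto map outside_map interface outside
"""

# Constructed SIP 200 OK body (hypothetical): the switch tells VPN client 1 to send RTP
# straight to VPN client 2's pool address, so the media path no longer passes the switch.
SDP_ANSWER = """\
v=0
o=phone2 1 1 IN IP4 192.168.99.57
c=IN IP4 192.168.99.57
m=audio 16384 RTP/AVP 0
"""


class PixConfig:
    def __init__(self, text):
        self.ifaces = {}        # name -> IPv4Interface (address plus connected subnet)
        self.routes = []        # (IPv4Network, egress interface name)
        self.pools = []         # (first, last) address of each "ip local pool"
        self.crypto_iface = None
        for raw in text.splitlines():
            p = raw.split()
            if p[:2] == ["ip", "address"]:
                self.ifaces[p[2]] = ipaddress.IPv4Interface(f"{p[3]}/{p[4]}")
            elif p[:1] == ["route"]:
                self.routes.append((ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False), p[1]))
            elif p[:3] == ["ip", "local", "pool"]:
                lo, hi = p[4].split("-")
                self.pools.append((ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
            elif p[:2] == ["crypto", "map"] and "interface" in p:
                self.crypto_iface = p[p.index("interface") + 1]

    def in_pool(self, addr):
        return any(lo <= addr <= hi for lo, hi in self.pools)

    def routed_interface(self, addr):
        """Longest-prefix match over connected subnets and static routes."""
        addr = ipaddress.IPv4Address(addr)
        best = [(i.network.prefixlen, n) for n, i in self.ifaces.items() if addr in i.network]
        best += [(net.prefixlen, n) for net, n in self.routes if addr in net]
        return max(best)[1] if best else None

    def interface_for(self, addr):
        """Interface a packet to/from addr crosses; VPN clients sit behind the crypto map."""
        addr = ipaddress.IPv4Address(addr)
        return self.crypto_iface if self.in_pool(addr) else self.routed_interface(addr)

    def classify_flow(self, src, dst):
        ingress, egress = self.interface_for(src), self.interface_for(dst)
        return {
            "ingress": ingress,
            "egress": egress,
            # PIX 6.3 will not forward a packet back out the interface it arrived on.
            "hairpin": ingress is not None and ingress == egress,
        }

    def pool_overlaps(self):
        """Pools whose addresses fall inside a directly connected interface subnet."""
        return [(str(lo), str(hi), n) for lo, hi in self.pools
                for n, i in self.ifaces.items() if lo in i.network or hi in i.network]


def sdp_media_endpoint(sdp):
    """Connection address and audio port an SDP answer tells the peer to send RTP to."""
    addr = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    return addr, port


if __name__ == "__main__":
    cfg = PixConfig(PIX_CONFIG)
    print("client -> internal:", cfg.classify_flow("192.168.99.56", "192.168.1.12"))
    media_ip, media_port = sdp_media_endpoint(SDP_ANSWER)
    print(f"client -> client RTP to {media_ip}:{media_port}:",
          cfg.classify_flow("192.168.99.56", media_ip))
    print("pool inside a connected subnet:", cfg.pool_overlaps())
```

On the posted config this reports what the thread describes: VPN client to 192.168.1.12 enters on outside and leaves on inside (the working case), while RTP from one pool address to the other would have to enter and leave on outside, which is the case Bruce says the PIX cannot do. The overlap check is the extra thing worth looking at before changing the phone system: the pool 192.168.99.50-75 sits inside the inside interface's 192.168.99.0/24, so a plain route lookup for a pool address points at inside rather than at the crypto-map interface; whether that matters for a given flow is something to confirm on the box, not something the script can decide.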
Current thread:
- Cisco Pix 515E Configuration Eric Gunnett (Dec 05)
- RE: Cisco Pix 515E Configuration Bruce Smith (Dec 11)
- Re: Cisco Pix 515E Configuration pmahesh90979 (Dec 11)
- <Possible follow-ups>
- RE: Cisco Pix 515E Configuration Eric Gunnett (Dec 07)
- Re: Cisco Pix 515E Configuration sanford.reed (Dec 07)
- RE: Cisco Pix 515E Configuration Eric Gunnett (Dec 11)
- RE: Cisco Pix 515E Configuration Sanford Reed (Dec 12)
- RE: Cisco Pix 515E Configuration Jason Ostrom (Dec 12)
- RE: Cisco Pix 515E Configuration Sanford Reed (Dec 12)
- RE: Cisco Pix 515E Configuration Joe Mazzotti (Dec 13)