Firewall Wizards mailing list archives

RE: Cisco Pix 515E Configuration


From: "Eric Gunnett" <eric () zoovy com>
Date: Tue, 07 Dec 2004 13:35:33 -0800

That is the exact problem we are having, as I have found out. Our phone switch is a Nortel and I have the admin
of it looking in it. Otherwise it looks like we will have to scrap the idea and move to a VPN concentrator or
reconfigure a section of our network in order to get the phone switch and VPN working in conjunction.



Eric Gunnett
System Administrator
Zoovy, Inc.
eric () zoovy com


"Bruce Smith" <bruce_the_loon () worldonline co za> 12/07/04 01:15PM >>>
Hi Eric

As far as I am aware, the PIX will not route out via the same interface the
packet came in on. For example if I connect to our VPN from the Internet, I
cannot get direct access to the Internet unless I use the proxy server
inside the network. If I am wrong on this, can someone tell me what I've
misconfigured?

So the ability for the two VPN clients to connect via the IP phone switch
depends on how the system works. If all traffic is routed explicitly to the
phone switch and out, you shouldn't have a problem if all ACLs are set up
correctly to allow the IP phone traffic. If the system only uses the switch
to set up the call and then the two hosts begin talking directly to each
other, as Skype does and a couple of IP phone systems I've seen, then I
guess you're buggered. But before you give up, if the IP phones talk
directly, check whether the software can be configured to route all traffic
via the phone switch.

Regards

Bruce Smith
Firewall Administrator
Port Elizabeth Technikon

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eric Gunnett
Sent: 03 December 2004 11:33 PM
To: firewall-wizards () honor icsalabs com 
Subject: [fw-wiz] Cisco Pix 515E Configuration


I am hoping someone can help me with this problem. I have a Cisco
515E with 6.3 on it. I have configured the PIX for VPN connections with
authentication through RADIUS. My connections from Client -> Pix ->
Internal Network work great. But we are using a phone switch that is trying
to pass off the IP phone connection between two clients that are connected
through the PIX, such as VPN Client 1 -> Pix -> VPN Client 2. Is this
possible? I have attached my config below.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8eATWrVtoJW4T5CL encrypted
passwd BGogFIdB6jmwTyg7 encrypted
hostname PIX
domain-name example.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol http 8080
no fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
access-list acl_outbound permit tcp any any
access-list acl_outbound permit ip any any
access-list acl_outbound permit udp any any
access-list acl_outbound permit icmp any any
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.50
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.51
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.52
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.53
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.54
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.55
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.57
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.58
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.59
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.60
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.61
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.62
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.63
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.64
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.65
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.66
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.67
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.68
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.69
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.70
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.71
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.72
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.73
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.74
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.75
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 80 permit ip host 192.168.99.56 host 192.168.99.57
access-list 80 permit ip host 192.168.99.57 host 192.168.99.56
access-list 80 permit ip 192.168.99.0 255.255.255.0 any
access-list split permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
pager lines 40
logging on
logging timestamp
logging monitor notifications
logging trap notifications
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.99.50-192.168.99.75
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no pdm history enable
arp timeout 14400
global (outside) 1 63.108.93.25
nat (inside) 0 access-list 80
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group acl_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.12 secretpass timeout 15
aaa-server LOCAL protocol local
aaa-server local protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.1.12 secretpass timeout 15
ntp server 130.126.24.24 source outside
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local VPN outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
vpngroup group idle-time 1800
vpngroup enable idle-time 1800
vpngroup Developers address-pool VPN
vpngroup Developers idle-time 1800
vpngroup Developers device-pass-through
telnet timeout 1
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 15
terminal width 80
Cryptochecksum:c7f91c5bc5fef54edd6d720856a6429f
: end

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com 
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards 
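An added example, not code from the thread or from Cisco, that turns Bruce's point into a check: it parses a constructed excerpt of the posted PIX 6.3 config and reports, for a given flow, whether the packet would have to leave on the interface it arrived on (the VPN-client-to-VPN-client case) and whether the nat 0 ACL exempts it. The parser is a minimal one written for this excerpt, not Cisco's full grammar, and the assumption that pool addresses are reached through the outside interface is the usual PIX behaviour for remote-access clients.

```python
import ipaddress
# Constructed excerpt of the PIX 6.3 config posted in the thread (not the whole config).
PIX_CFG = """
ip address outside 66.67.68.69 255.255.255.224
ip address inside 192.168.99.1 255.255.255.0
ip local pool VPN 192.168.99.50-192.168.99.75
route inside 192.168.1.0 255.255.255.0 192.168.99.1 1
access-list 80 permit ip 192.168.1.0 255.255.255.0 host 192.168.99.56
access-list 80 permit ip 192.168.99.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list 80
"""
def _net(tok, i):  # one PIX ACL address spec at tok[i]: 'any', 'host A' or 'A MASK'
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), 2

def parse_pix(cfg):
    """Collect interfaces, static routes, the VPN pool, ACLs and the nat 0 exemption ACL."""
    st = {"ifaces": {}, "routes": [], "pool": [], "acls": {}, "nat0": None}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[:2] == ["ip", "address"]:
            st["ifaces"][w[2]] = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
        elif w[:3] == ["ip", "local", "pool"]:
            st["pool"].append(tuple(ipaddress.ip_address(a) for a in w[4].split("-")))
        elif w[0] == "route":
            st["routes"].append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)))
        elif w[0] == "access-list" and w[2] == "permit":
            src, n = _net(w, 4)
            st["acls"].setdefault(w[1], []).append((src, _net(w, 4 + n)[0]))
        elif w[:2] == ["nat", "(inside)"] and w[2] == "0":
            st["nat0"] = w[4]
    return st

def iface_for(st, ip):
    """VPN-pool addresses sit behind the IPsec tunnel on 'outside'; else longest-prefix match."""
    if any(lo <= ip <= hi for lo, hi in st["pool"]):
        return "outside"
    cands = [(n.prefixlen, i) for i, n in list(st["ifaces"].items()) + st["routes"] if ip in n]
    return max(cands)[1] if cands else "outside"  # no match: default route via outside

def check_path(st, src, dst):
    """Does the flow hairpin (enter and leave on one interface), and is it NAT-exempt?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = iface_for(st, src), iface_for(st, dst)
    # nat 0 access-list exempts matching flows in both directions (the return traffic too)
    exempt = any((src in s and dst in d) or (dst in s and src in d) for s, d in st["acls"].get(st["nat0"], []))
    # PIX 6.3 will not send a packet back out the interface it arrived on; that needs
    # 'same-security-traffic permit intra-interface', which only exists from PIX 7.0 on.
    return {"ingress": ingress, "egress": egress, "hairpin": ingress == egress, "nat_exempt": exempt}
```

A flow flagged `hairpin` is the one Bruce describes: two VPN clients both terminating on outside, so the PIX would have to send the call back out the interface it came in on.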
