
Access Lists in a nutshell

Status
Not open for further replies.

DrGreen26

MIS
Feb 23, 2000
430
US
Ok, I am learning how to set up and manage a PIX 515 E, and I understand access lists, but on the PIX it seems a bit more challenging. I have a configuration like this:

Outside Interface, Inside Interface, a DMZ and a VPNDMZ

I have a device on the VPN DMZ that needs to use a radius server for authentication on the inside network on port 1645.

access-list permit udp vpndmz to host 10.15.200.20 eq 1645

would this be the correct way to set this up or does it need to be different?

Thanks for your help and input in advance..

Mark

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
So long as you have a static for the radius server between your INSIDE and VPNDMZ using that address on the VPNDMZ, and you have applied the access list with correct syntax to the interface, then it is pretty much the same as passing in SMTP traffic from the outside to your DMZ.



access-l vpndmz permit udp host the.vpn.server.ip host 10.15.200.20 eq 1645
access-g vpndmz in interface vpndmz
static (inside,vpndmz) 10.15.200.20 inside.address.y.z
 
Surely 10.15.200.20 is the address of the RADIUS server off the inside interface? In which case the static statement should be

static (inside, vpndmz) the.vpn.server.ip 10.15.200.20

Yes/no?

CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Ok just so I have this right let me describe my network in greater detail.

I have a VPN Concentrator whose inside address is 192.168.2.10 and has a name defined for it on this pix. This concentrator has a VPN Pool which has an IP range of 192.168.200.# through .100. This also has a name defined for it on the PIX.

The VPNDMZ ip on the perimeter PIX interface is 192.168.2.1
The Inside interface is 10.15.200.1 on the pix and this connects to everything internal.

The public interface on the concentrator connects to the ISP.

Thanks again
Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
So assign an IP address to the radius server on the VPNDMZ.
say 192.168.2.9
The static becomes:
static (inside, vpndmz) 192.168.2.9 10.15.200.20
and the access list:
access-l vpndmz permit udp host 192.168.2.10 host 192.168.2.9 eq 1645

As for the vpn assigned addresses being 192.168.200.#, your pix is 192.168.2.1. Am I missing something? How does the VPN traffic get routed from the 200 network to the 2 network so it can get through your firewall?
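The point of the last two replies is that an access list applied inbound on the vpndmz interface has to name the RADIUS server by its mapped (vpndmz-side) address from the static, not by its real inside address. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses PIX 6.x style `static`, `access-list` and `access-group` lines and flags an ACL whose destination is the real address of a static rather than the mapped one. The two configuration snippets at the bottom are constructed from the addresses in the thread; the regexes only cover the `host`/`any` forms used here.

```python
"""Added example: consistency check for PIX static + access-list pairs.

Assumptions (not from the thread): only "host X" and "any" address forms,
only "eq PORT" port matches, and the PIX 6.x static syntax
    static (real_ifc, mapped_ifc) mapped_ip real_ip
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Static:
    real_if: str     # interface where the real host lives (e.g. inside)
    mapped_if: str   # interface on which the mapped address is visible (e.g. vpndmz)
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[str]


STATIC_RE = re.compile(r"^static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(
    r"^access-l(?:ist)?\s+(\S+)\s+(permit|deny)\s+(\w+)\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)(?:\s+eq\s+(\S+))?"
)
GROUP_RE = re.compile(r"^access-g(?:roup)?\s+(\S+)\s+in\s+interface\s+(\S+)")


def _addr(token: str) -> str:
    # "host 1.2.3.4" -> "1.2.3.4"; "any" stays "any"
    return token.split()[-1]


def parse(config: str):
    """Split a config text into statics, ACL entries and {acl_name: interface}."""
    statics, acls, groups = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            statics.append(Static(*m.groups()))
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.append(AclEntry(name, action, proto, _addr(src), _addr(dst), port))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            groups[name] = iface
    return statics, acls, groups


def check(config: str) -> list:
    """Return findings as strings; an empty list means the pairs are consistent."""
    statics, acls, groups = parse(config)
    findings = []
    for e in acls:
        if e.action != "permit" or e.dst == "any":
            continue
        iface = groups.get(e.name)
        if iface is None:
            findings.append(f"access-list {e.name} is never applied with access-group")
            continue
        # Correct case: the ACL destination is the address the static presents on this interface.
        if any(s.mapped_if == iface and s.mapped_ip == e.dst for s in statics):
            continue
        real = [s for s in statics if s.real_ip == e.dst]
        if real:
            s = real[0]
            findings.append(
                f"access-list {e.name} on {iface} permits to {e.dst}, which is the real "
                f"{s.real_if} address; use the mapped address {s.mapped_ip} instead"
            )
        else:
            findings.append(f"no static presents {e.dst} on interface {iface}")
    return findings


# Constructed snippets using the thread's addresses (RADIUS server 10.15.200.20
# inside, mapped to 192.168.2.9 on vpndmz; concentrator 192.168.2.10).
GOOD = """
static (inside, vpndmz) 192.168.2.9 10.15.200.20
access-l vpndmz permit udp host 192.168.2.10 host 192.168.2.9 eq 1645
access-g vpndmz in interface vpndmz
"""

BAD = """
static (inside, vpndmz) 192.168.2.9 10.15.200.20
access-l vpndmz permit udp host 192.168.2.10 host 10.15.200.20 eq 1645
access-g vpndmz in interface vpndmz
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check(cfg) or "OK")
```

Running it reports the `GOOD` snippet as consistent and flags the `BAD` one, where the ACL names the real inside address 10.15.200.20 instead of the mapped 192.168.2.9. One further caveat worth keeping in mind when copying the thread's lines: UDP 1645 is the legacy RADIUS authentication port, and many RADIUS servers listen on the IANA-assigned 1812 instead, so confirm which port your server actually uses before writing the entry.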
 
I have a route on my core (6513) switch which points back to the inside interface of the PIX which is a 10.15.200.1 for the 192.168.200.#
Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 