
Baffled...


WNelson28 (IS-IT--Management)
May 21, 2003
Hi guys... I have pasted in my config of a PIX 515. We have a wireless AP on the DMZ, and hosts that connect to it, in order to access internal resources, have to connect via a VPN concentrator. I have added all the static IPs of the wireless devices on that subnet and think I've restricted it to only those that can make a connection to the concentrator and deny the rest... or that's what I thought! It doesn't matter what IP I give myself, I can still make a connection to the VPN! Help!!!



PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password encrypted
passwd encrypted
hostname oci-pix-01
domain-name
no fixup protocol dns
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
no names
name
access-list external permit tcp any host 217.36.93.51 eq smtp
access-list external permit tcp any host 217.36.93.51 eq https
access-list external permit tcp any host 217.36.93.50 eq 1000
access-list external permit udp any host 217.36.93.50 eq 4500
access-list external permit udp any host 217.36.93.50 eq isakmp
access-list 101 permit ip x.x.x.x.0 255.255.255.0 x.x.x.x 255.255.255.0
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq https
access-list outbound permit tcp host x.x.x.x any eq smtp
access-list outbound permit tcp host x.x.x.x any eq domain
access-list outbound permit udp host x.x.x.x any eq domain
access-list outbound permit tcp host x.x.x.x any
access-list outbound permit tcp host x.x.x.x any
access-list outbound permit tcp host x.x.x.x any
access-list outbound permit tcp host x.x.x.x any
access-list outbound deny tcp any any
access-list outbound deny udp any any
access-list wap permit udp host 172.16.9.60 any eq isakmp
access-list wap permit udp host 172.16.9.60 any eq 4500
access-list wap permit tcp host 172.16.9.60 any eq 1000
access-list wap permit udp host 172.16.9.50 any eq isakmp
access-list wap permit udp host 172.16.9.50 any eq 4500
access-list wap permit tcp host 172.16.9.50 any eq 1000
access-list wap permit udp host 172.16.9.55 any eq isakmp
access-list wap permit udp host 172.16.9.55 any eq 4500
access-list wap permit tcp host 172.16.9.55 any eq 1000
access-list wap permit udp host 172.16.9.75 any eq isakmp
access-list wap permit udp host 172.16.9.75 any eq 4500
access-list wap permit tcp host 172.16.9.75 any eq 1000
access-list wap permit udp host 172.16.9.65 any eq isakmp
access-list wap permit udp host 172.16.9.65 any eq 4500
access-list wap permit tcp host 172.16.9.65 any eq 1000
access-list wap permit udp host 172.16.9.70 any eq isakmp
access-list wap permit udp host 172.16.9.70 any eq 4500
access-list wap permit tcp host 172.16.9.70 any eq 1000
access-list wap permit udp host 172.16.9.80 any eq isakmp
access-list wap permit udp host 172.16.9.80 any eq 4500
access-list wap permit tcp host 172.16.9.80 any eq 1000
access-list wap deny tcp any any
access-list wap deny udp any any
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 217.36.93.49 255.255.255.248
ip address inside 192.168.x.x 255.255.255.0
ip address dmz 172.16.9.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 217.36.93.51 192.168.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 217.36.93.50 172.16.9.254 netmask 255.255.255.255 0 0
access-group external in interface outside
access-group outbound in interface inside
access-group wap in interface dmz
route outside 0.0.0.0 0.0.0.0 217.36.93.54 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.x.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 480
dhcpd ping_timeout 750
terminal width 80
 
I haven't messed with a VPN concentrator, but if it works like the VPN client on the PIX, then are you assigning IPs from a pool on the concentrator? I am not entirely sure what your setup is here.

Assuming:

AP --> VPN Concentrator --> PIX

If the VPN concentrator hands out IP addresses to its clients, then it doesn't matter what IP the clients get from the AP. The Cisco VPN client installs a virtual interface to communicate with devices in the "secure" network.

Step 1. PC connects to the wireless AP, gets an address via DHCP.
Step 2. PC uses the VPN client to connect to the concentrator. The PC now has two IP addresses: one that is used to access resources between the AP and the VPN concentrator, and another that is used between the VPN concentrator and the PIX. The PIX never sees the address from step 1.

Just a guess, if I understand your setup.

Jeremy Giacobbe
MCSE, CCNA
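Added example (not code from the original post, the reply, or Cisco): a small Python evaluator for the PIX 6.x `access-list` syntax used in the posted config. It parses the "wap" entries exactly as written, applies first-match semantics with the implicit deny that ends every PIX ACL, and then asks the question the thread turns on: does the flow enter the PIX at all? The posted `static (dmz,outside) 217.36.93.50 172.16.9.254` places the concentrator's address 172.16.9.254 on the DMZ subnet; if the wireless clients also sit on 172.16.9.0/24, a client-to-concentrator packet is delivered at layer 2 and the "wap" ACL is never consulted, no matter which source IP the client uses. That inference about the topology, the subset of the ACL reproduced below, the sample flows, and the `crosses_firewall` helper are all constructed for illustration.

```python
"""PIX 6.x-style access-list evaluator (added example, not from the original post).

Parses access-list lines in the syntax used in the posted config and answers
"would this flow be permitted by ACL X?", including the implicit deny-all at the
end of every PIX ACL.  The ACL subset, port names and sample flows are
constructed for illustration.
"""
import ipaddress

# Port names PIX 6.3 accepts after "eq"; the subset that appears in the post.
PORT_NAMES = {"isakmp": 500, "smtp": 25, "https": 443, "www": 80, "domain": 53}

# Constructed: the first two hosts of the posted "wap" ACL plus its two denies.
# The remaining hosts in the post follow the same three-line pattern.
WAP_ACL = """
access-list wap permit udp host 172.16.9.60 any eq isakmp
access-list wap permit udp host 172.16.9.60 any eq 4500
access-list wap permit tcp host 172.16.9.60 any eq 1000
access-list wap permit udp host 172.16.9.50 any eq isakmp
access-list wap permit udp host 172.16.9.50 any eq 4500
access-list wap permit tcp host 172.16.9.50 any eq 1000
access-list wap deny tcp any any
access-list wap deny udp any any
"""

# From "ip address dmz 172.16.9.10 255.255.255.0" in the post.
DMZ_NET = ipaddress.ip_network("172.16.9.0/24")


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A MASK' (PIX uses a subnet mask, not a wildcard)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' clause; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Return {name: [(action, proto, src_net, dst_net, dst_port), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        _sport, i = _parse_port(t, i)      # source-port clause; unused by the posted ACLs
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching ACE wins; no match means the PIX implicit deny.
    Returns (action, index_of_matching_ace) with index None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, p, src, dst, dport) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != dst_port:
            continue
        return action, n
    return "deny", None


def crosses_firewall(src_ip, dst_ip, local_net=DMZ_NET):
    """An interface ACL is only consulted for packets that enter the PIX on that
    interface.  Two hosts on the same DMZ subnet exchange packets directly over
    layer 2, so the 'wap' ACL never sees that traffic, whatever it says."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return not (s in local_net and d in local_net)


def check_wap_flows():
    """Constructed flows against the 'wap' ACL: a listed client, an unlisted client,
    a listed client on a non-permitted port, and a non-TCP/UDP protocol."""
    acl = parse_acl(WAP_ACL)["wap"]
    return {
        "listed_isakmp": evaluate(acl, "udp", "172.16.9.60", "172.16.9.254", 500),
        "unlisted_isakmp": evaluate(acl, "udp", "172.16.9.61", "172.16.9.254", 500),
        "listed_wrong_port": evaluate(acl, "tcp", "172.16.9.60", "172.16.9.254", 22),
        "unlisted_esp": evaluate(acl, "esp", "172.16.9.61", "172.16.9.254"),
    }


if __name__ == "__main__":
    for flow, result in check_wap_flows().items():
        print(f"{flow:18s} -> {result}")
    # The decisive check: does a DMZ client talking to 172.16.9.254 hit the PIX?
    print("enters PIX:", crosses_firewall("172.16.9.61", "172.16.9.254"))
```

The ACL itself does what the poster intended: an unlisted 172.16.9.61 is caught by `deny udp any any`, and a listed host on a port other than isakmp/4500/1000 is caught by the TCP deny. The evaluator only gives the "deny" the poster expected, though, for packets that actually enter the dmz interface; `crosses_firewall` returns False for a client-to-172.16.9.254 flow on the same /24, which is the case to rule out before touching the ACL further. Flows that do leave the subnet, such as a client connecting to the concentrator's public 217.36.93.50, would be filtered.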
 