Question : How to configure Cisco PIX VPN Configuration And IAS Integration?
Hi Everyone,
I have a problem with the configuration of a Cisco PIX 515e firewall. The Cisco VPN client is used by mobile users to establish connectivity with the corporate network. The PIX has been configured so that the users' connection requests are authenticated against the IAS service running on the Windows domain controllers. If the users' Active Directory accounts are members of a particular Active Directory group, then the IAS policy authenticates them and allows access to the corporate network.
The problem I have is that I now have to create some site-to-site VPN connections with the PIX firewall, and I have found that the IAS server is interfering with users connecting via the site-to-site VPNs. I need to alter the configuration so that the users connecting via site-to-site VPNs don't have to be associated with any IAS policies. The mobile users still need to authenticate against the IAS policies. I have copied what I believe to be the relevant section of the PIX configuration below.
Can you please confirm that this is possible? And if it is, what changes to the PIX configuration would be required?
Thanks for your assistance with this; as it is an urgent problem (aren't they always!) I have assigned this 500 points.

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server MYIAS protocol radius
aaa-server MYIAS max-failed-attempts 3
aaa-server MYIAS deadtime 10
aaa-server MYIAS (inside) host 10.0.0.4 c1sc0p1x timeout 10
aaa-server MYIAS (inside) host 10.0.0.5 c1sc0p1x timeout 10
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map ExternalMap 50 ipsec-isakmp
crypto map ExternalMap 50 match address VPN-Traffic
crypto map ExternalMap 50 set peer 22.89.161.103
crypto map ExternalMap 50 set transform-set ESP-3DES-SHA
crypto map ExternalMap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ExternalMap client configuration address initiate
crypto map ExternalMap client configuration address respond
crypto map ExternalMap client authentication MYIAS
crypto map ExternalMap interface outside
isakmp enable outside
isakmp key ******** address 22.89.161.103 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGroup address-pool VPNIPPool-temp
vpngroup VPNGroup dns-server 10.0.0.4 10.0.0.5
vpngroup VPNGroup default-domain my.local
vpngroup VPNGroup split-tunnel VPNGroup_splitTunnelAcl
vpngroup VPNGroup idle-time 1800
vpngroup VPNGroup password ********
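The following audit script is an added example, not part of the original post: it parses the crypto section of a PIX 6.x configuration like the one above and reports, for each static site-to-site peer, whether it is exempt from XAUTH. It assumes the PIX 6.x semantics in which `crypto map <name> client authentication <server>` applies XAUTH to every peer negotiating on that map unless the peer's `isakmp key ... address ...` entry carries `no-xauth`; the dynamic map used by the VPN clients is intentionally not checked, since those users are meant to authenticate. The sample configuration is a constructed, trimmed copy of the posted one.

```python
import re

# Constructed sample: a trimmed copy of the crypto section from the post, with the
# site-to-site peer's isakmp key line present (as posted). Delete "no-xauth" from
# that line to see the script flag the peer as subject to XAUTH via MYIAS.
SAMPLE_CONFIG = """
crypto map ExternalMap 50 ipsec-isakmp
crypto map ExternalMap 50 match address VPN-Traffic
crypto map ExternalMap 50 set peer 22.89.161.103
crypto map ExternalMap 50 set transform-set ESP-3DES-SHA
crypto map ExternalMap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ExternalMap client authentication MYIAS
crypto map ExternalMap interface outside
isakmp key ******** address 22.89.161.103 netmask 255.255.255.255 no-xauth no-config-mode
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)(.*)$")


def audit_xauth_exemptions(config_text):
    """Return {peer_ip: status} for every static crypto-map peer.

    "exempt"          - the peer's isakmp key entry carries no-xauth
    "xauth-required"  - the map enforces client authentication and the
                        peer is not exempt (a site-to-site peer in this
                        state is challenged by the AAA server)
    "no-xauth-on-map" - the crypto map has no client authentication
    "no-isakmp-key"   - no pre-shared key entry exists for the peer
    """
    peers = {}        # peer_ip -> crypto map name
    xauth_maps = set()
    key_flags = {}    # peer_ip -> trailing keywords on the isakmp key line
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            peers[m.group(3)] = m.group(1)
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
        elif m := KEY_RE.match(line):
            key_flags[m.group(1)] = set(m.group(3).split())
    result = {}
    for ip, cmap in peers.items():
        if ip not in key_flags:
            result[ip] = "no-isakmp-key"
        elif cmap not in xauth_maps:
            result[ip] = "no-xauth-on-map"
        elif "no-xauth" in key_flags[ip]:
            result[ip] = "exempt"
        else:
            result[ip] = "xauth-required"
    return result
```

Run it against a full `show running-config` dump; any peer reported as "xauth-required" is one the AAA server will challenge, which is the symptom described in the question.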
Answer : How to configure Cisco PIX VPN Configuration And IAS Integration?
I gotta believe it is possible to fix this; however, just to clarify a bit. Let's say we have a user at site A and a server at site B.
When the user pings the server, it refuses to connect, correct? Do you have any logs that could help?
Also, is the VPN tunnel built? In pre-7.x the SAs are always up. Run the following: sh crypto sa. Do you get an SA at each site that properly corresponds to the ACL for that site?
Also, since it's a site to site, what does the other end look like? We just need more information to go off of. Also, the IP layout could be helpful, as sometimes it's a simple ACL mixup as well.