Pix VPN : Différence entre versions

(Nouvelle page : n.brote@st-r.com // Upgrade failover PIX interface ethernet1 auto nameif ethernet1 inside security100 ip address inside 192.168.50.100 255.255.255.0 failover ip address inside 1...)
 
 
(Une révision intermédiaire par le même utilisateur non affichée)
Ligne 1 : Ligne 1 :
 +
n.brote@st-r.com
  
n.brote@st-r.com
 
  
 +
[[Image:PIX firewall - v2.1- str.ppt]]
  
  
Ligne 7 : Ligne 8 :
  
 
interface ethernet1 auto
 
interface ethernet1 auto
 +
 
nameif ethernet1 inside security100
 
nameif ethernet1 inside security100
 +
 
ip address inside 192.168.50.100 255.255.255.0
 
ip address inside 192.168.50.100 255.255.255.0
 +
 
failover ip address inside 192.168.50.101
 
failover ip address inside 192.168.50.101
 +
 
copy tftp://192.168.50.81/pix723.bin flash:image
 
copy tftp://192.168.50.81/pix723.bin flash:image
  
Ligne 29 : Ligne 34 :
  
 
vlan 101 = normal
 
vlan 101 = normal
 +
 
vlan 105 = admin
 
vlan 105 = admin
  
Ligne 52 : Ligne 58 :
  
 
193.49.133.208
 
193.49.133.208
 +
 
dc=ad,dc=dr13,dc=cnrs,dc=fr
 
dc=ad,dc=dr13,dc=cnrs,dc=fr
 +
 
sAMAccountName
 
sAMAccountName
 +
 
CN=pixdr,OU=DR13,DC=ad,DC=dr13,DC=cnrs,DC=fr
 
CN=pixdr,OU=DR13,DC=ad,DC=dr13,DC=cnrs,DC=fr
 +
 
password
 
password
  
 
193.49.133.2
 
193.49.133.2
 +
 
ou=people,dc=cnrs,dc=fr
 
ou=people,dc=cnrs,dc=fr
 +
 
mail
 
mail
  
 
groupe=testAD
 
groupe=testAD
 +
 
secret-partagé=ciscoAD2008
 
secret-partagé=ciscoAD2008
 +
 
poolIPAD=192.168.221.1-254
 
poolIPAD=192.168.221.1-254
 +
  
 
groupe=testOPENLDAP
 
groupe=testOPENLDAP
 +
 
secret-partagé=ciscoOPENLDAP2008
 
secret-partagé=ciscoOPENLDAP2008
 +
 
poolIPAD=192.168.222.1-254
 
poolIPAD=192.168.222.1-254
 +
  
 
groupe=LAB-TEST
 
groupe=LAB-TEST
 +
 
secret-partagé=ciscoLABTEST2008
 
secret-partagé=ciscoLABTEST2008
 +
 
poolIPAD=192.168.223.1-254
 
poolIPAD=192.168.223.1-254
  
Ligne 81 : Ligne 101 :
 
// ACLs
 
// ACLs
 
// source = VPN, destination = LAN
 
// source = VPN, destination = LAN
 +
  
 
access-list restrict-user-rd13 deny tcp any host 193.49.133.2 eq 22
 
access-list restrict-user-rd13 deny tcp any host 193.49.133.2 eq 22
 +
 
access-list restrict-user-rd13 permit ip any any
 
access-list restrict-user-rd13 permit ip any any
 +
 +
  
 
group-policy testAD attributes
 
group-policy testAD attributes
 
     vpn-filter value restrict-user-rd13
 
     vpn-filter value restrict-user-rd13
 +
  
  
 
// Attribution de paramètres
 
// Attribution de paramètres
 
Radius-Filter-ID
 
Radius-Filter-ID
 +
 
Radius-Framed-IP
 
Radius-Framed-IP
 +
 
Radius-Framùed-Netmask
 
Radius-Framùed-Netmask
 +
 
Tunnel-Group-Lock
 
Tunnel-Group-Lock
 +
 +
  
 
// Réécriture attributs
 
// Réécriture attributs
 +
  
 
ldap attribute-map TUNNEL-GROUP-LOCK
 
ldap attribute-map TUNNEL-GROUP-LOCK
Ligne 187 : Ligne 218 :
  
 
193.49.132.226
 
193.49.132.226
 +
 
255.255.255.192
 
255.255.255.192
  
Ligne 246 : Ligne 278 :
  
 
failover lan unit primary
 
failover lan unit primary
 +
 
failover lan enable
 
failover lan enable
 +
 
failover lan interface PIX-FAILOVER Ethernet0
 
failover lan interface PIX-FAILOVER Ethernet0
 +
 
failover key iletaitunefoisCNRS
 
failover key iletaitunefoisCNRS
 +
 
failover link PIX-FAILOVER Ethernet0
 
failover link PIX-FAILOVER Ethernet0
 +
 
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253
 
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253
  
Ligne 256 : Ligne 293 :
  
 
failover lan unit secondary
 
failover lan unit secondary
 +
 
failover lan enable
 
failover lan enable
 +
 
failover lan interface PIX-FAILOVER Ethernet0
 
failover lan interface PIX-FAILOVER Ethernet0
 +
 
failover key iletaitunefoisCNRS
 
failover key iletaitunefoisCNRS
 +
 
failover link PIX-FAILOVER Ethernet0
 
failover link PIX-FAILOVER Ethernet0
 +
 
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253
 
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253
  

Version actuelle datée du 30 octobre 2008 à 11:13

n.brote@st-r.com


Fichier:PIX firewall - v2.1- str.ppt


// Upgrade failover PIX
// Pre-7.0 (PIX 6.x) syntax: nameif carries the security level inline
// ("security100"); the 7.x snippets further down use nameif plus a
// separate security-level line.

interface ethernet1 auto

nameif ethernet1 inside security100

ip address inside 192.168.50.100 255.255.255.0

// Address the standby unit takes on "inside" while the primary is active.
failover ip address inside 192.168.50.101

// Image fetched over TFTP from 192.168.50.81 (no integrity protection in
// transit); compare the copied image's checksum with the published one
// before reloading.
copy tftp://192.168.50.81/pix723.bin flash:image



// Création d'un groupe VPN IPSec // GR DR13 admin // GR DR13 user // 1 GR par labo



// Annuaire LDAP

Tunnel-Group-Lock 92 String Single Name of the tunnel group or "none"

vlan 101 = normal

vlan 105 = admin

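// Sub-interface for VLAN 101 (dr13-normal). Unlike dr13-admin below, no
// "standby" address is given here; with failover enabled the standby unit
// has no address of its own on this interface — NOTE(review): confirm.
int eth1.101

vlan 101
nameif dr13-normal
security-level 100
ip add 193.49.133.100 255.255.255.0
no shut

// Sub-interface for VLAN 105 (dr13-admin), with the standby unit's address.
int eth1.105

vlan 105
nameif dr13-admin
security-level 100
ip add 172.19.13.23 255.255.255.0 standby 172.19.13.24
no shut

// Outside interface (security-level 0). The note had these five commands
// collapsed onto one line; they are separate commands, one per line.
int eth0
nameif outside
security-level 0
ip add 193.49.132.225 255.255.255.192
no shut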

193.49.133.208

dc=ad,dc=dr13,dc=cnrs,dc=fr

sAMAccountName

CN=pixdr,OU=DR13,DC=ad,DC=dr13,DC=cnrs,DC=fr

password

193.49.133.2

ou=people,dc=cnrs,dc=fr

mail

groupe=testAD

secret-partagé=ciscoAD2008

poolIPAD=192.168.221.1-254


groupe=testOPENLDAP

secret-partagé=ciscoOPENLDAP2008

poolIPAD=192.168.222.1-254


groupe=LAB-TEST

secret-partagé=ciscoLABTEST2008

poolIPAD=192.168.223.1-254


route add -net



// ACLs // source = VPN, destination = LAN


// vpn-filter ACL; per the heading above, source = VPN client, destination = LAN.
// Denies SSH (tcp/22) from VPN users to 193.49.133.2 (the second directory
// server listed in the LDAP section); everything else is permitted.
access-list restrict-user-rd13 deny tcp any host 193.49.133.2 eq 22

access-list restrict-user-rd13 permit ip any any


// The filter is attached only to the testAD group-policy; the other groups
// on this page (testOPENLDAP, LAB-TEST) are not covered unless they get the
// same vpn-filter line.
group-policy testAD attributes

   vpn-filter value restrict-user-rd13


// Attribution de paramètres

Radius-Filter-ID

Radius-Framed-IP

Radius-Framed-Netmask

Tunnel-Group-Lock


// Réécriture attributs


// LDAP attribute map: the directory attribute "ACMO" is presented to the PIX
// as the Cisco Tunnel-Group-Lock attribute, and the directory value MOY1300
// is rewritten to the tunnel-group name LAB-TEST. Users whose ACMO value has
// no map-value entry get no rewritten value — presumably no lock; confirm.
ldap attribute-map TUNNEL-GROUP-LOCK

 map-name  ACMO Tunnel-Group-Lock
 map-value ACMO MOY1300 LAB-TEST

MOY1300 - (1) - Délégation Languedoc-Roussillon

OpenLDAP => attribut indexé, le mappage ne fonctionne pas


// Regarder générer / ajouter certificat


10.55.x.x


// NAT
// PAT (NAT id 1) to each inside interface's own address for traffic entering
// from outside, i.e. VPN clients reaching the LANs; the "outside" keyword on
// the nat line makes this outside NAT. "tcp 0 0 udp 0" leaves the connection
// limits at 0 (unlimited). The "lab-test" interface is not created in the
// interface section of this note — presumably created from the template
// further down; confirm.
     global (dr13-normal) 1 interface
     global (dr13-admin) 1 interface
     global (lab-test) 1 interface
     nat (outside) 1 0.0.0.0 0.0.0.0 outside tcp 0 0 udp 0 


JXplorer

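   // Create the interface (template: replace <vlan-id>, <nom-interface>,
   // <adresse-ip> and <masque>). The literal address that used to sit here,
   // 172.19.13.23, is dr13-admin's own address and must not be reused.
   int eth1.<vlan-id>
       vlan <vlan-id>
       nameif <nom-interface>
       security-level 100
       ip add <adresse-ip> <masque>
       no shut
   // No NAT from the LAN toward the VPN: NAT exemption (nat 0) for the two LAN
   // subnets (193.49.133.0/24, 172.19.13.0/24) talking to the VPN pool
   // 192.168.221.0/24.
     access-list dr13-admin_nat0_outbound line 1 extended permit ip 193.49.133.0 255.255.255.0 192.168.221.0 255.255.255.0
     access-list dr13-admin_nat0_outbound line 2 extended permit ip 172.19.13.0 255.255.255.0 192.168.221.0 255.255.255.0
       nat (dr13-admin) 0 access-list dr13-admin_nat0_outbound  tcp 0 0 udp 0

   // Create the address pool (matches poolIPAD=192.168.221.1-254 of the testAD group above).
     ip local pool poolIPAD 192.168.221.1-192.168.221.254 mask 255.255.255.0

   // Create the restriction group

     // Networks reached through the tunnel; with split-tunnel-policy
     // tunnelspecified, only these go into the tunnel.
     access-list testAD_splitTunnelAcl standard permit 193.49.133.0 255.255.255.0
     access-list testAD_splitTunnelAcl standard permit 172.19.13.0 255.255.255.0

     group-policy testAD internal
     group-policy testAD attributes
       vpn-tunnel-protocol IPSec
       split-tunnel-policy   tunnelspecified
       split-tunnel-network-list value testAD_splitTunnelAcl
       dns-server value 193.49.133.208 193.49.133.112
       default-domain value dr13.cnrs.fr

   // Create the tunnel group. The aaa-server group "AD" referenced below is
   // not defined anywhere on this page — it has to exist before this is applied.
     tunnel-group testAD type remote-access
     tunnel-group testAD general-attributes
       default-group-policy testAD
       authentication-server-group AD
       address-pool  poolIPAD
     tunnel-group testAD ipsec-attributes
       // Group pre-shared key (redacted in this note).
       pre-shared-key **********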


// The first time (initial IKE/IPsec bring-up on the outside interface)

     // IKEv1 phase 1 policy: pre-shared key, 3DES, SHA-1, DH group 2, 24h lifetime.
     crypto isakmp enable outside
     crypto isakmp policy 10 authen pre-share
     crypto isakmp policy 10 encrypt 3des
     crypto isakmp policy 10 hash sha
     crypto isakmp policy 10 group 2
     crypto isakmp policy 10 lifetime 86400
     // Phase 2 transform sets, from AES-256/SHA down to single DES/MD5.
     // The DES and MD5-HMAC entries are the weak end of that range; they only
     // need to stay in the list if some client cannot negotiate AES/SHA.
     crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
     crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
     crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
     crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
     crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
     crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
     crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
     crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
     crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
     // Dynamic map for remote-access clients: PFS with DH group 2, and the
     // transform sets offered in the listed order (AES-128 first, DES last).
     crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2
     crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
     // Bind the dynamic map to the outside crypto map and apply it to the interface.
     crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
     crypto map outside_map interface  outside


193.49.132.226

255.255.255.192


// connexion rejected 713060

// connexion établie 713120

// connexion terminée 713050

maybe

// stats fin de session 113019

// mauvaise authentification utilisateur 713167


// ouverture connexion tcp 302013

// fermeture connexion tcp 302014

// ouverture connexion udp 302016

// Assignation d'adresse 713204

ou moins bien 713228



// Génération certificat

C=FR,O=CNRS,OU=MOY1300,CN=vpn.montp.cnrs.fr,EA=ssi@dr13.cnrs.fr

+ supprimer fqdn

Email=ssi@dr13.cnrs.fr

mappage de l'OU vers le tunnel-group


# Bundle the issued certificate, its private key and the demo CA certificate
# into a single PKCS#12 file (presumably for import on the PIX). openssl
# prompts for the export password when -export is used.
openssl pkcs12 -export -out mycert.p12 -name "MY CERTIFICATE" \
  -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem


int eth0


// Primary unit. LAN-based failover; the failover control link and the
// stateful link both use Ethernet0 under the name PIX-FAILOVER.
failover lan unit primary

failover lan enable

failover lan interface PIX-FAILOVER Ethernet0

// Key protecting the failover traffic between the two units. It must be
// identical on both units, and it is a credential in its own right — the
// value on this line is the literal key.
failover key iletaitunefoisCNRS

failover link PIX-FAILOVER Ethernet0

// Same command on both units: .254 is the active unit's address on the
// failover link, .253 the standby unit's.
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253

// Turn failover on once the lines above are in place.
failover


// Secondary unit. Identical to the primary block except for the unit role;
// the key and the "failover interface ip" line must match the primary's
// exactly or the units will not pair.
failover lan unit secondary

failover lan enable

failover lan interface PIX-FAILOVER Ethernet0

// Same literal key as on the primary.
failover key iletaitunefoisCNRS

failover link PIX-FAILOVER Ethernet0

failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253

failover

// Default route via the outside next hop 193.49.132.254 (same /26 as the
// outside interface address 193.49.132.225).
route outside 0.0.0.0 0.0.0.0 193.49.132.254


// pour agir sur l'unité standby depuis l'unité active : failover exec standby