Pix VPN
n.brote@st-r.com
// Upgrade failover PIX
interface ethernet1 auto
nameif ethernet1 inside security100
ip address inside 192.168.50.100 255.255.255.0
failover ip address inside 192.168.50.101
copy tftp://192.168.50.81/pix723.bin flash:image
// Création d'un groupe VPN IPSec
// GR DR13 admin
// GR DR13 user
// 1 GR par labo
// Annuaire LDAP
Tunnel-Group-Lock : attribut RADIUS 92, type String, valeur unique (Single) — nom du tunnel group, ou "none"
vlan 101 = normal
vlan 105 = admin
int eth1.101
vlan 101 nameif dr13-normal security-level 100 ip add 193.49.133.100 255.255.255.0 no shut
int eth1.105
vlan 105 nameif dr13-admin security-level 100 ip add 172.19.13.23 255.255.255.0 standby 172.19.13.24 no shut
int eth0 nameif outside security-level 0 ip add 193.49.132.225 255.255.255.192 no shut
193.49.133.208
dc=ad,dc=dr13,dc=cnrs,dc=fr
sAMAccountName
CN=pixdr,OU=DR13,DC=ad,DC=dr13,DC=cnrs,DC=fr
password
193.49.133.2
ou=people,dc=cnrs,dc=fr
groupe=testAD
secret-partagé=ciscoAD2008
poolIPAD=192.168.221.1-254
groupe=testOPENLDAP
secret-partagé=ciscoOPENLDAP2008
poolIPAD=192.168.222.1-254
groupe=LAB-TEST
secret-partagé=ciscoLABTEST2008
poolIPAD=192.168.223.1-254
route add -net
// ACLs
// source = VPN, destination = LAN
access-list restrict-user-rd13 deny tcp any host 193.49.133.2 eq 22
access-list restrict-user-rd13 permit ip any any
group-policy testAD attributes
vpn-filter value restrict-user-rd13
// Attribution de paramètres Radius-Filter-ID
Radius-Framed-IP
Radius-Framed-Netmask
Tunnel-Group-Lock
// Réécriture attributs
ldap attribute-map TUNNEL-GROUP-LOCK
map-name ACMO Tunnel-Group-Lock map-value ACMO MOY1300 LAB-TEST
MOY1300 - (1) - Délégation Languedoc-Roussillon
OpenLDAP => attribut indexé, mais le mappage ne fonctionne pas
// Regarder générer / ajouter certificat
10.55.x.x
// NAT
global (dr13-normal) 1 interface
global (dr13-admin) 1 interface
global (lab-test) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 outside tcp 0 0 udp 0
JXplorer
// Créer l'interface
int eth1.<vlan-id>
vlan <vlan-id>
nameif <nom-interface>
security-level 100
ip add 172.19.13.23 255.255.255.0
no shut
// No nat du LAN vers le VPN
access-list dr13-admin_nat0_outbound line 1 extended permit ip 193.49.133.0 255.255.255.0 192.168.221.0 255.255.255.0
access-list dr13-admin_nat0_outbound line 2 extended permit ip 172.19.13.0 255.255.255.0 192.168.221.0 255.255.255.0
nat (dr13-admin) 0 access-list dr13-admin_nat0_outbound tcp 0 0 udp 0
// Création du pool d'adresses
ip local pool poolIPAD 192.168.221.1-192.168.221.254 mask 255.255.255.0
// Création du groupe de restriction
// Définit les réseaux à sécuriser
access-list testAD_splitTunnelAcl standard permit 193.49.133.0 255.255.255.0
access-list testAD_splitTunnelAcl standard permit 172.19.13.0 255.255.255.0
group-policy testAD internal
group-policy testAD attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testAD_splitTunnelAcl
dns-server value 193.49.133.208 193.49.133.112
default-domain value dr13.cnrs.fr
// Création du groupe
tunnel-group testAD type remote-access
tunnel-group testAD general-attributes
default-group-policy testAD
authentication-server-group AD
address-pool poolIPAD
tunnel-group testAD ipsec-attributes
pre-shared-key **********
// La première fois
crypto isakmp enable outside
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
193.49.132.226
255.255.255.192
// connexion rejetée 713060
// connexion établie 713120
// connexion terminée 713050 (à vérifier)
// stats fin de session 113019
// mauvaise authentification utilisateur 713167
// ouverture connexion tcp 302013
// fermeture connexion tcp 302014
// ouverture connexion udp 302016
// Assignement adresse 713204
// ou, moins bien, 713228
// Génération certificat
C=FR,O=CNRS,OU=MOY1300,CN=vpn.montp.cnrs.fr,EA=ssi@dr13.cnrs.fr
+ supprimer fqdn
Email=ssi@dr13.cnrs.fr
// mappage OU vers tunnel-group
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -name "MY CERTIFICATE" -out mycert.p12
int eth0
failover lan unit primary
failover lan enable
failover lan interface PIX-FAILOVER Ethernet0
failover key iletaitunefoisCNRS
failover link PIX-FAILOVER Ethernet0
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253
failover
failover lan unit secondary
failover lan enable
failover lan interface PIX-FAILOVER Ethernet0
failover key iletaitunefoisCNRS
failover link PIX-FAILOVER Ethernet0
failover interface ip PIX-FAILOVER 10.55.254.254 255.255.255.0 standby 10.55.254.253
failover
route outside 0.0.0.0 0.0.0.0 193.49.132.254
// pour action depuis l'actif
failover exec standby