PIX VPN ATTRIBUTI
Inviato: gio 17 apr , 2008 4:48 pm
Ciao a tutti!
Ho un pix 525 versione 6.3 che ho configurato come concentratore di vpn.
Dal mio pc lancio il vpn client, si chiude il tunnel ipsec sul pix e navigo in internet ( di default senza lanciare il vpn client non si navigherebbe) ed è giusto così!
Ora nasce l'esigenza di disciplinare i traffico verso internet. Ad esempio l'utente USER1 che si collega in vpn sul pix riceve il suo bell' ip assegnato da un pool dal pix e naviga ovunque. Vorrei invece che l'utente USER1 potesse fare per esempio solo "www" negandogli tutto il resto. L'utente USER2 potesse fare per esempio solo "https" e così via.
Premetto che il tutto dovrebbe essere configurato sul pix stesso senza l'ausilio di database esterni tipo radius o ias.
E' possibile definire in sintesi utenti con privilegi e/ attributi differenti ???Allego la configurazione minima che ho partorito e che vorrei grazie al vostro aiuto arricchire.
pix# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
hostname pix
domain-name domain.it
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap notifications
logging host inside 172.20.1.157
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.X.X.X 255.255.255.224
ip address inside 172.20.1.129 255.255.255.192
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool clients_ipsec 105.105.105.129-105.105.105.254 mask 255.255.255.128
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 105.105.105.128 255.255.255.128 0 0
route outside 0.0.0.0 0.0.0.0 Y.Y.Y.Y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set come_cripto esp-aes esp-sha-hmac
crypto dynamic-map dinamica 10 set transform-set come_cripto
crypto map pippo 10 ipsec-isakmp dynamic dinamica
crypto map pippo interface inside
isakmp enable inside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup USER1 address-pool clients_ipsec
vpngroup USER1 dns-server 151.99.125.2
vpngroup USER1 split-tunnel 101
vpngroup USER1 idle-time 1800
vpngroup USER1 password ********
vpngroup USER2 address-pool clients_ipsec
vpngroup USER2 dns-server 151.99.125.2
vpngroup USER2 split-tunnel 101
vpngroup USER2 idle-time 1800
vpngroup USER2 password ********
telnet timeout 30
ssh 172.20.1.128 255.255.255.192 inside
ssh 105.105.105.128 255.255.255.128 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:859422331800e80f0c7782fd79db8263
: end
Ho un pix 525 versione 6.3 che ho configurato come concentratore di vpn.
Dal mio pc lancio il vpn client, si chiude il tunnel ipsec sul pix e navigo in internet ( di default senza lanciare il vpn client non si navigherebbe) ed è giusto così!
Ora nasce l'esigenza di disciplinare i traffico verso internet. Ad esempio l'utente USER1 che si collega in vpn sul pix riceve il suo bell' ip assegnato da un pool dal pix e naviga ovunque. Vorrei invece che l'utente USER1 potesse fare per esempio solo "www" negandogli tutto il resto. L'utente USER2 potesse fare per esempio solo "https" e così via.
Premetto che il tutto dovrebbe essere configurato sul pix stesso senza l'ausilio di database esterni tipo radius o ias.
E' possibile definire in sintesi utenti con privilegi e/ attributi differenti ???Allego la configurazione minima che ho partorito e che vorrei grazie al vostro aiuto arricchire.
pix# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
hostname pix
domain-name domain.it
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap notifications
logging host inside 172.20.1.157
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.X.X.X 255.255.255.224
ip address inside 172.20.1.129 255.255.255.192
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool clients_ipsec 105.105.105.129-105.105.105.254 mask 255.255.255.128
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 105.105.105.128 255.255.255.128 0 0
route outside 0.0.0.0 0.0.0.0 Y.Y.Y.Y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set come_cripto esp-aes esp-sha-hmac
crypto dynamic-map dinamica 10 set transform-set come_cripto
crypto map pippo 10 ipsec-isakmp dynamic dinamica
crypto map pippo interface inside
isakmp enable inside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup USER1 address-pool clients_ipsec
vpngroup USER1 dns-server 151.99.125.2
vpngroup USER1 split-tunnel 101
vpngroup USER1 idle-time 1800
vpngroup USER1 password ********
vpngroup USER2 address-pool clients_ipsec
vpngroup USER2 dns-server 151.99.125.2
vpngroup USER2 split-tunnel 101
vpngroup USER2 idle-time 1800
vpngroup USER2 password ********
telnet timeout 30
ssh 172.20.1.128 255.255.255.192 inside
ssh 105.105.105.128 255.255.255.128 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:859422331800e80f0c7782fd79db8263
: end