TACACS+ and PIX FIREWALL
am 20.11.2006 17:26:18 von vreyesiiHello,
I am installed TACACS+ on a Windows Server I defined two users to test
the configuration. On the PIX firewall I have a VPN configured for
PPTP. I want the PIX to authenticate the user for the VPN against the
TACACS+ server. I also want the PIX firewall to authenticate any
connection which is made to the PIX firewall from the outside against
the TACACS+ server. When I try to iniate a connection to the VPN
server. I get an error, and I am not able to connect to the VPN server.
Below is a copy of the PIX config.
Thank You,
vreyesii
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXX encrypted
passwd XXXXXXXX encrypted
hostname pixfirewall
domain-name XXXXXX.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound deny ip 59.124.0.0 255.252.0.0 any
access-list allow_inbound deny ip host 24.71.105.183 any
access-list allow_inbound deny ip host 163.27.116.133 any
access-list allow_inbound deny ip host 218.189.179.82 any
access-list allow_inbound deny ip host 84.60.164.161 any
access-list allow_inbound deny ip host 222.128.34.89 any
access-list allow_inbound deny ip host 202.64.47.108 any
access-list allow_inbound deny ip host 87.162.179.31 any
access-list allow_inbound deny ip host 70.255.106.164 any
access-list allow_inbound permit tcp any interface outside eq smtp
access-list allow_inbound permit tcp any interface outside eq pop3
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any host B.X.X.236 eq www
access-list allow_inbound permit tcp any host B.X.X.236 eq h323
access-list allow_inbound permit tcp any host B.X.X.236 eq 5060
access-list allow_inbound permit gre any interface outside
access-list allow_inbound permit tcp any interface outside eq 3000
access-list allow_inbound permit udp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 49153
access-list allow_inbound permit tcp any interface outside eq 10240
access-list allow_inbound permit tcp any interface outside eq 10241
access-list allow_inbound permit tcp any interface outside eq 10242
access-list allow_inbound permit udp any interface outside eq 10240
access-list allow_inbound permit udp any interface outside eq 10241
access-list allow_inbound permit udp any interface outside eq 10242
access-list allow_inbound permit tcp any interface outside eq 41170
access-list allow_inbound permit udp any interface outside eq 41170
access-list allow_inbound permit tcp any interface outside eq 4662
access-list allow_inbound permit tcp any interface outside eq 4000
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list do_not_nat permit ip 10.1.1.0 255.255.255.0 10.1.2.0
255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp permit any unreachable outside
icmp deny any echo outside
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside A.X.X.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name POLICY1 attack action alarm reset
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside POLICY1
ip audit info action alarm drop
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.1.1.7 255.255.255.255 inside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 10.1.1.8 255.255.255.255 inside
pdm location 10.1.1.30 255.255.255.255 inside
pdm location 10.1.1.251 255.255.255.255 inside
pdm location 10.1.1.252 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 216.178.32.48 255.255.255.255 outside
pdm location 216.178.32.49 255.255.255.255 outside
pdm location 216.178.32.50 255.255.255.255 outside
pdm location 216.178.32.51 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 10.1.1.253 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 inside
pdm location 64.61.25.171 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list do_not_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pop3 10.1.1.23 pop3 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.1.1.23 smtp netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 3000 10.1.1.23 3000 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 1000 10.1.1.23 1000 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 4662 10.1.1.8 4662 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 49153 10.1.1.2 49153 netmask
255.255.255.255 0 0
static (inside,outside) udp interface 49153 10.1.1.2 49153 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 4000 10.1.1.251 telnet netmask
255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask
255.255.255.255 0 0
static (inside,outside) B.X.X.236 10.1.1.7 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 A.X.X.1 1
route inside 192.168.2.0 255.255.255.0 10.1.1.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 nyc4u2me timeout 10
aaa authentication ssh console LOCAL
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0
0.0.0.0 AuthInbound
aaa authorization include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
AuthInbound
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
AuthInbound
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.252
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
vpngroup grace address-pool ippool
vpngroup grace default-domain xxxx.com
vpngroup grace split-tunnel 101
vpngroup grace idle-time 1800
vpngroup grace password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local ippool
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn username vmr2 password *********
vpdn username test2 password *********
vpdn enable outside
username vmr2 password GykSunQWdCv4dXFH encrypted privilege 15
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Unauthorized access and use of this network/device will be
prosecuted.
banner motd Unauthorized access and use of this network/device will be
prosecuted.
Cryptochecksum:24558cdd86e7726fc9cc5e299b277a8c
: end