SL Seminar By: Jim Gau

Lab topology (recovered from the diagram):
  PIX outside interface: 192.168.0.1
  PIX inside interface:  140.144.235.Z
  PIX dmz interface:     172.16.W.1 (DMZ hosts 172.16.W.2 and 172.16.W.3)
  Remote Client:         192.168.0.2 (outside, behind the switch)
  RadiusHost:            140.144.235.X (inside)
  TSHost:                140.144.235.Y (inside), translated to 192.168.0.Y

Install IAS on the inside host; choose Cisco as the RADIUS client, allow access in policy 1, and add authentication for PAP and CHAP.
  Remote user: aaauser
  Password:    aaapass

From the Remote Client, try http://192.168.0.Y/tsweb. The PIX should prompt you for a user name and password before the TS connection.

Base PIX configuration:
  names
  name 140.144.235.X RadiusHost
  name 140.144.235.Y TSHost
  name 192.168.0.Y TTSHost
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 dmz security50
  ip address outside 192.168.0.1 255.255.255.0
  ip address inside 140.144.235.Z 255.255.255.0
  ip address dmz 172.16.W.1 255.255.255.0
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  global (outside) 1 interface
  route outside 0.0.0.0 0.0.0.0 192.168.0.2

Translate the host to outside, option 1:
  access-list outside_access_in permit ip any host TTSHost
  access-group outside_access_in in interface outside
  static (inside,outside) TTSHost TSHost

Test and Attack:
  Ping 192.168.0.Y from the Remote Client.
  Ping 140.144.235.Y from the Remote Client. It should fail.
  Open the web page at http://192.168.0.Y
  Attack the 192.168.0.Y host from the Remote Client station: rpctest 192.168.0.Y
  Record the port 57005 and telnet to it: telnet 192.168.0.Y 57005

_______________________________________________________________________

Before AAA authentication, enable the VPN client in the PIX firewall (the 2nd group needs to change 192.168.5.0 to 192.168.6.0 or any network other than 5.0):
  access-list inside_outbound_nat0_acl permit ip 140.144.235.0 255.255.255.0 192.168.5.0 255.255.255.0
  ip local pool vpnclient 192.168.5.100-192.168.5.200
  nat (inside) 0 access-list inside_outbound_nat0_acl
  sysopt connection permit-pptp
  vpdn group PPTP-VPDN-GROUP accept dialin pptp
  vpdn group PPTP-VPDN-GROUP ppp authentication pap
  vpdn group PPTP-VPDN-GROUP ppp authentication chap
  vpdn group PPTP-VPDN-GROUP ppp authentication mschap
  vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
  vpdn group PPTP-VPDN-GROUP client configuration address local vpnclient
  vpdn group PPTP-VPDN-GROUP client configuration dns 4.2.2.1 4.2.2.2
  vpdn group PPTP-VPDN-GROUP pptp echo 60
  vpdn group PPTP-VPDN-GROUP client authentication local
  vpdn username remoteuser password remotepass
  vpdn enable outside

From the Remote Client (192.168.0.2), create a PPTP client connection to VPN into the inside network. The Remote Client should get the IP address 192.168.5.100 after VPNing into the PIX.
Ping and TS to 140.144.235.Y from the Remote Client. It should work this time.
Right-click the VPN icon in the task bar of the Remote Client and select Disconnect to close the VPN session.

_______________________________________________________________________

Wait for your instructor before entering the following commands on your PIX.
  aaa-server myradius protocol radius
  aaa-server myradius (inside) host RadiusHost secretkey
  aaa authentication include any inbound 0 0 0 0 myradius
  timeout uauth 0:05:00 absolute

At the RadiusHost, run Ethereal to capture and review the RADIUS authentication user name and password (encrypted, versus the Cisco CSACS server in clear text).
Repeat the above test and attack. Compare the results. Once authenticated, the attack still succeeds.

Translate the host to outside, option 2 (wait for your instructor before entering commands):
  access-list outside_access_in permit tcp any host TTSHost eq www
  access-list outside_access_in permit tcp any host TTSHost eq 3389
  access-group outside_access_in in interface outside
  static (inside,outside) tcp TTSHost 3389 TSHost 3389 netmask 255.255.255.255 0 0
  static (inside,outside) tcp TTSHost www TSHost www netmask 255.255.255.255 0 0

Repeat the above test and attack. Compare the results. Even when authenticated, the attack should fail.

_______________________________________________________________________

Troubleshoot the VPN client not working after enabling AAA authentication:

VPN to the PIX from the Remote Client. After the VPN connection is established, the remote desktop to 140.144.235.Y fails. Why?
Exclude the Remote Client from the authentication list:
  aaa authentication exclude any inbound 0 0 192.168.0.2 255.255.255.255 myradius

When you VPN to the PIX from the Remote Client, the PIX still requires authentication. Why?
At the PIX firewall:
  logging on
  logging host inside RadiusHost
  logging trap debugging
Review the Kiwi Syslog output (or VPNRemoteDesktopKiwiSyslog.txt). What is the source address trying to remote desktop?
At the RadiusHost, use Ethereal to capture (or view VPNPingEtherealCapture.cap) while pinging the 140.144.235.X host from the Remote Client. What is the source address you send to the PIX firewall after VPN? (192.168.5.100)

From the Kiwi Syslog and the Ethereal capture, we should update the exclude command to:
  no aaa authentication exclude any inbound 0 0 192.168.0.2 255.255.255.255 myradius
  aaa authentication exclude any inbound 0 0 192.168.5.100 255.255.255.255 myradius

VPN to the PIX from the Remote Client. It should work without authentication. The remote desktop to 140.144.235.Y should also work.

_______________________________________________________________________

Follow the other handouts to configure the Cisco 1242AP with Local RADIUS and WPA2 Enterprise security.
Follow the other handouts to configure the Cisco 1242AP with the repeater configuration.
Once the wireless workstation is authenticated and associated with the AP:
1. The wireless station can access the Internet (open the web site of the Remote Client at 192.168.0.2).
2. The wireless station cannot access the inside network by default.
3. For the wireless station to access the inside network, it can VPN to the PIX firewall and gain access to the servers in the inside network. The VPN client could be the Cisco VPN client or the Microsoft VPN client. The previous exercise also showed you how to VPN to the inside network from the Remote Client with the Microsoft PPTP VPN client. (Both VPN clients are covered in the CISN24 and CISS25 courses in detail.)
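As an added illustration (not part of the handout), the following Python script applies the two lessons of this lab to config text: it flags an outside ACE and a static that publish every port of the translated host (the option 1 pattern, under which the attack still succeeds after authentication) versus the port-limited option 2 pattern, and it checks which addresses of the vpnclient pool an "aaa authentication exclude" line actually covers. The fragments it parses are constructed copies of the handout's commands, and the token positions follow the PIX command syntax as it appears on this page.

```python
import ipaddress
# Constructed copies of the handout's commands, not a dump from a real PIX.
OPTION1 = """\
access-list outside_access_in permit ip any host TTSHost
static (inside,outside) TTSHost TSHost
"""
OPTION2 = """\
access-list outside_access_in permit tcp any host TTSHost eq www
access-list outside_access_in permit tcp any host TTSHost eq 3389
static (inside,outside) tcp TTSHost 3389 TSHost 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp TTSHost www TSHost www netmask 255.255.255.255 0 0
"""
POOL = "ip local pool vpnclient 192.168.5.100-192.168.5.200"
EXCLUDE = "aaa authentication exclude any inbound 0 0 192.168.5.100 255.255.255.255 myradius"

def _addr(t, i):
    """Parse one PIX address spec (any | host X | ADDR MASK) at t[i]; return (text, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def audit_exposure(config, published):
    """Findings for a published (global) name: ACEs and statics that open every port of it."""
    findings = []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2] == "permit":
            proto = t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            if dst == published and (proto == "ip" or port is None):
                findings.append(f"ACE permits {proto} from {src} to {dst} on every port")
        elif t[0] == "static" and t[2] not in ("tcp", "udp") and t[2] == published:
            findings.append(f"static {t[1]} maps every port of {t[2]} to {t[3]}")
    return findings

def _net(addr, mask):
    """PIX abbreviates 0.0.0.0 as 0; build a network object from ADDR MASK."""
    fix = lambda s: "0.0.0.0" if s == "0" else s
    return ipaddress.IPv4Network(f"{fix(addr)}/{fix(mask)}", strict=False)

def unexcluded_pool_addresses(pool_line, exclude_lines):
    """Pool addresses that no 'aaa authentication exclude ... inbound' foreign address covers."""
    first, last = pool_line.split()[-1].split("-")
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    # aaa authentication exclude SERVICE inbound LOCAL_IP LOCAL_MASK FOREIGN_IP FOREIGN_MASK TAG
    nets = [_net(t[7], t[8]) for t in (line.split() for line in exclude_lines)]
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)
            if not any(ipaddress.IPv4Address(a) in n for n in nets)]
```

Because the handout's exclude matches only 192.168.5.100, a second PPTP client that draws 192.168.5.101 from the pool is prompted again; an exclude whose mask covers the whole pool clears that finding.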