Secure Mobile Access 100 10.2 Administration Guide
Table of Contents
Method Two – SMA Appliance on DMZ Interface
This method is optional and requires that the PIX have an unused third interface, such as a PIX 515, PIX 525, or PIX 535. We are using the default numbering scheme of the SMA appliance.
- From a management system, log in to the SMA appliance’s Secure Mobile Access management interface. By default, the management interface is X0 and the default IP address is
192.168.200.1. - Navigate to the Network > Routes page and make sure the Default Gateway is set to
192.168.200.2. When done, click Accept in the upper-right corner to save and activate the change. - Navigate to the Clients >Settings > Client Addresses page. Enter
192.168.200.201in the field next to Client Address Range Begin: and enter192.168.200.249in the field next to Client Address Range End:’. When done, click Accept in the upper-right corner to save and activate the change. - Navigate to the Clients >Settings > Client Routes page. Add a client route for
192.168.100.0and192.168.200.0. - Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click Accept in the upper-right corner to save and activate the change.
- Navigate to the System > Restart page and click Restart…
- Install the SMA appliance’s X0 interface on the unused DMZ network of the PIX. Do not hook any of the appliance’s other interfaces up.
- Connect to the PIX’s management CLI by way of console port, telnet, or SSH and enter configure mode.
- Issue the command
‘clear http’to shut off the PIX’s HTTP/S management interface. - Issue the command
‘interface ethernet2 auto’(or whatever interface you are using) - Issue the command
‘nameif ethernet2 dmz security4’(or whatever interface you are using) - Issue the command
‘ip address dmz 192.168.200.2 255.255.255.0’ - Issue the command
‘nat (dmz) 1 192.168.200.0 255.255.255.0 0 0’ - Issue the command
‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX) - Issue the command
‘access-list sslvpn permit tcp any host x.x.x.x eq https’(replace x.x.x.x with the WAN IP address of your PIX) - Issue the command
‘access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0’ - Issue the command
‘access-list dmz-to-inside permit ip host 192.168.200.1 any’ - Issue the command
‘static (dmz,outside) tcp x.x.x.x www 192.168.200.1 www netmask 255.255.255.255 0 0’(replace x.x.x.x with the WAN IP address of your PIX) - Issue the command
‘static (dmz,outside) tcp x.x.x.x https 192.168.200.1 https netmask 255.255.255.255 0 0’(replace x.x.x.x with the WAN IP address of your PIX) - Issue the command
‘static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0’ - Issue the command
‘access-group sslvpn in interface outside’ - Issue the command
‘access-group dmz-to-inside in interface dmz’ - Exit config mode and issue the command
‘wr mem’to save and activate the changes. - From an external system, attempt to connect to the SMA appliance using both HTTP and HTTPS. If you cannot access the SMA appliance, check all previous steps and test again.
PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto
nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted passwd SqjOo0II7Q4T90ap encrypted hostname tenaya
domain-name vpntestlab.com clock timezone PDT -8
clock summer-time PDT recurring fixup protocol dns maximum-length 512 fixup protocol ftp 21
fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80
fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69
names
access-list sslvpn permit tcp any host 64.41.140.167 eq www access-list sslvpn permit tcp any host 64.41.140.167 eq https
access-list dmz-to-inside permit ip 192.168.200.0 255.255.255.0 192.168.100.0
255.255.255.0
access-list dmz-to-inside permit ip host 192.168.200.1 any pager lines 24
logging on logging timestamp
logging buffered warnings mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.200.2 255.255.255.0 ip audit info action alarm
ip audit attack action alarm pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (dmz) 1 192.168.200.0 255.255.255.0 0 0
static (dmz,outside) tcp 64.41.140.167 www 192.168.200.1 www netmask 255.255.255.255
0 0
static (dmz,outside) tcp 64.41.140.167 https 192.168.200.1 https netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 0 0 access-group sslvpn in interface outside
access-group dmz-to-inside in interface dmz route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750 dhcpd domain vpntestlab.com dhcpd enable inside terminal width 80
banner motd Restricted Access. Please log in to continue. Cryptochecksum:81330e717bdbfdc16a140402cb503a77
: end