ip policy route-map LOOPNAT ip nat inside source list 1 interface Ethernet0 overload access-list 1 permit 10.0.0.0 0.255.255.255 route-map LOOPNAT permit 10 match ip address 1 set interface Loopback0 Note that Lo0 interface may have any ip address. ****************************************************************** ******** From: Question 29 Subject: How do I hide a summarized OSPF router from one ABR to another? area 1 range x.x.x.x x.x.x.x not-advertise ****************************************************************** ******** From: Question 30 Subject: How do I setup Windows 2000 and IPSec to PIX FIrewall To describe how to use the Local Security Policy MMC in W2K would take a long time. So, the config I will share with you is the 'dial-up' one I mentioned before. In this posting I will detail the bare minimum needed to get a W2K client working with a PIX firewall running v6.01 software. For simplicity I use a preshared key for authentication. Since I have to embed this key into the script I use it makes the configuration open and thus vulnerable. However, you should be able to tweak the configuration from this to meet your own security needs. The W2K IPSec client supports certificates as well as preshared keys so a "secure" version of this config is attainable. The configuration script I eked (it isn't beautiful code) out is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has it's own documentation which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled. Ok, enough blabber, here it is I hope it is helpful For the purposes of this 'demo' config. The PIX Firewall will have 192.168.0.1 as it's outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1 Quick Network Schematic: [W2K] > [Dial-Up WAN adapter (DHCP assigned address)] > [Internet] >[PIX Firewall(192.168.0.1)] > [Internal LAN (10.0.X.X)] > [Inside Router (10.0.0.1)] The PIX firewall commands needed are: sysopt connection permit-ipsec sysopt connection permit-l2tp sysopt ipsec pl-compatible crypto ipsec transform-set W2K esp-des esp-md5-hmac crypto ipsec transform-set W2K mode transport crypto dynamic-map W2KDynamic 11 set transform-set W2K crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic crypto map W2K-Map interface outside isakmp identity address isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0 isakmp policy 11 authentication pre-share isakmp policy 11 encryption des isakmp policy 11 hash md5 isakmp policy 11 group 1 isakmp policy 11 lifetime 28800 isakmp enable outside The Perl script I wrote is as follows. I execute this script everytime I establish a connection with my dial-up ISP. It then sets up the IPSec tunnel using my current ISP assigned IP Address. #begin listing # IPSecInit.pl # Written by: Steven Griffin Jr. # Date: 6 June, 2001. # Note: The basis of this code came from the PERL documentation site. # The original snippets came from the links below. # http://www.perldoc.com/perl5.6/lib/Net/hostent.html # http://www.perldoc.com/perl5.6/lib/Net/Ping.html # I should put this in POD format at somepoint but I am in a hurry right now. use Net::hostent; use Socket; #Two Variables: One for the local IP Address and one for the VPN Server #This script assumes that the VPN Server has a static IP $localipaddress, $VPNHostIP='192.168.0.1'; #The following section of code discerns the IP address of host provided #in the command line arguements. The default is the localhost. #NOTE: The code section is smart and gives you a routable IP (if available) and not just 127.0.0.1 # This section is pretty much identical to the one found on the PERL documentation site. # I just added an assignment of the discerned ipaddress to the $localipaddress variable. # I also changed the @ARGV assignment to 'localhost' instead of 'netscape.com' @ARGV = ('localhost') unless @ARGV; for $host ( @ARGV ) { unless ($h = gethost($host)) { warn "$0: no such host: $host\n"; next; } printf "\n%s is %s%s\n", $host, lc($h->name) eq lc($host) ? "" : "*really* ", $h->name; print "\taliases are ", join(", ", @{$h->aliases}), "\n" if @{$h->aliases}; if ( @{$h->addr_list} > 1 ) { my $i; for $addr ( @{$h->addr_list} ) { printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr); } } else { #my modification is on the next line. printf "\taddress is [%s]\n", $localipaddress= inet_ntoa($h->addr); } if ($h = gethostbyaddr($h->addr)) { if (lc($h->name) ne lc($host)) { printf "\tThat addr reverses to host %s \n", $h->name; $host = $h->name; redo; } } } #This next section is a very modified version of the Ping example on the Perl Documentation Website. #Now that we know our IP address, we can setup the IPSec tunnel. #First we try and ping our VPN server. use Net::Ping; $p = Net::Ping->new("icmp"); print "\nCan I see my firewall? "; if ($p->ping($VPNHostIP) ) { print "Yes\nAttempting to initialize IPSec Connection"; #Now that we can see our server, lets stop and start the W2K IPSec Policy Agent. #This deletes any 'dynamic' IPSec policies that may have been in effect before. print "\nResetting IPSec Policy Agent"; $cmdstring='Net Stop "IPSec Policy Agent"'; system($cmdstring); $cmdstring='Net Start "IPSec Policy Agent"'; system($cmdstring); #Now we issue the ipsecpol command to setup the tunnel to our VPN Server. #The ipsecpol command line utility can be found on Microsoft's Website. # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167 # or # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5 /EN-US/ipsecpol_setup.exe #MS requires two ipsecpol commands be issued in order to setup a tunnel. #One for the inbound traffic and one for the outbound traffic. # For this Tunnel I used the following settings: # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP Address. # The tunnel setting '-t' is either My IP Address or the VPN Server's IP Address. # The security method list '-s' is for DES-MD5-1 # The security negotiation setting '-n' is for ESP[DES,MD5] # We are using QuickMode key exchange '-1k' rekeys after 10 quick modes '10q' # We are using perfect forward secrecy '-1p' # For authentication we are using a preshared key '-a' # NOTE: the preshared key must be enclosed in double quotes # See the documentation of the utility for further details. print "\nSetup IPSec Tunnel"; #This sets-up the inbound leg of the tunnel. We are filtering all traffic inbound from 10.0.X.X to our IP address. #The critical part of this statement is that the -t arguement must contain our local IP. $cmdstring = 'ipsecpol -f 10.0.*.*='.$localipaddress.' -t '.$localipaddress.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"'; printf "\n%s",$cmdstring; system($cmdstring); #This sets-up the outbound leg of the tunnel. We are filtering all traffic outbound to 10.0.X.X from our IP address. #The critical part of this statement is that the -t arguement must contain the VPN Server's IP Address. $cmdstring = 'ipsecpol -f '.$localipaddress.'=10.0.*.* -t '.$VPNHostIP.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"'; printf "\n%s\n",$cmdstring; system($cmdstring); #Now that we have issued our commands. We should test the network and see if we can see inside it. #The internal router is the easiest target. Here it is 10.0.0.1. #We first do a ping just so that the IPSec tunnel with negotiate. W2K does not setup the tunnel # until you actually try and send traffic to a IPSec filtered IP address. #Now we do another ping and tell the user what happened. print "\nTrying to ping internal network: "; $p->ping("10.0.0.1"); if ($p->ping("10.0.0.1")) { print "Success\n"; sleep(1); } else { print "Failure\n"; sleep(1); } } else { # If we reach this point, we could not see our VPN Server's external IP address from our ISP. . will have 192.168.0.1 as it's outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1 Quick Network Schematic: [W2K] > [Dial-Up WAN adapter (DHCP. used the following settings: # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP Address. # The tunnel setting '-t' is either My IP Address or the VPN. the tunnel. We are filtering all traffic inbound from 10.0.X.X to our IP address. #The critical part of this statement is that the -t arguement must contain our local IP. $cmdstring = 'ipsecpol