Method One – SRA Appliance on LAN Interface

1.
2. Navigate to the Network > Interfaces page and click on the configure icon for the X0 interface. On the pop-up that appears, change the X0 address to 192.168.100.2 with a mask of 255.255.255.0. When done, click on the OK button to save and activate the change.
3. Navigate to the Network > Routes page and change the Default Gateway to 192.168.100.1. When done, click on the Accept button in the upper-right-hand corner to save and activate the change.
4. Navigate to the NetExtender > Client Addresses page. You will need to enter a range of IP addresses for the 192.168.100.0/24 network that are not in use on your internal LAN network; if your network has an existing DHCP server or the PIX is running a DHCP server on its internal interface, you will need to make sure not to conflict with these addresses. For example: enter 192.168.100.201 in the field next to Client Address Range Begin:, and enter 192.168.100.249 in the field next to Client Address Range End:. When done, click on the Accept button in the upper-right-hand corner to save and activate the change.
5. Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0. If there is an entry for 192.168.200.0, delete it.
6. Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click on the Accept button in the upper-right-hand corner to save and activate the change.
7. Navigate to the System > Restart page and click on the Restart… button.
8.
9.
10. Issue the command ‘clear http’ to shut off the PIX’s HTTP/S management interface.
11. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX)
12. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq https’ (replace x.x.x.x with the WAN IP address of your PIX)
13. Issue the command ‘static (inside,outside) tcp x.x.x.x www 192.168.100.2 www netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX)
14. Issue the command ‘static (inside,outside) tcp x.x.x.x https 192.168.100.2 https netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX)
15. Issue the command ‘access-group sslvpn in interface outside’
16. Exit config mode and issue the command ‘wr mem’ to save and activate the changes.
17.
Final Config Sample – Relevant Programming in Bold:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted
passwd SqjOo0II7Q4T90ap encrypted
hostname tenaya
domain-name vpntestlab.com
clock timezone PDT -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
pager lines 24
logging on
logging timestamp
logging buffered warnings
logging history warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
no ip address dmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside
route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer
no snmp-server location
no snmp-server contact
snmp-server community SF*&^SDG
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside
dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750
dhcpd domain vpntestlab.com
dhcpd enable inside
terminal width 80
banner motd Restricted Access. Please log in to continue.
Cryptochecksum:422aa5f321418858125b4896d1e51b89
: end
tenaya#
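
Added example (not part of the original guide): a short Python check that reads a saved PIX configuration and verifies the Method One settings above. It confirms that the NetExtender client range avoids the PIX DHCP scope, that each sslvpn permit has a matching static to the SRA, and that the access-group is applied; it also lists management services that accept any source address. The function name audit and the embedded excerpt are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed input: lines taken from the sample PIX config on this page.
SAMPLE_CONFIG = """\
access-list sslvpn permit tcp any host 64.41.140.167 eq www
access-list sslvpn permit tcp any host 64.41.140.167 eq https
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
dhcpd address 192.168.100.101-192.168.100.199 inside
"""

def audit(config, sra_ip, pool_begin, pool_end):
    """Return findings for a PIX config fronting an SRA appliance (hypothetical helper)."""
    ip = ipaddress.ip_address
    findings = []
    # Step 4: the NetExtender client range must not collide with the PIX DHCP scope.
    for lo, hi in re.findall(r"^dhcpd address (\S+?)-(\S+) inside", config, re.M):
        if ip(pool_begin) <= ip(hi) and ip(lo) <= ip(pool_end):
            findings.append(f"NetExtender pool overlaps dhcpd scope {lo}-{hi}")
    # Steps 11-14: every ACL permit needs a static to the SRA for the same port.
    permits = set(re.findall(
        r"^access-list sslvpn permit tcp any host (\S+) eq (\S+)", config, re.M))
    statics = set()
    for wan, port, lan, lan_port in re.findall(
            r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask", config, re.M):
        statics.add((wan, port))
        if (lan, lan_port) != (sra_ip, port):
            findings.append(f"static for {wan} {port} forwards to {lan} {lan_port}")
    for wan, port in sorted(permits ^ statics):
        findings.append(f"permit/static mismatch for {wan} {port}")
    # Step 15: the ACL has no effect until it is bound to the outside interface.
    if not re.search(r"^access-group sslvpn in interface outside", config, re.M):
        findings.append("access-list sslvpn is not applied to outside")
    # Management listeners that accept any source address.
    for proto, iface in re.findall(r"^(ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        findings.append(f"{proto} management open to any source on {iface}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.168.100.2", "192.168.100.201", "192.168.100.249"):
        print(finding)
```

Run against the sample configuration with the client range from step 4, the only findings are the telnet and ssh lines that accept 0.0.0.0 0.0.0.0, including ssh on the outside interface.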