Secure Mobile Access 100 10.2 Administration Guide

Method One – SMA Appliance on LAN Interface

  1. From a management system, log in to the SMA appliance’s Secure Mobile Access management interface. By default, the management interface is X0 and the default IP address is 192.168.200.1.
  2. Navigate to the Network > Interfaces page and click on the configure icon for the X0 interface. On the pop-up that appears, change the X0 address to 192.168.100.2 with a mask of 255.255.255.0. When done, click OK to save and activate the change.
  3. Navigate to the Network > Routes page and change the Default Gateway to 192.168.100.1 When done, click Accept in the upper-right corner to save and activate the change.
  4. Navigate to the NetExtender > Client Addresses page. You need to enter a range of IP addresses for the 192.168.100.0/24 network that are not in use on your internal LAN network; if your network has an existing DHCP server or the PIX is running a DHCP server on its internal interface, you need to make sure not to conflict with these addresses. For example: enter 192.168.100.201 in the field next to Client Address Range Begin: and enter 192.168.100.249 in the field next to Client Address Range End:. When done, click Accept in the upper-right corner to save and activate the change.
  5. Navigate to the NetExtender > Client Routes page. Add a client route for 192.168.100.0. If there is an entry for 192.168.200.0, delete it.
  6. Navigate to the Network > DNS page and enter your internal network’s DNS addresses, internal domain name, and WINS server addresses. These are critical for NetExtender to function correctly. When done, click Accept in the upper-right corner to save and activate the change.
  7. Navigate to the System > Restart page and click Restart…
  8. Install the SMA appliance’s X0 interface on the LAN network of the PIX. Do not hook any of the appliance’s other interfaces up.
  9. Connect to the PIX’s management CLI by way of the console port, telnet, or SSH and enter configure mode.
  10. Issue the command ‘clear http’ to shut off the PIX’s HTTP/S management interface.
  11. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq www’ (replace x.x.x.x with the WAN IP address of your PIX)
  12. Issue the command ‘access-list sslvpn permit tcp any host x.x.x.x eq https’ (replace x.x.x.x with the WAN IP address of your PIX)
  13. Issue the command ‘static (inside,outside) tcp x.x.x.x www 192.168.100.2 www netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX)
  14. Issue the command ‘static (inside,outside) tcp x.x.x.x https 192.168.100.2 https netmask 255.255.255.255 0 0’ (replace x.x.x.x with the WAN IP address of your PIX)
  15. Issue the command ‘access-group sslvpn in interface outside’
  16. Exit config mode and issue the command ‘wr mem’ to save and activate the changes.
  17. From an external system, attempt to connect to the SMA appliance using both HTTP and HTTPS. If you cannot access the SMA appliance, check all previous steps and test again.
Final Config Sample – Relevant Programming in Bold:
PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto
interface ethernet2 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security4
enable password SqjOo0II7Q4T90ap encrypted passwd SqjOo0II7Q4T90ap encrypted hostname tenaya
domain-name vpntestlab.com clock timezone PDT -8
clock summer-time PDT  recurring fixup protocol dns maximum-length 512 fixup protocol ftp 21
fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80
fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names
access-list sslvpn permit tcp any host 64.41.140.167 eq www access-list sslvpn permit tcp any host 64.41.140.167 eq https pager lines 24
logging on logging timestamp
logging buffered warnings logging history warnings mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 64.41.140.167 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0 no ip address dmz
ip audit info action alarm ip audit attack action alarm pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
static (inside,outside) tcp 64.41.140.167 www 192.168.100.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.41.140.167 https 192.168.100.2 https netmask 255.255.255.255 0 0
access-group sslvpn in interface outside route outside 0.0.0.0 0.0.0.0 64.41.140.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.43.244.18 source outside prefer no snmp-server location
no snmp-server contact
snmp-server community SF*&^SDG no snmp-server enable traps floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 20
dhcpd address 192.168.100.101-192.168.100.199 inside dhcpd dns 192.168.100.10
dhcpd lease 600
dhcpd ping_timeout 750 dhcpd domain vpntestlab.com dhcpd enable inside terminal width 80
banner motd Restricted Access. Please log in to continue. Cryptochecksum:422aa5f321418858125b4896d1e51b89
: end tenaya#

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.