Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Physical Security to PIX 501 VPN Solution. 1

Status
Not open for further replies.
xylax

xylax

MIS
Oct 14, 2005
31
US
I have a dilima with physical access to Cisco PIX 501s. I am about to deploy 70+ PIX 501s out to the field. Each PIX will have a VPN back to a PIX 515e, which is in my office. Anyone on the VPN will be on my domain. I'm a concerned with the physical access to the PIX 501s. My machines I have connected will be on a domain and will be restricted using Group Policies. However, anyone else could bring in their computer and plug into my network at anytime.

Due to some equipment at the location, DHCP will be enabled and each location will have their own subnet. Using an AAA server is not an option and since the 'mac-list' command only pertains to AAA, that's out. Anyone have any thoughts other than putting elmers glue into the empty ports?
 
Sort by date Sort by votes
What kind of switches at the remote sites? You can enable port security and have just one MAC per port, then disable all other ports. You could also go the route of 802.1x with AAA and authenticate to the domain controller through IAS.

Just a few options.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Each location has DSL, Cable, or Wireless modems from ISPs. All the modems are in bridged mode and the PIX is the authenticating device. Since there are only 3 devices, at max, at each location, no switches are installed.

Shon
Network Administrator
 
Upvote 0 Downvote
Ok, that's tougher. You can limit the # of DHCP leases to the exact amount needed for the site and make the lease times really long.

You can try this (although I have not) is to setup a fake AAA and give the MAC exemption to the MACs that you know and have all others authenticate. When they can't reach the fake AAA server, they fail and can't go across the VPN. I don't think cisco had this in mind, but it might work.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Good thinking. I've thought of those too. However, your first idea can be circumvented by programming the same IP address with the machine thats already at the location. The bad user will get an IP conflict but possibily get internet traffic anyways.

As for the second idea, I tried that as well but probably didn't do it right. When I tried to setup a fake AAA server, the PIX said that it didn't exist. Is there any way to force the PIX to point to a AAA server that doesn't exist?

Shon
Network Administrator
 
Upvote 0 Downvote
Then your best bet is 802.1x that authenticates across the VPN. You can get by just about everything else.

I haven't had it reject an AAA server that I hadn't spun up yet. That's odd. But, You can fake a MAC address just as easily as change your IP. So I would go with the .1x.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
I took what you said and pointed the aaa-server config to our firewall anyways. Looks like the main firewall, a PIX 515 accepted the 501's. Since there wasn't a username and password setup on the 515, it always asks for authentication in which nothing works. I applied the mac exempt list to it and viola! A working mac-list. Thanks for the help Brent!

Shon
Network Administrator
 
Upvote 0 Downvote
Glad it worked - That feature really should be included.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
255
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
272
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
266
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
117
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
335
Shmid
Shmid

Part and Inventory Search

Sponsor

Back
Top