
Authentication through PIX LAN to LAN to a remote RADIUS server

Status
Not open for further replies.

jduran

IS-IT--Management
Jan 30, 2003
Hi forum:

I have 2 PIX 501 running a LAN to LAN VPN between them without problems. Say PIX1 is the HQ located PIX and PIX2 is the remote office PIX. I've installed a RADIUS server in the HQ LAN (inside interface of PIX1)

I can authenticate remote users using VPN 3000 Client on PIX2 locally (using VPNGROUPs) to access that LAN (remote office).

From one PIX I can't ping the inside interface of the other PIX. Also I can't ping the RADIUS server from PIX2. Pinging from the (inside) LANs is possible in both sides.

Is it possible to authenticate remote users on PIX2 through the RADIUS server (located in the HQ LAN) given that we already have a LAN to LAN established tunnel between both sites?

Any help would be appreciated. Thanks in advance.

 
HI.

> From one PIX I can't ping the inside interface of the other PIX
This is normal and by design.
The pix will not accept packets to its own interface that come from a different interface. VPN traffic is coming from outside, so you can't ping the inside interface.

> Also I can't ping the RADIUS server from PIX2
This is because the pix is pinging from the outside interface.
For this to work you will probably need to add another line to the access-list used by the VPN.
For example:
pix1 inside = 192.168.1.254
pix1 outside = a.a.a.a
pix2 inside = 192.168.2.254
pix2 outside = b.b.b.b

#Currently you have in pix 2:
access-list ??? permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map mymap 10 match address ???
#And you will need to add:
access-list ??? permit ip host b.b.b.b 192.168.1.0 255.255.255.0
#To encrypt traffic between pix outside interface and the RADIUS server.

You will need to add a mirrored access-list at pix1, like:
access-list ??? permit ip 192.168.1.0 255.255.255.0 host b.b.b.b

I guess that with those changes it will work.
But if you can install another RADIUS server behind PIX2 LAN, I think that it is a better and more fault-tolerant solution.

Bye
Yizhar Hurwitz
 
Thanks a lot Yizhar for answering.

I've managed to solve the problem in another way by publishing the radius server to the Internet (with a public IP address) and performing authentication from PIX2 via that public IP.

Putting a second radius server behind PIX2 is not a solution for me because I want centralized administration. Fault tolerance is ensured via a linux clustered radius server already running.

Again, thanks a lot
 
HI.

> I've managed to solve the problem in another way by publishing the radius server to the Internet
This is a less secure option because RADIUS encrypts only the passwords, and other info is sent unencrypted.

Using the VPN tunnel to encrypt the RADIUS traffic can give you a higher level of security.

Bye
Yizhar Hurwitz
 
Hi forum.

Does anybody have remote radius authentication via a LAN to LAN tunnel between a PIX and a CVPN3005?

Any help would be appreciated.
 