
First Pix 501


tsgint
IS-IT--Management
May 8, 2001
I've completed basic configuration of a PIX 501 - at least it works - but now I want to add the remote access previously supplied by PPTP to an RRAS server on the LAN, and want to lose the RRAS server.
Router----PIX---Internal 192.168.0.0 NT4 LAN with Web/Exchange servers. Router previously supplied NATs; now routing the address group inside.
External PIX IP 202.101.109.30, internal 192.168.0.3
202.101.109.26 xlated to Web server
202.101.109.27 xlated to Exchange server
202.101.109.28-29 NATs for inside-out Internet access
202.101.109.30 PAT for inside-out overflow
Now I'm ready to re-establish remote access with better than PPTP security. We will be moving to Win2k next year.
No internal DNS...will set up later.
Questions:
1. Do I need TACACS, RADIUS, or SSH on an inside server to establish encryption/authentication, or can I set the PIX up, say with Cisco VPN Client 3.0 at the remote end, to terminate the tunnel and then gain access by logging on to the LAN as a client?
2. If the latter, which is the best way for security, and how do I configure the PIX to be the tunnel end - i.e. handling authentication/encryption? I'm leaning toward IPSEC with an address pool of 192.168.1.1-15.
3. Is there a quick way to test from the office, or do I need to be in two places at once...home/office?
I would like to get this done ASAP as the boss is pushing for his remote access.
Thanks in advance for any help.
By the way...
To get an Exchange server running inside the PIX, don't forget reverse DNS on the outside DNS server - 2 weeks' work to figure that one out.
To get everything functioning, don't forget to clear the ARP cache on the router...1 day to figure that out...
Thanks again.


The more I know...the dumber I get.
snrtech
 
Hi.

1. Do I need TACACS, RADIUS ...
No, an internal AAA server is optional, but recommended.
Without an internal AAA server you have single authentication (vpngroup name and password only).
With an internal AAA server, you have dual authentication, which gives you a higher degree of security and control (vpngroup and password + AAA username and password).

2. ...how do I configure the PIX...
There are 3 options that I know of for VPN configuration:
* PDM (Make sure you have the latest version).
* pixcript (from my site)
* Cisco samples:

3. Is there a quick way to test from the office ...
Yes, here are 2 ways to do it, but there are more - just use your imagination and common sense:
* If the PIX is not yet in production, you can set up a lab, connect a PC to the outside network of the PIX with proper IP addressing, and test from there.
You can also put a hub between the PIX and the router and connect the test PC there.
* Use a PC with a modem dial-up connection to an ISP for the test.

It is a very good idea to test in the office first.
You should know that there are some VPN issues related to the type of Internet connection that the remote client is using (for example, the Cisco VPN client to PIX does not like some ADSL implementations, and will not work behind PAT), but a good start is to first verify that it works at the office before implementing it at the client.

Bye
Yizhar Hurwitz
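As an added illustration (not configuration from either poster or from the pixcript site), this is what the PIX-terminated IPsec setup described above looks like in PIX 6.x syntax, using the thread's addressing (inside 192.168.0.0/24, client pool 192.168.1.1-15, tunnel ending on the outside interface) and showing the single-authentication form (vpngroup only) followed by the three lines that add an internal AAA server for dual authentication (XAUTH). The group name, the secrets, and the RADIUS host 192.168.0.5 are assumed placeholders; esp-3des needs the 3DES license.

```cisco
! Remote-access IPsec for Cisco VPN Client 3.x terminating on the PIX (PIX 6.x syntax)
! Addressing taken from the thread; names, secrets and the RADIUS host are assumed placeholders.

! Pool handed to VPN clients via mode-config (the 192.168.1.1-15 range from the question)
ip local pool vpnpool 192.168.1.1-192.168.1.15

! Exempt LAN<->VPN-client traffic from NAT/PAT so replies go back through the tunnel,
! not out the 202.101.109.28-30 translations
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.240
nat (inside) 0 access-list nonat

! Allow traffic that arrives decrypted over IPsec to bypass the outside interface access rules
sysopt connection permit-ipsec

! Phase 2: 3DES + SHA-1 (requires the 3DES-licensed PIX 501)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap client configuration address initiate
crypto map remotemap client configuration address respond
crypto map remotemap interface outside

! Phase 1: pre-shared group secret, 3DES/SHA-1, DH group 2
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Single authentication: every remote user shares the group name and group password
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GROUP-SECRET-PLACEHOLDER

! Dual authentication (the recommended option above): point the PIX at an internal RADIUS
! server and enable XAUTH, so each user must also supply an individual username/password
! after the group secret is accepted. Remove these three lines for vpngroup-only auth.
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.0.5 RADIUS-KEY-PLACEHOLDER timeout 5
crypto map remotemap client authentication AuthInbound
```

The group name and group password are what get entered in the VPN Client 3.x connection entry; the RADIUS username/password prompt only appears once the `client authentication` line is present.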
 
Thanks for the help...enjoyed your site.
Been building up PIX use as I get knowledge.

Followup: Using AAA, do I also implement IPsec or some other type of encryption? Does this not mean I have to issue keys? Or am I out to lunch?

Never thought of using a hub...beautiful!
Just pop a patch from the switch and move it over to the hub...presto, I've an outside connection.

Going to look at your script now. Thanks again.

The more I know...the dumber I get.
snrtech

 
Oh yes...purchased the PIX 501 with 3DES.
The more I know...the dumber I get.
snrtech
 