PIX 501 VPN issues......stupid user

lefty78

IS-IT--Management
May 29, 2002
Hello, hello...

I am an absolute newborn when it comes to firewalls and anything Cisco. This is a forced new job. My first interaction with anything Cisco related was opening the PIX 501. I currently do have it up and running on my LAN. My issues reside in further configuration.

I am blind to config dumps...I do not yet know how to read them and I do not know how to apply them if I could read them. I am a lost cause to this so if anyone out there can hold my hand through this I will appreciate it.

I want outside http requests -- i.e...from an IE browser, the user types the firewall's outside interface -- to be redirected to my internal web server at 192.168.1.2. I want this to be password protected.

I also want remote desktop connections for 4 internal computers. I want each user who authenticates to be directed to their respective machine. I have four static IP addresses, and they are assigned one to each machine (as well as the machine's 192.168.1.xxx address for internet access)

If you need any more info from me I will be glad to provide. I thank you in advance for your help...
 
HI.

> I want outside http requests -- i.e...from a IE browser,
Is this going to be a public web server, or for company roaming use only?

> I also want remote desktop connections for 4 internal computers...
For this, it is best to implement VPN.
You can ask your Cisco dealer for info about the Cisco VPN client software.
You can use PDM to generate a VPN configuration for the pix.
You can also use Cisco web site and pixcript for more info and samples of VPN:

Good luck.


Yizhar Hurwitz
 
I think I do have this all done...I was a newborn this morning and a young adult by the end of the day. I know that I have the access enabled so that vpn3000 clients can get to my LAN, now I have to go off site and see if my complete list of needed functions will ALL work. As far as the http situation, I have decided NOT to have a simple IP query bypass the pix and hit my web server...for obvious security reasons (it is actually web-site management software....)

I will come back on Monday and redirect any questions I may still have...in the meantime I will review the links and info you have forwarded to me...thanks for the help...

Who knows, maybe I'll go for my CCNA next week....I have come a hundred steps since this morning and it is all seeming easier and easier.....
 
ok....I have come a LONG way here. I have successfully configured the PIX for internet access, vpn access, and have upgraded both the firewall software and the pdm version....

NOW...I want to know if...

When a user logs on to the LAN with the vpn3000....is there a way I can then have them prompted for their windows authentication so they are allowed the same access as when they are physically on the LAN?....or is there further configuration with the PIX that can manage that? I would like for when they log on with the vpn3000 client to then be prompted with a windows domain logon....let me know if I make any sense, I will try my best to explain my wants....
 
HI.

> is there a way I can then have them prompted for their windows authentication
Yes, this is called XAUTH. You will need to configure a RADIUS server for this, on your Windows server.
It is a good idea to use XAUTH, because it better protects your network from attackers.

Do you have a Windows 2000 server?
Are the computers in Windows domain or workgroup?

The users will still need to authenticate at the application level (RDP).

Bye


Yizhar Hurwitz
 