
PIX 515E with Radius W2k for VPN (PPTP)


Fritjof (Technical User, DE), Aug 23, 2002
Hello,

my company has just bought a PIX 515E to secure the internet access and I have to configure it. My basic configuration seems to work and now I am trying to go ahead. I would like to allow the users to log in to the network via VPN and I have some general questions about it.

I learned from Cisco TAC and in the forum that there are many ways to do VPN-Connections (IPSEC with Cisco Client, PPTP with W2k-Client...). For many reasons I would like to use the integrated W2k/XP VPN Client to connect to the network.

There are 2 ways to go now.

I can try to configure the pix in a way that it allows outside traffic on Port 1723 (PPTP) to pass through and connect to a W2k RAS server on the inside. The advantage of this is that I don't need a radius server. I have done this on a cisco router (1720) before via PAT and it worked. What do I have to do on the PIX?

The second way seems a little bit more secure to me and I would prefer to do so. I learned in the forum that it is possible to let the PIX establish the VPN connection via PPTP. Users can log on to the PIX using the standard W2k/XP client. To do so I need to set up a RADIUS server in the inside network. I would like to use the RADIUS server that comes with the W2k Server package. Is that possible? I have never used that software before, but in my understanding it should be completely AD-integrated, so that I don't have to create a new user database!? It sounds relatively painless to me. Does this work the way I explained it? Do you have any experience with this configuration? Tips & hints? How does the PIX configuration work?


Sorry for my bad English. Thanks in advance for any help.

Fritjof
 
HI.

Using the Cisco IPSec VPN has several advantages.
One of them is that you can require dual authentications - first authentication is group name and password or certificate (both options are preconfigured on the client system by the administrator in small organizations) , and the second authentication is to a RADIUS server which can be W2K IAS with AD username and password.
This gives you a higher degree of security.

But you're going to use PPTP, at least for now.
Both options that you have mentioned (internal VPN server or PIX as the PPTP server) are fine and doable.

> I can try to configure the pix in a way that it allows
> outside traffic on Port 1723
Yes, this method works.
You need to have "static" that maps to the internal vpn server, and allow both TCP 1723, *AND* GRE protocol:
static (inside,outside) x.x.x.x 10.0.0.5
access-list fromoutside permit tcp any host x.x.x.x eq 1723
access-list fromoutside permit gre any host x.x.x.x

> learned in the forum that it is possible to let the pix
> establish the VPN-connection via PPTP
Yes you can do it, and Yes the IAS of W2K can authenticate using AD credentials. The incoming users should have strong passwords of course, and they need (only them!) to have "Dial up" enabled in their user properties.

* Another option to consider for future and better security and management - a dedicated VPN server, either from MS (dedicated W2K server not connected to AD and with certificates and L2TP), Cisco (3005 for example) or other.

Bye
Yizhar Hurwitz
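The reply above boils PPTP pass-through down to three statements: a static mapping plus ACL permits for TCP 1723 and for GRE, on an address that is not the interface/PAT address. The following Python is an added example, not part of the thread or any Cisco tool; it parses those PIX-style lines and reports which of the three requirements a configuration snippet is missing. The addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the function and regex names are my own.

```python
import re

# Minimal line parser for the two PIX 6.x statement types used in the reply above.
STATIC_RE = re.compile(r"^static\s+\(\w+,\w+\)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(tcp|gre)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
)

def audit_pptp_passthrough(config, pat_address=None):
    """Return a list of findings for PPTP pass-through to each static-mapped host.

    Each static NAT entry needs two ACL permits on its global address: TCP 1723
    (the PPTP control channel) and protocol GRE (the tunnel itself). A global
    address that is also the PAT/interface address is flagged, since that is
    the configuration that did not work for the original poster.
    """
    statics, permits = {}, set()
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)  # global address -> inside host
            continue
        m = ACL_RE.match(line)
        if m:
            _, proto, host, port = m.groups()
            permits.add((proto, host, port))
    findings = []
    for glob, inside in statics.items():
        if pat_address and glob == pat_address:
            findings.append(f"{glob}: global address is also the PAT/interface address")
        if ("tcp", glob, "1723") not in permits:
            findings.append(f"{glob}: missing 'permit tcp any host {glob} eq 1723'")
        if ("gre", glob, None) not in permits:
            findings.append(f"{glob}: missing 'permit gre any host {glob}' for {inside}")
    return findings

# Constructed samples: the working layout from the thread with placeholder addresses,
# and a broken variant that reuses the PAT address and forgets the GRE permit.
GOOD = """static (inside,outside) 192.0.2.6 10.0.0.5
access-list fromoutside permit tcp any host 192.0.2.6 eq 1723
access-list fromoutside permit gre any host 192.0.2.6
"""
BAD = """static (inside,outside) 192.0.2.1 10.0.0.5
access-list fromoutside permit tcp any host 192.0.2.1 eq 1723
"""

if __name__ == "__main__":
    print(audit_pptp_passthrough(GOOD, pat_address="192.0.2.1"))  # []
    for finding in audit_pptp_passthrough(BAD, pat_address="192.0.2.1"):
        print(finding)
```

The check only looks at the three statement types; it does not verify that the access-list is actually bound to the outside interface.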
 
Hi Yizhar,

thank you for the configuration. It works very well. First I made the mistake of using the IP number of the outside interface (which I already use for PAT) for the VPN server. That configuration doesn't work at all. Now I use another IP number (which you told me to use in another post) and everything works fine now.

static (inside,outside) x.x.x.6 10.0.0.5
access-list fromoutside permit tcp any host x.x.x.6 eq 1723
access-list fromoutside permit gre any host x.x.x.6

The only problem I now have left is that I can't build up a PPTP connection from the inside to the outside. When I try to connect to an outside PPTP host I get to the authentication but never get authenticated. Do I have to make another access list?

Thanks

Fritjof
 
HI.

Yes, you have two options:

1) If you need the outbound PPTP connection on 1 or few internal hosts, you need to give each host a dedicated static nat mapping like you did with the server, and to permit incoming GRE traffic from the remote PPTP server.
This might require additional registered IP addresses if you don't have enough.

2) If you need to support many hosts, then you can consider using a W2K server as proxy using RRAS with NAT and DDR, or simply using it as a terminal server.

Bye
Yizhar Hurwitz
 
