Pix VPN Best practices Help 1

Status
Not open for further replies.

tek777

Technical User
Nov 6, 2001
I would like to know what the best and easiest way to allow users to VPN into the office by VPN using a pix 501. Is it as simple as configuring the VPN client software, and they authenticate to the pix? I tried to buy a book, Cisco Pix VPN, but it talks mostly about site-to-site and I am more interested in an intranet VPN.

I see some people using Microsoft's VPN through the pix for VPN access. That would work, but adding a server is one more thing to fail.

There seems to be a lot of choices when setting up a VPN. Choices like using IPSEC, PPTP, L2TP, Certificates, etc.

I would try to start working on a setup using the 501 as a test, and using the Cisco 4.x client software. I don't have the software for the client just yet. I will have access to my smartnet soon.

I just wanted peoples feedback on what they had implemented, and how it is working, or what you suggest. Expensive equipment like a VPN 5000 is out of the question right now on our budget at work. Any feedback welcome....

Thanks,

Brian
 
HI.

> I would try to start working on a setup using the 501 as a test, and using the Cisco 4.x client software.
Good. I think that this is the best choice.

For small business, I normally use Cisco VPN + XAUTH using their existing Win2000 server with IAS as a RADIUS server for user authentication.
Using XAUTH gives you better security because an attacker will need to know much more to gain access.
You can first establish VPN without XAUTH, and add that feature in second step after the VPN is working.

You can configure the pix using PDM, it does the job well.

You should remember to use a non-existing and non-overlapping subnet for VPN clients. i.e. if your internal subnet is 10.0.0.x then the VPN clients will use something else like 192.168.11.x

You should consider the VPN as one of the major holes in your firewall - which means:
Securing remote workstations - anti virus, windows updates, personal firewall (or WinXP ICF), Antispy/trojan, instructing the remote user how to work safely on the remote PC, securing their EMail, etc...

You should also consider bandwidth issues when planning to implement VPN. These can be handled in many cases by using remote control software solutions.



Yizhar Hurwitz
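The two-step approach described in this reply (get the Cisco VPN client working against the pix with a group pre-shared key first, then add XAUTH against IAS as a RADIUS server) and the non-overlapping client subnet, written out as an added PIX 6.x configuration example that is not part of the thread. It assumes an inside LAN of 10.0.0.0/24, a client pool of 192.168.11.0/24, a hypothetical IAS server at 10.0.0.5, and placeholder secrets in angle brackets.

```text
: Added example, not from the thread. Assumes PIX 6.x, inside 10.0.0.0/24,
: VPN client pool 192.168.11.0/24 and a hypothetical IAS RADIUS server at 10.0.0.5.
: --- Step 1: IPsec remote access with a group pre-shared key (no XAUTH yet) ---
: Client addresses come from a subnet that does not exist or overlap internally
ip local pool vpnpool 192.168.11.1-192.168.11.50
: Do not NAT traffic between the inside LAN and the VPN client pool
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list nonat
: Let decrypted IPsec traffic bypass the outside interface access list
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
: Dynamic map because remote clients have unknown source addresses
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside
isakmp enable outside
isakmp identity address
: Phase 1 policy matching the Cisco VPN client defaults (pre-shared key, group 2)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Group name and group password are what the VPN client connection entry uses
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.0.0.5
vpngroup remoteusers default-domain example.local
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <GROUP-PRESHARED-KEY>
: --- Step 2: add XAUTH so each user also authenticates to IAS over RADIUS ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5 <RADIUS-SHARED-SECRET> timeout 5
crypto map clientmap client authentication RADIUS
```

With step 2 in place the client must present both the group password and a valid user name and password from IAS, which is the "attacker needs to know much more" point made in the reply.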
 
OK, thanks for your reply. One other question :) If the clients use 192.168.11.x, would I put my IAS server on the 192, or on the 10 network? Do you have any simple example configs I could see? I set up the VPN using the 501 wizard, but I want to learn each part of it for when something goes wrong. I tried the VPN client, but I was not able to connect to the gateway, I will have to check my configs again. Thanks!
 
HI.

> would I put my IAS server on the 192, or on the 10 network
The IAS is normally on the internal network (or DMZ if you have one), so if internal network is 10.0.0.0 then IAS will have 10.0.0.X

> I tried the VPN client, but i was not able to connect to the gateway.
By default, a VPN client is unable to access the pix inside interface.
You should try accessing hosts on the internal network via the VPN, do not try to access the pix itself.



Yizhar Hurwitz
 