
RA Authentication problems 1


bitslave (Technical User), May 10, 2004
This question may not make much sense, but I've now been completely confused by the lack-luster documentation on CCO.

I'm trying to configure my PIX515 for remote access. I would like to use IPSec, but cannot figure out a way to authenticate users. Seems that if I want to use pre-shared keys, I must know where the RA users are coming from. What about RSA-Sigs? I would love to use the Radius server on my internal Domain Controller.

I'm pulling my hair out and my head is swimming! If anyone has any advice, I'd love to hear from you.

Thanks
 
The documentation on CCO is actually quite good on this issue. You don't need a static IP to use preshared keys for the first step of authentication, and you can then pass off further authentication to an internal RADIUS server. I'm assuming you want to connect using the Cisco VPN Client, as you haven't specified.

Have a look here for full documentation:


CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Thanks Chicocouk. After my frustration subsided a bit, I did find that doc and actually used it to configure the PIX and Radius server. The only problem with that doc is that there is a section in it describing how to create an acl to avoid having tunnel traffic NATed, but the acl entry (and associated ip pool) references a subnet not shown on the diagram. Perhaps I'm just too much in the "flat network" frame of mind since I'm in a small shop with one internal subnet. Given that my internal subnet is 192.168.1.0 and I want to use .101-.105 for my pool, how would I write this acl?

I am using the VPN client and it is authenticating to the firewall and handling my subsequent Radius authentication ok, but once it sets my session up and configures the virtual adaptor with IP and DNS, I am unable to access any resources on the network. Others can ping me, but I can't ping them. Ideas?

I appreciate your assistance.
 
You mean access-list 101 on that documentation, right? It's not particularly clear there, I'd more than admit that, but basically you're allowing traffic from your lan to the range of ips you let people dial in and receive, the local pool of addresses.

One thing that everyone does the first time they set this up, which you're not supposed to do, is assign a group of ips on the same subnet as your local range. So in your case DON'T use 192.168.1.101 - 105 for your remote access clients, use a different (private) subnet, then tell the pix not to nat the traffic between those subnets.

In other words, try a config along these lines:

ip local pool ippool 172.16.30.1-172.16.30.254
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.16.30.0 255.255.255.0
nat (inside) 0 access-list 101

And the rest as it is in the cisco documentation. So your remote access clients dial in and get assigned an ip on the 172.16.30.0/24 range, but this range has full access to the internal 192.168.1.0/24 range. That's what the "sysopt connection permit-ipsec" command does. If you want to limit the access the remote access users get, remove that command from the config and configure acls to only allow them the access you want them to have (smtp, pop3 but no shares, for example).

If you assign the remote access users ips on the local subnet all kinds of fun things happen. Sometimes it works, sometimes it doesn't. And you can be sure if you call TAC to troubleshoot it, the first thing they'll tell you to do is to change the localpool so it's on a separate subnet.

Hope that makes some sense :)

Chico

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
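A small check, added here and not taken from the thread or from Cisco's documentation, that builds the NAT-exemption lines Chico shows above from an inside LAN and a client pool, and refuses a pool that overlaps the LAN (the 192.168.1.101-105 case). Function and argument names are my own.

```python
import ipaddress


def covering_network(first, last):
    """Smallest IPv4 prefix that contains the whole first..last range.

    The PIX access-list needs a network/mask, not an address range, so
    172.16.30.1-172.16.30.254 becomes 172.16.30.0/24.
    """
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if last < first:
        raise ValueError("pool range is reversed")
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def pix_nat_exemption(inside_cidr, pool_first, pool_last,
                      acl_id=101, pool_name="ippool"):
    """Return the PIX 6.x lines that hand out the pool and exempt
    LAN<->pool traffic from NAT (nat 0 with an access-list).

    Raises ValueError when the pool lies inside the inside LAN, which is
    the setup the thread warns against. Access permission itself still
    comes from "sysopt connection permit-ipsec" or explicit acls.
    """
    inside = ipaddress.ip_network(inside_cidr, strict=True)
    pool_net = covering_network(pool_first, pool_last)
    if inside.overlaps(pool_net):
        raise ValueError(
            f"pool {pool_first}-{pool_last} overlaps inside LAN {inside}; "
            "use a separate private subnet for remote-access clients")
    return [
        f"ip local pool {pool_name} {pool_first}-{pool_last}",
        f"access-list {acl_id} permit ip {inside.network_address} "
        f"{inside.netmask} {pool_net.network_address} {pool_net.netmask}",
        f"nat (inside) 0 access-list {acl_id}",
    ]


if __name__ == "__main__":
    # Constructed values matching the thread: inside LAN and Chico's pool.
    for line in pix_nat_exemption("192.168.1.0/24",
                                  "172.16.30.1", "172.16.30.254"):
        print(line)
```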
 
Worked great! Thanks for your valuable insight!
 