
Remote User VPN using PIX 515


Udir

Technical User
Aug 16, 2001
I currently use MS RAS for VPN and want to transition off of it. I have a PIX 515 with 3DES and DES enabled, and I want remote users to VPN through the PIX rather than the RAS server. I am just looking for the pieces that I will need to effectively utilize the PIX and enable VPN. Which client do you suggest and what other software? I want each remote user to use a separate login and it would be nice if it were their AD login, but not required.

Thanks.
 
HI.

You will need the Cisco VPN client - ask your Cisco dealer for this.

What is the pix OS version? What is the PDM version?

> I want each remote user to use a separate login ...
You can use a single group name and group password defined on the pix, and for user authentication you should use XAUTH (RADIUS) to the MS server (is it W2K?).
On the MS server you install RADIUS server, it is called Internet Authentication Service on W2K and can be installed from Add/Remove programs.

For more details please provide more info about the software versions in use (Pix, PDM, MS).

Bye


Yizhar Hurwitz
 
We are running OS Version 6.2(1).

The PDM is not installed. (Would you recommend that it be?)

DC in on MS is 4.0.

The problem with using 1 username and password for login is that when someone leaves they don't want to have to change the VPN password. Would this affect that decision?

 
HI.

> The PDM is not installed. (Would you recommend that it be?)
Yes. Install the latest PDM. It has a VPN wizard and options that can help you, along with other management features.

> DC in on MS is 4.0.
You mean NT4?
If so, you can install RADIUS server using the NT4 Option Pack (the IIS4 setup).
But remember that this may require reapplying service packs and updates afterwards and several server restarts.
(I've installed IAS only on W2K servers and didn't try NT4 yet).

> The problem with using 1 username and password ...
With the pix IPSec VPN, you have dual authentication.
First is called group (group name and password)
The second is called XAUTH (user authentication with RADIUS).

So even if the group name and password are compromised, it is not enough to let someone in.
Therefore you do not need to define a different group name and password for each user.

For even stronger authentication, you can implement CA certificates instead of the group authentication.

Bye
Yizhar Hurwitz
 
Ok, I appreciate your help. I have some questions/need some suggestions in which direction to go.

We have about 500 users network wide, and I have no problems with most of the network users, but I do have about 15-20 users that use non-company computers to connect to the network using MS Remote Access software. Their computers are not a part of our domain or they belong to another domain. Will the Cisco group username and password work in the situation where these users are not a part of our internal network? I hope this is clear, if not let me know.

Thanks for your help.
 
HI.

If you mean that you have 500 VPN clients, or even at least 50, I suggest that you use a dedicated VPN server instead of the pix, which can offload the pix but more important it will give you a higher degree of control on the VPN traffic.

Look for the Cisco VPN server or other vendors - it is not cheap but could be the best solution.

You can also work with a combination of Cisco VPN clients (for your company users) and MS PPTP clients (for the other company) with different "ip local pool" addresses, and then you limit the level of access that PPTP clients have using access-lists or some other method.

Bye
Yizhar Hurwitz
 
We have on a daily average about 10-15 VPN users. 500 is the number of users in our network.

Can the MS PPTP client log into the network if the PIX is handling VPN? But that goes back to the issue of how do you integrate VPN group accounts and users accounts with RADIUS when the passthrough information is different from their domain to ours?

 
Ok tell me if this will work.

I have 2 types of users: Domain users that need access to the entire network while remote. Use a VPN group and RADIUS server to support these users' access to the network. Only problem I have with this is salesmen with their home computer that VPN into the network. Suggestions?


2nd type of user: Non-employee access
Create a second type of VPN usergroup inside the pix (Is it possible?) and then restrict their access with Access list (is that possible?) to only use specific ip address inside the company?

Suggestions?
 
HI.

> Can the MS PPTP client log into the network if the PIX is handling VPN?
Yes, it does not really matter.
It is the same idea that a RAS (modem) client can access network resources whether it connects to a Cisco, 3COM or MS RAS server.


> Ok tell me if this will work ....
Yes, it can work, seems like a reasonable plan.
But it requires careful design and implementation.
> Create a second type of VPN usergroup inside the pix (Is it possible?)
Yes - possible.
> and then restrict their access with Access list (is that possible?)
Yes - but you will need to disable the permit-ipsec:
no sysopt connection permit-ipsec
Then create a different "ip local pool" for each group (type) of VPN clients, and use access-list (the same access-list which is bound to the outside interface) to control access.

Plan also for monitoring and verifying your implementation - do not just "put and forget".

Bye
Yizhar Hurwitz
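The following PIX 6.2 configuration fragment is an added illustration of the plan discussed in this thread (group password plus RADIUS XAUTH, one "ip local pool" per client type, "no sysopt connection permit-ipsec" and an outside access-list that limits the non-employee pool). It is not from any of the posters; every address, pool name, group name and secret in it is an assumed placeholder to be replaced.

```text
! Added illustrative PIX 6.2 fragment, not from the thread.
! Assumed values: inside net 10.1.0.0/16, MS IAS (RADIUS) at 10.1.1.5,
! staff pool 192.168.100.0/24, contractor pool 192.168.101.0/24,
! contractors may reach only host 10.1.1.20. Replace all of them.

! --- XAUTH user authentication against the MS RADIUS (IAS) server ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 RADIUSSECRET timeout 5

! --- One address pool per client type so the ACL can tell them apart ---
ip local pool staffpool 192.168.100.1-192.168.100.254
ip local pool contractorpool 192.168.101.1-192.168.101.254

! --- IKE / IPSec policy using the 3DES the PIX in the thread has ---
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside

! --- Two vpngroups: group password (1st factor) + XAUTH (2nd factor) ---
vpngroup staff address-pool staffpool
vpngroup staff idle-time 1800
vpngroup staff password STAFFGROUPSECRET
vpngroup contractors address-pool contractorpool
vpngroup contractors idle-time 1800
vpngroup contractors password CONTRACTORGROUPSECRET

! --- Keep VPN pool traffic out of NAT (covers both /24 pools) ---
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.254.0
nat (inside) 0 access-list nonat

! --- Decrypted traffic must pass the outside ACL; filter by pool ---
no sysopt connection permit-ipsec
access-list outside_in permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_in permit ip 192.168.101.0 255.255.255.0 host 10.1.1.20
access-list outside_in deny ip 192.168.101.0 255.255.255.0 any
access-group outside_in in interface outside
```

The explicit deny line is redundant with the implicit deny at the end of the ACL but gives a visible hit counter for contractor traffic that was blocked, which helps with the monitoring the last reply recommends.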
 