
Restrict access to a PIX VpnGroup

Status
Not open for further replies.

salibas007 (IS-IT--Management, CA), Feb 10, 2004
I have one question for all of you... I'd REALLY appreciate an answer to this one....
I am writing a proposal on an implementation of a client VPN scenario on a PIX 525. My client is going to provide client VPN access to certain of its partners in the world. Each partner will have their own vpngroup configured on the PIX in order to limit their access to certain services and certain machines. Now each vpngroup has a password, and that works just fine.
My concern is: what stops 2 partners from exchanging the configuration file that comes with the Cisco VPN client 3.5 (I believe it's a *.pcf file)? They will be able to start a tunnel, authenticate on the RADIUS (because they both have access granted) and have access to the wrong server !!!! The config file could be just imported in any VPN client, and voila..... the tunnel will start (I know they still need to authenticate... but the tunnel is started).

Now my question is: How can I limit a user to a particular vpngroup, say that Mr John should ONLY have access to the vpngroup labeled john. Is that possible ???? Can I somehow associate the user with a vpngroup ??? Does Cisco Secure ACS do this ??? I am currently using Microsoft's version of RADIUS (their IAS service in Windows 2000). Any ideas will definitely help !!!!! And oh ya, my customer is willing to look into ACS or something similar if that fixes this issue....

thanks a million

sam
 
ok... so after a bit of research, I found that Cisco Secure ACS does support user downloadable ACLs.... You don't define a split-tunnel command in your vpngroup; the ACL is downloaded from the ACS...

Now when they say user downloadable, does that mean that after the user inputs his userID/password, all the VPN configs are downloaded from the ACS?? Including DNS and WINS addresses ?? And the split-tunnel configuration pertinent to that user in particular ???

If that's the case, does that mean that I can create 1 vpngroup and 1 DHCP pool for all my VPN connections, and use ACS to define user-specific ACLs ???

thanks again

sam
 
I'm new to this forum and PIX firewalls. My company uses a Pix 515 with a RADIUS to authenticate. Is it possible:

1. To allow the Cisco VPN client to "save password" for the RADIUS authentication? I see that if I change the client's config file (change the SavePassword=0 to =1) it opens up a little check box if you try to log in, but the next time you try it's gone. VPN must be blowing away the change I made to the client config file. How do I change/allow this on the admin side? I have been searching and searching and cannot find the solution.

2. To allow certain groups access only certain specified IP's? In other words, can groups be forced into only accessing a static route? How is this done? I'm about to go crazy here...

Thank you guys so much!
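Both posters worry about what a copied or hand-edited .pcf profile can do. As an added example (not code from the thread or from Cisco), the audit below parses Cisco VPN Client .pcf files as INI text and flags the two settings discussed here: SavePassword=1 and a GroupPwd stored in cleartext instead of enc_GroupPwd. The profiles are constructed samples; the host name is a placeholder.

```python
"""Audit Cisco VPN Client .pcf profiles for settings that undermine the
'one partner, one vpngroup' model: cached user passwords and cleartext
group secrets. The .pcf file is INI-style with a single [main] section."""
import configparser
from typing import Dict, List

# Constructed sample profiles for demonstration (not real customer data).
SAMPLE_PCFS: Dict[str, str] = {
    "partner_john.pcf": """[main]
Description=Partner John
Host=vpn.example.invalid
AuthType=1
GroupName=john
enc_GroupPwd=0123456789ABCDEF
SavePassword=0
UserName=john
""",
    "partner_copied.pcf": """[main]
Description=Profile copied between partners
Host=vpn.example.invalid
AuthType=1
GroupName=acme
GroupPwd=cleartextgroupkey
SavePassword=1
UserName=
""",
}


def audit_pcf(text: str) -> List[str]:
    """Return human-readable findings for one .pcf profile body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    main = cp["main"]          # option names are matched case-insensitively
    findings: List[str] = []
    if main.get("SavePassword", "0").strip() == "1":
        findings.append("SavePassword=1: user password cached in the profile")
    if main.get("GroupPwd", "").strip():
        findings.append("GroupPwd stored in cleartext (expected enc_GroupPwd)")
    if not main.get("GroupName", "").strip():
        findings.append("GroupName missing: profile does not select a vpngroup")
    return findings


def audit_all(profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every profile and return only those with findings."""
    results = {name: audit_pcf(body) for name, body in profiles.items()}
    return {name: f for name, f in results.items() if f}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PCFS).items():
        print(name, *findings, sep="\n  ")
```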
 
"Now when they say user downloadable, does that mean that after the user inputs his userID/password, all the VPN configs are downloaded from the ACS?? Including DNS and WINS addresses ?? And the split-tunnel configuration pertinent to that user in particular ???"

Yes.

"If that's the case, does that mean that I can create 1 vpngroup and 1 DHCP pool for all my VPN connections, and use ACS to define user-specific ACLs ???"

Yes.

I believe this only works if you authenticate using TACACS+ between the PIX and Secure ACS, not with RADIUS authentication. Secure ACS supports both. So you will need to reconfigure the PIX to authenticate using TACACS+, but it is doable.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
great... thanks for your answers. The only thing is that I believe you have RADIUS and TACACS mixed up. As per Cisco, in order to support user downloadable ACLs, the ACS has to be in RADIUS .... I'm not 150% sure, but if I remember correctly, I read that somewhere on their site.
 
You're right :)

Just checked, it is only when authenticating using RADIUS that the ACLs can be downloaded. I was assuming it was only through TACACS+ because that's Cisco's own revision of TACACS, so I thought they would make it more fully featured than their RADIUS support, but apparently not.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 