
Setting up a new PIX 515 VPN with a question

Status
Not open for further replies.

wholmer

Technical User
Oct 4, 2002
37
US
Hi, I'm trying to set up a VPN for a few (15-20, sometimes on travel) remote users. I'm new to using a PIX 515. It has VPN and 3DES enabled and we have 100 client licenses. It's a W2K network with the PIX behind a Cisco 2514. I have a 2K CA server running with CEP installed. If the Cisco client VPNs to, and terminates on, the PIX using certificates, can the user browse the network, or is a RRAS server necessary to authenticate and give permission to the client to browse the network? Would this require opening ports 137-9 both ways for NetBIOS? Any help clearing up these issues would be a great help. Thanks in advance.
 
HI.

> Can the user browse the network or is a RRAS server ...
Once the VPN is configured and working, the user can ACCESS the internal network hosts.
To BROWSE the network, you need to handle name resolution issues.
You can do that by either using static LMHOSTS/HOSTS files at the client, or pushing internal WINS/DNS servers addresses to the clients.
Anyway - I don't think that a VPN client needs to browse the network. It should be able to access the needed servers and that's all in most cases.

> ... is a RRAS server necessary to authenticate and give permission ...
No.
But, an IAS server (MS RADIUS server, comes with the OS, can be installed from ADD/REMOVE) - this is what you need to authenticate the VPN clients. This is called XAUTH in the pix terminology.
The Cisco VPN client can have dual authentication.
The first authentication is the group name/password or the certificate. This is preconfigured and stored on the workstation.
The second authentication (optional but highly recommended) is the XAUTH.
The client will get a prompt for user name & password.
The pix will contact your W2K RADIUS server (IAS) to authenticate the user.

> .. Would this require opening ports 137-9 both ways for Netbios?
If you use the command "sysopt connection permit-ipsec" then the answer is No.
If you don't use it, then you need to add statements to the access-list bound to the outside interface that define the traffic you want to permit from VPN clients to the internal network. In that case, the answer is Yes.

Bye
Yizhar Hurwitz
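The pieces described in the reply above (group name/password plus XAUTH against a RADIUS/IAS server, `sysopt connection permit-ipsec` instead of NetBIOS holes in the outside access-list, and WINS/DNS pushed to the client for name resolution) combined into one PIX 6.x style configuration fragment. This is an added example, not configuration from the thread; the inside network 10.0.0.0/24, the IAS host 10.0.0.5, the WINS/DNS host 10.0.0.10, the pool 192.168.100.0/24, the group name `remote` and the secrets are constructed placeholders.

```text
! --- XAUTH: PIX asks the W2K IAS (RADIUS) server for user name/password ---
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5 RADIUS-SHARED-SECRET-PLACEHOLDER timeout 5

! --- Allow decrypted IPsec traffic without per-port holes (no 137-139 in the outside ACL) ---
sysopt connection permit-ipsec

! --- Phase 1: pre-shared key (group password), 3DES/SHA, DH group 2 ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2 transform and dynamic crypto map for roaming clients ---
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
! second factor: XAUTH via the RADIUS server group defined above
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside

! --- Address pool and per-group attributes pushed to the Cisco VPN client ---
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 10.0.0.10
vpngroup remote wins-server 10.0.0.10
vpngroup remote default-domain example.com
vpngroup remote idle-time 1800
vpngroup remote password GROUP-PASSWORD-PLACEHOLDER

! --- Do not NAT traffic between the inside LAN and the VPN pool ---
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
```

With `sysopt connection permit-ipsec` in place, restricting what VPN users may reach is done with a `vpngroup ... split-tunnel` ACL or inside filtering rather than by opening NetBIOS ports on the outside interface.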
 
OK! Thanks for the clarification on that. So if I have the clients map to the necessary folders then browsing won't be required? If I then configure the PIX for group name/password AND XAUTH using IAS, I can forget about certificates (see other post "PIX Root Certificate won't take"). Can the IAS be in the Domain or would a DMZ be required for it?
 
HI.

> So if I have the clients map to the necessary folders then browsing won't be required?
Right.

> Then I configure the PIX for group name/password AND XAUTH using IAS I can forget about certificates?
Certificates are considered stronger than group name/password, but using group name/group password and XAUTH in addition is also quite strong and I use that method for most of my clients.

> Can the IAS be in the Domain or would a DMZ be required for it?
Yes, it can be any W2K server in your network, but placing a dedicated IAS server with minimal local user accounts only for VPN clients can be more secure and easier to manage and control, but adds additional costs which are not required.

Bye

Yizhar Hurwitz
 