
Setting up VPN access at home for users.

Status
Not open for further replies.
Feb 4, 2002
I have been tasked with the project of setting up VPN access into our network for about 20 users. I would like to know what you think the best route to use would be. I already have in place a Cisco 3000 Concentrator, and we use that for Tech-only use with the Cisco Client.

We don't want the end users to have to use the client, and I know this can be done with the Cisco HW client 3002 and the PIXs (501s would be the ones we would use if we went that route). However, I want to be able to only enable VPN access through 1 port, and only allow the PC we give them to be able to connect through that port and to our network. The other ports would be for their home PCs to the internet.

The end users' PC that we give them will be secure, and they will not be local admins. I do not want to use DHCP because I don't want them to unplug from the hardware, plug into anything else (ISP) and get an IP.

I guess I could use certificates in this scenario, but I have never used them before. Any help, hints, or ideas would be great!
 
The PIX 501 (and 506E) only has 2 interfaces. You can restrict the user by an access-list on the inside interface, or by a crypto access-list. Either would be based on the PC's IP address.



 
The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface as the public interface.

I'll probably set it up just like you said and use a static addy for the work PC, and DHCP for all the others. I just don't know if you can apply DHCP to some ports only and not others with the PIX 501, or if it will even be a problem. Know what I mean?

Also, does using a Cisco HW Client 3002 really give me anything great that configuring a PIX 501 cannot?
 
The 501 has an integrated switch, but it is considered a single *interface* ("inside"). It's the same result you'd get by cross-connecting a 4-port NetGear switch to a 506's inside i/f.

Cisco really points out that there are only two interfaces, inside and outside. So I'm pretty sure that there are no per-port configurations like you'd find on a smarter switch, so per-port DHCP isn't an option. I think the static address and access-lists are your best bet.

I've been told to avoid the hw vpn client, but I've never actually used one. With the 501 you can use the EasyVPN client setup, so it's supposed to be pretty much plug-and-play.
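To make the "static address plus access-lists" approach from the two replies above concrete, here is an added example of a PIX 501 (6.x software) configuration; it is not from the thread or from Cisco, and every address in it is a constructed placeholder (home LAN 192.168.1.0/24, corporate network 10.0.0.0/8, head-end peer 203.0.113.1). Lines beginning with `!` are annotations for the reader and should be dropped before pasting into a real unit.

```cisco
! Added example, not the poster's config. PIX 501, software 6.x.
! ethernet0 is the public port, ethernet1 is the 4-port inside switch.
hostname homepix
interface ethernet0 10baset
interface ethernet1 100full
ip address outside dhcp
ip address inside 192.168.1.1 255.255.255.0

! Home PCs lease from a pool that deliberately excludes .10, which is
! reserved as the static address configured on the company-issued PC.
! There is no per-port DHCP on the 501, so the exclusion is by address only.
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.0.2.53
dhcpd lease 3600
dhcpd enable inside

! Inside-interface ACL: only the work PC may send traffic toward 10/8.
! Every other inside host reaches the Internet but is denied the
! corporate range, so nothing leaks out unencrypted if it tries.
access-list inside_access_in permit ip host 192.168.1.10 10.0.0.0 255.0.0.0
access-list inside_access_in deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside

! Crypto ACL: the same work-PC-to-10/8 traffic is the only "interesting"
! traffic for the tunnel, and it is exempted from NAT so the PC keeps its
! real address inside the tunnel. Everything else is PAT'd to the outside.
access-list vpn_traffic permit ip host 192.168.1.10 10.0.0.0 255.0.0.0
nat (inside) 0 access-list vpn_traffic
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

! IPsec to the head end; the pre-shared key is a placeholder.
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map homevpn 10 ipsec-isakmp
crypto map homevpn 10 match address vpn_traffic
crypto map homevpn 10 set peer 203.0.113.1
crypto map homevpn 10 set transform-set strong
crypto map homevpn interface outside
isakmp enable outside
isakmp key REPLACE-WITH-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The two access-lists do different jobs: `vpn_traffic` decides what gets encrypted, while `inside_access_in` stops any other home host from sending packets addressed to 10/8 at all, which otherwise would simply be NAT'd out to the ISP in the clear. Both controls key on the work PC's IP address, exactly as the reply notes, so they enforce the policy only for hosts that keep their assigned address; that limitation is what motivates the machine-certificate question later in the thread.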
 
OK - thanks for the help on that. I'll use the ACLs to get around that. Now another question. Certificates: I would like to know if I could make or get a computer-specific certificate? I am about to set up a CA server on the network, and before I do I want to look at some options.

I do not want the users to be able to export a certificate, and import it on another computer. I would love to have one certificate per computer if possible.

What I am trying to get here is that when the user attaches to the firewall (this is configured for VPN to my network), if they don't have the specific cert for that computer, it will not let them in or give them the ability to authenticate without that machine-specific cert.

Am I going about this wrong, or is there an easier way?


 