W2K Radius PIX 501 & W2k VPN Clients. Can it work? HOW??

Status
Not open for further replies.

Hockeman

MIS
Sep 11, 2002
29
US
W2K Radius PIX 501 & W2k VPN Clients. Can it work? HOW??
 
Yes, it works. Just add the pix connection to the radius server and configure the pix using pdm. The newest version of the pdm provides a vpn-agent that makes the configuration very easy.
 
Yes... it works fine. I've used that before. The problem is that you have to use the Cisco VPN Client. I'd like to use the Microsoft VPN Client. Do you know how to do that?
 
Hi.

There are 2 major options to work with MS VPN client:

1) Configure the pix to act as a PPTP VPN server, with the MS server acting as RADIUS server for authentication.
Both PDM (the latest) and PIXCRIPT can help you with the configuration and also Cisco samples.

2) You can configure the MS server to act as VPN server (RRAS). The pix will need the following configuration:
* A static mapping of registered IP address to the VPN server.
* access-list entries to permit the PPTP TCP port (I don't remember now the port number) and GRE:
access-list fromoutside permit tcp any host VPNSERVER eq PPTP
access-list fromoutside permit gre any host VPNSERVER

Bye
Yizhar Hurwitz
 
Why would an access-list be preferred over a conduit statement?

static (inside,outside) xxx.xxx.xxx.xxx 192.168.1.1 netmask 255.255.255.255 0 0
conduit permit gre host xxx.xxx.xxx.xxx any
conduit permit tcp host xxx.xxx.xxx.xxx eq 1723 any

I'm just not really clear on why and when I should use access-lists over conduits?

-Danny
dan@snoboarder.net
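
An added example, not code from any poster in this thread: a small Python audit that reads PIX configuration text in either of the two forms shown above (access-list or conduit) and reports whether all three pieces PPTP pass-through needs are present for the VPN server: the static mapping, TCP 1723 and GRE. The function names and sample addresses are hypothetical; it assumes `server` is the registered (global) address and counts an access-list only when an `access-group` line binds it to an interface.

```python
PPTP = {"1723", "pptp"}  # port number or the PIX literal name

def _addr(tok, i):
    """Read 'any', 'host <ip>' or '<ip> <mask>' at tok[i]; return (addr, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def _port(tok, i):
    """Read an optional 'eq <port>' at tok[i]; return (port or None, next index)."""
    if i + 1 < len(tok) and tok[i] == "eq":
        return tok[i + 1].lower(), i + 2
    return None, i

def audit_pptp(config, server):
    """Report which PPTP pass-through pieces exist for `server` (its registered IP)."""
    rows = [l.split() for l in config.splitlines() if l.split()]
    bound = {t[1] for t in rows if t[0] == "access-group" and len(t) > 1}
    found = {"static": False, "tcp1723": False, "gre": False}
    for t in rows:
        if t[0] == "static" and len(t) > 3 and t[2] == server:
            found["static"] = True
            continue
        if t[:2] == ["conduit", "permit"]:
            proto, (dst, i) = t[2], _addr(t, 3)    # conduit: global side comes first
        elif t[0] == "access-list" and t[2:3] == ["permit"] and t[1] in bound:
            proto = t[3]
            _, i = _addr(t, 4)                      # source address
            _, i = _port(t, i)                      # optional source port
            dst, i = _addr(t, i)                    # destination address
        else:
            continue
        port, _ = _port(t, i)
        if dst == server and proto == "gre":
            found["gre"] = True
        elif dst == server and proto == "tcp" and port in PPTP:
            found["tcp1723"] = True
    return found

# Constructed samples; 192.0.2.10 stands in for the registered address.
CONDUIT_CFG = """static (inside,outside) 192.0.2.10 192.168.1.1 netmask 255.255.255.255 0 0
conduit permit gre host 192.0.2.10 any
conduit permit tcp host 192.0.2.10 eq 1723 any"""
ACL_CFG = """static (inside,outside) 192.0.2.10 192.168.1.1 netmask 255.255.255.255 0 0
access-list fromoutside permit tcp any host 192.0.2.10 eq pptp
access-list fromoutside permit gre any host 192.0.2.10"""
```

Run against `ACL_CFG` as written, the audit reports TCP 1723 and GRE as missing because no `access-group` line applies `fromoutside` to an interface.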






 