Velocity Reviews - Computer Hardware Reviews

CISCO PIX 515e, VPN and packet filtering

 
 
BigKev   08-23-2004
Greetings CISCO gurus,

I'll try to keep this as brief as possible. Currently we have a Win2K
server running Routing and Remote Access (RRAS) for a VPN solution for
our business. We have several outside vendors that connect to our VPN,
and have access to various machines on our network for FTP, telnet,
etc.

We are using Remote Access Policies and specifically the IP Packet
Filters to limit the IP addresses the vendors have access to when
connected to our network VPN. If we want to deny all traffic except
traffic to/from 10.1.1.5 to a particular vendor, we can do that.

My question: We got a CISCO PIX 515e firewall, which I understand has
some VPN capabilities. I know next to squat about CISCO, since I am
not the network administrator. However, I would like to know: Is it
possible with the 515e to do the same kind of setup as I have with
Microsoft RRAS? I'd like to be able to set up VPN groups, and be able
to restrict access on VPN connections to certain IP addresses on the
internal network.

The network admin says this isn't possible with the 515e. He says
once the vendors are connected on the VPN, they become like regular
nodes on the internal network and you cannot packet filter traffic
between the VPN IP address pool and the internal addresses. He says
we need to buy a dedicated VPN solution to do what I want to do.

Anyone else know differently? If it can be done, are there online
resources you could point me to so I can show our network admin?

Thanks,

Kevin Meagher
Roman Nakhmanson   08-24-2004
BigKev wrote (the original post, quoted in full above):

Hi
I assume your vendors connect to the VPN using PPTP, right?
It can be done for PPTP, but you need PIX software v6.3.1 or
higher.

1. Configure the PIX using the guide for PPTP with RADIUS authentication from cisco.com.
2. Create an ACL (access list) for each group of VPN users, restricting
them to certain resources on the local network.
3. Configure RADIUS to give out the attribute "Filter-ID" = ACL number for
VPN users.

That's all.

Roman Nakhmanson
 
Reply With Quote
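Roman's three steps written out, as an added example for this page rather than Roman's or Cisco's configuration: a PIX 6.3 fragment terminating PPTP with RADIUS authentication, two per-vendor ACLs, and the matching RADIUS entries in FreeRADIUS users-file form (a Windows IAS remote access policy can return the same Filter-Id attribute). Interface names, addresses, ACL names, the RADIUS host and secret and the vendor accounts are made up, and the command forms are from the PIX 6.3 command set as I remember it, so verify them against the 6.3 command reference before use.

```text
! --- PIX 515E, software 6.3.x: PPTP termination with RADIUS authentication ---
! Constructed example; interface names, addresses, ACL names and the shared
! secret are made up.

! Address pool handed to PPTP clients; keep it outside the inside subnets.
ip local pool pptp-pool 10.1.200.1-10.1.200.50

! Step 1: RADIUS server on the inside network.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.20 Sh4redSecret timeout 5

! PPTP dial-in: MS-CHAP with 128-bit MPPE, which is what the built-in
! Windows clients the vendors already use can do; users are authenticated
! against the RADIUS server above.
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa RADIUS
vpdn enable outside
sysopt connection permit-pptp

! Inside hosts must answer the pool addresses directly, without NAT.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! Step 2: one ACL per vendor group. Vendor A may reach only 10.1.1.5 by FTP
! and telnet; the closing deny makes the ACL fail closed if a permit line is
! mistyped. Source is "any" because the ACL is applied per user.
access-list vendorA_acl permit tcp any host 10.1.1.5 eq ftp
access-list vendorA_acl permit tcp any host 10.1.1.5 eq telnet
access-list vendorA_acl deny ip any any

access-list vendorB_acl permit tcp any host 10.1.1.9 eq ftp
access-list vendorB_acl deny ip any any

! Step 3 lives on the RADIUS server, not on the PIX. FreeRADIUS "users"
! file entries (constructed); the Filter-Id value must exactly match the
! ACL name defined above, and the passwords are placeholders.
!
!   vendorA-kevin  Cleartext-Password := "changeme-A"
!                  Filter-Id = "vendorA_acl"
!   vendorB-jane   Cleartext-Password := "changeme-B"
!                  Filter-Id = "vendorB_acl"
```

Two checks worth doing before handing out accounts: every vendor account must return a Filter-Id naming an ACL that exists on the PIX, because an account that returns none gets the unfiltered "regular node" access the network admin described; and each ACL should end in an explicit deny, as above, so a mistake in a permit line fails closed. After a test login, `show vpdn session` on the PIX should list the tunnel, a telnet to 10.1.1.5 should connect, and a telnet to any other inside host should not.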
 
 
 
 
Tosh   08-24-2004
> I assume your vendors connect to the VPN using PPTP, right?
> It can be done for PPTP, but you need PIX software v6.3.1 or
> higher.
>

You can also do the same with no release restrictions (perhaps) and no need
for a RADIUS server, if you wish.
1) Configure as many VPN groups as you need
2) Assign each group a different pool
3) Filter each pool on the inside interface
Bye,
Tosh.


 
Reply With Quote
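Tosh's three steps as an added configuration example that is neither Tosh's own nor Cisco's: one `vpngroup` per vendor for the Cisco VPN Client, each with its own address pool, and a static ACL that filters each pool without any RADIUS attribute. Names, addresses, group keys and the outside interface address 203.0.113.2 are made up, and the commands are from the PIX 6.3 command set as I recall it, so check them against the command reference. Tosh says to filter on the inside interface; on 6.x an `access-group` only filters traffic entering an interface, and decapsulated client traffic enters on the outside, so this example places the per-pool ACL there and drops `sysopt connection permit-ipsec`, which would otherwise let tunnel traffic bypass interface ACLs. The ISAKMP and ESP permits to the PIX's own address are included on the assumption that they are needed once that sysopt is gone.

```text
! --- PIX 515E, software 6.3.x: one VPN Client group per vendor, each with
! its own pool, filtered by a static interface ACL ---
! Constructed example; names, addresses, group keys and the outside
! interface address 203.0.113.2 are made up.

ip local pool vendorA-pool 10.1.200.1-10.1.200.30
ip local pool vendorB-pool 10.1.201.1-10.1.201.30

! Step 1: one vpngroup per vendor (the group name and password are what
! each vendor types into the VPN Client). Step 2: each group gets its own
! pool, so a client's source address identifies its group.
vpngroup vendorA address-pool vendorA-pool
vpngroup vendorA idle-time 1800
vpngroup vendorA password vendorA-GroupKey
vpngroup vendorB address-pool vendorB-pool
vpngroup vendorB idle-time 1800
vpngroup vendorB password vendorB-GroupKey

! IKE/IPsec plumbing for the remote-access clients.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

! No NAT between the inside network and either pool.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.201.0 255.255.255.0
nat (inside) 0 access-list nonat

! Step 3: filter each pool. Decapsulated tunnel traffic is checked against
! the outside interface's inbound ACL only when the permit-ipsec sysopt is
! absent. The pools are /27s (.0-.31), so the masks below cover them.
! Assumption: IKE and ESP to the PIX's own outside address still need an
! explicit permit once the sysopt is removed.
no sysopt connection permit-ipsec
access-list outside_in permit udp any host 203.0.113.2 eq isakmp
access-list outside_in permit esp any host 203.0.113.2
access-list outside_in permit tcp 10.1.200.0 255.255.255.224 host 10.1.1.5 eq ftp
access-list outside_in permit tcp 10.1.200.0 255.255.255.224 host 10.1.1.5 eq telnet
access-list outside_in permit tcp 10.1.201.0 255.255.255.224 host 10.1.1.9 eq ftp
access-list outside_in deny ip 10.1.200.0 255.255.255.224 any
access-list outside_in deny ip 10.1.201.0 255.255.255.224 any
access-group outside_in in interface outside
```

With only a group key, anyone who obtains a vendor's key can take an address from that vendor's pool and inherit its permits; adding `crypto map vpnmap client authentication RADIUS` (with an `aaa-server RADIUS` defined) requires a per-user XAUTH login on top of the group key, which is the check a practitioner would want before trusting pool membership as the access-control key.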
 
 
 