Velocity Reviews - Computer Hardware Reviews

PIX 506E Connecting two different Companies

Paul (Guest)
03-22-2006
I have a Cisco PIX506E connecting our 3 other facilities via VPN; all is
fine. We have the need to create a VPN connection with one of our clients,
but they will be using different isakmp policies and transform sets. Can I
connect to this client as well as keep our existing facilities working? I
also would not want our client to be able to browse around our network ...

thoughts ...

Thanks
Paul

Walter Roberson (Guest)
04-01-2006
In article <bOfUf.481$Ph4.360@edtnps90>, Paul <(E-Mail Removed)> wrote:
>I have a Cisco PIX506E connecting our 3 other facilities via VPN all is
>fine - we have the need to create a VPN connection with one of our Clients
>but they will be using different isakmp policies and transform sets - can I
>connect to this client as well as keep our existing facilities working ??


Yes, no problem. Transform sets are configured at the same level
that you configure peer and ACL to match. For the isakmp policy,
just add another policy with a higher policy number.

>I also would not want our client to be able to browse around our network ...


That's tougher.

If you currently have sysopt connection permit-ipsec configured,
you will have to turn that off, and when you do so you will
have to configure your access-list attached to your outside
interface (access-group) to permit the existing VPN traffic.

Then for the new client, you would add to your outside interface
access-list -only-:

- necessary IP traffic from the new client -other- than TCP, UDP, and
ICMP

- ICMP time-exceeded and unreachable and possibly echo-reply

- replying UDP traffic from the client that might be delayed by
more than 2 minutes (e.g., some Exchange flows), and UDP traffic they
are authorized to initiate to you (e.g., WINS, DNS, perhaps NETBIOS).
Allow as little UDP traffic in as you can get away with.

Do -not- allow any TCP connections from the client, not unless they
are authorized to use some server of yours. [Note: some forms of
DNS can require TCP, but a lot of the time you can get away
with just UDP for DNS.]


If you leave permit-ipsec configured, then you would need to work
hard on your crypto map match-address ACL, and will probably
find it too messy to get the controls you want, at least
without having the PIX complain. PIX 6.2 does not allow you to
specify your crypto map ACL right down to the port level;
PIX 6.3 does, but you would probably have to use at least the
3.6 VPN client (there are some combinations of OSes and
configurations for which people still use 3.0; there have been
a series of problems with the 4.0 client.)
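The following PIX 6.3 configuration fragment is an added example, not part of the thread or of any Cisco documentation: it puts the reply's advice together for the new client peer (its own isakmp policy number and transform set, a narrow crypto ACL, `sysopt connection permit-ipsec` turned off, and an outside ACL that admits only the ICMP/UDP flows the reply lists while the existing facility tunnels keep full access). All addresses, ACL and map names, sequence numbers and the assumed existing entries (crypto map `outside_map` 10/20, NAT-exemption ACL `nonat`, policy 10) are constructed; lines starting with `!` are explanatory notes, not PIX commands.

```text
! Assumed existing state: isakmp policy 10 and crypto map outside_map 10/20
! serve the three facilities; inside network is 10.1.0.0/16, the client may
! reach only 10.1.50.0/24; client LAN 192.168.77.0/24 behind peer 203.0.113.10.

! 1. A second IKE policy, simply a higher policy number than the existing one.
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
! no-xauth/no-config-mode keep a remote-access xauth setup from applying to this LAN-to-LAN peer.
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode

! 2. Client-specific transform set, bound only to the client's crypto map entry.
crypto ipsec transform-set CLIENT_TS esp-3des esp-sha-hmac

! 3. Interesting traffic limited to the one subnet the client may reach,
!    plus the matching NAT-exemption line in the assumed existing nonat ACL.
access-list CLIENT_VPN permit ip 10.1.50.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat permit ip 10.1.50.0 255.255.255.0 192.168.77.0 255.255.255.0
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address CLIENT_VPN
crypto map outside_map 30 set peer 203.0.113.10
crypto map outside_map 30 set transform-set CLIENT_TS

! 4. Stop bypassing the outside ACL for decrypted traffic, then state explicitly
!    what each peer may send. Existing facilities (assumed 10.2.0.0/16,
!    10.3.0.0/16, 10.4.0.0/16) keep the access they had under permit-ipsec.
no sysopt connection permit-ipsec
access-list outside_access_in permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_access_in permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside_access_in permit ip 10.4.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! Client: only ICMP error replies, echo-reply, and the UDP it is authorized
! to initiate (DNS to one server here). Nothing else; no TCP unless a
! specific server is authorized (e.g. a single host/port line added later).
access-list outside_access_in permit icmp 192.168.77.0 255.255.255.0 10.1.50.0 255.255.255.0 time-exceeded
access-list outside_access_in permit icmp 192.168.77.0 255.255.255.0 10.1.50.0 255.255.255.0 unreachable
access-list outside_access_in permit icmp 192.168.77.0 255.255.255.0 10.1.50.0 255.255.255.0 echo-reply
access-list outside_access_in permit udp 192.168.77.0 255.255.255.0 host 10.1.50.5 eq domain
access-group outside_access_in in interface outside
```

After `no sysopt connection permit-ipsec`, any facility flow missing from `outside_access_in` stops working, so verify the existing tunnels before adding the client entry.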