CISCO PIX 515e, VPN and packet filtering

Discussion in 'Cisco' started by BigKev, Aug 23, 2004.

  1. BigKev

    BigKev Guest

    Greetings CISCO gurus,

    I'll try to keep this as brief as possible. Currently we have a Win2K
    server running Routing and Remote Access (RRAS) for a VPN solution for
    our business. We have several outside vendors that connect to our VPN,
    and have access to various machines on our network for FTP, telnet,
    etc.

    We are using Remote Access Policies and specifically the IP Packet
    Filters to limit the IP addresses the vendors have access to when
    connected to our network VPN. If we want to deny all traffic except
    traffic to/from 10.1.1.5 to a particular vendor, we can do that.

    My question: We got a CISCO PIX 515e firewall, which I understand has
    some VPN capabilities. I know next to squat about CISCO, since I am
    not the network administrator. However, I would like to know: Is it
    possible with the 515e to do the same kind of setup as I have with
    Microsoft RRAS? I'd like to be able to set up VPN groups, and be able
    to restrict access on VPN connections to certain IP addresses on the
    internal network.

    The network admin says this isn't possible with the 515e. He says
    once the vendors are connected on the VPN, they become like regular
    nodes on the internal network and you cannot packet filter traffic
    between the VPN IP address pool and the internal addresses. He says
    we need to buy a dedicated VPN solution to do what I want to do.

    Anyone else know differently? If it can be done, are there online
    resources you could point me to so I can show our network admin?

    Thanks,

    Kevin Meagher
     
    BigKev, Aug 23, 2004
    #1

  2. (BigKev) wrote in message news:<>...
    > Greetings CISCO gurus,
    >
    > I'll try to keep this as brief as possible. Currently we have a Win2K
    > server running Routing and Remote Access (RRAS) for a VPN solution for
    > our business. We have several outside vendors that connect to our VPN,
    > and have access to various machines on our network for FTP, telnet,
    > etc.
    >
    > We are using Remote Access Policies and specifically the IP Packet
    > Filters to limit the IP addresses the vendors have access to when
    > connected to our network VPN. If we want to deny all traffic except
    > traffic to/from 10.1.1.5 to a particular vendor, we can do that.
    >
    > My question: We got a CISCO PIX 515e firewall, which I understand has
    > some VPN capabilities. I know next to squat about CISCO, since I am
    > not the network administrator. However, I would like to know: Is it
    > possible with the 515e to do the same kind of setup as I have with
    > Microsoft RRAS? I'd like to be able to set up VPN groups, and be able
    > to restrict access on VPN connections to certain IP addresses on the
    > internal network.
    >
    > The network admin says this isn't possible with the 515e. He says
    > once the vendors are connected on the VPN, they become like regular
    > nodes on the internal network and you cannot packet filter traffic
    > between the VPN IP address pool and the internal addresses. He says
    > we need to buy a dedicated VPN solution to do what I want to do.
    >
    > Anyone else know differently? If it can be done, are there online
    > resources you could point me to so I can show our network admin?
    >
    > Thanks,
    >
    > Kevin Meagher
    >


    Hi,
    I assume your vendors connect to the VPN using PPTP, right?
    It can be done for PPTP, but you need PIX software v6.3.1 or
    higher.

    1. Configure the PIX using the guide for PPTP with RADIUS auth. from cisco.com.
    2. Create an ACL (access list) for each group of VPN users, restricting
    them to certain resources on the local network.
    3. Configure RADIUS to give out the attribute "Filter-ID"=acl-number for
    VPN users.

    That's all.

    Roman Nakhmanson
    my email is
     
    Roman Nakhmanson, Aug 24, 2004
    #2

  3. Tosh

    Tosh Guest

    > I assume your vendors connect to the VPN using PPTP, right?
    > It can be done for PPTP, but you need PIX software v6.3.1 or
    > higher.
    >

    You can also do the same with no release restrictions (perhaps) and no need
    for a RADIUS server, if you wish.
    1) Configure as many VPN groups as you need
    2) Assign each group a different pool
    3) Filter each pool on the inside interface
    Bye,
    Tosh.
     
    Tosh, Aug 24, 2004
    #3
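The two replies above describe the same outcome reached two ways: per-group ACLs handed out by RADIUS (Roman) or per-group address pools filtered by an interface ACL on the firewall itself (Tosh). The fragment below is an added illustration written for this page, not configuration from the thread or from Cisco documentation. It is written in PIX 6.3-style syntax; the pool ranges, group names, internal hosts (10.1.1.5 and 10.1.1.7 taken from the question for vendor A, 10.1.1.7 invented for vendor B), the RADIUS server address and the placeholder secrets are all constructed. Two points are my own assumptions rather than anything the thread states: that disabling `sysopt connection permit-ipsec` is what makes the outside ACL apply to decrypted IPsec client traffic on this release, and that the release honours the RADIUS Filter-Id attribute for PPTP users as Roman describes. Both should be checked against the command reference for the software actually running on the 515e.

```cisco
! Constructed example (not from the thread, not Cisco documentation): a
! PIX 6.3-style configuration restricting each vendor VPN group to a few
! internal hosts. Pools, group names, hosts, RADIUS server and the
! placeholder secrets are made up.

! ---------- Shared piece: one address pool per vendor group ----------
! With a distinct pool per group, the source address of a decrypted packet
! identifies the group, so an ACL can be written per pool.
ip local pool vendorA-pool 192.168.101.1-192.168.101.20
ip local pool vendorB-pool 192.168.102.1-192.168.102.20

! ---------- Approach 1 (Tosh): IPsec groups + pool-based filtering ----------
vpngroup vendorA address-pool vendorA-pool
vpngroup vendorA idle-time 1800
vpngroup vendorA password VENDOR-A-GROUP-KEY-PLACEHOLDER
vpngroup vendorB address-pool vendorB-pool
vpngroup vendorB idle-time 1800
vpngroup vendorB password VENDOR-B-GROUP-KEY-PLACEHOLDER

! Decrypted client traffic enters on the outside interface. By default
! "sysopt connection permit-ipsec" lets it bypass the outside ACL; turning
! that off makes the ACL below apply to it (assumption about 6.3 behaviour,
! verify for your release). Merge these entries into whatever outside ACL
! already exists, since an interface takes only one access-group.
no sysopt connection permit-ipsec
! Vendor A: FTP and telnet to 10.1.1.5 only (the default "fixup protocol ftp"
! takes care of the FTP data channel).
access-list outside-in permit tcp 192.168.101.0 255.255.255.0 host 10.1.1.5 eq ftp
access-list outside-in permit tcp 192.168.101.0 255.255.255.0 host 10.1.1.5 eq telnet
! Vendor B: telnet to 10.1.1.7 only.
access-list outside-in permit tcp 192.168.102.0 255.255.255.0 host 10.1.1.7 eq telnet
! Anything else from either pool is dropped and logged, so a vendor probing
! beyond its allowance shows up in syslog.
access-list outside-in deny ip 192.168.101.0 255.255.255.0 any log
access-list outside-in deny ip 192.168.102.0 255.255.255.0 any log
access-group outside-in in interface outside

! ---------- Approach 2 (Roman): PPTP + RADIUS-assigned ACL ----------
! The PIX terminates PPTP and authenticates each user against RADIUS; the
! RADIUS reply carries Filter-Id naming the ACL to apply (Roman's step 3).
! Assumption: the release applies Filter-Id to PPTP users. The named ACLs
! must already exist on the PIX.
ip local pool pptp-pool 192.168.103.1-192.168.103.50
aaa-server VENDOR-RADIUS protocol radius
aaa-server VENDOR-RADIUS (inside) host 10.1.1.10 RADIUS-SECRET-PLACEHOLDER timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa VENDOR-RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside
sysopt connection permit-pptp
! Per-group ACLs; RADIUS returns Filter-Id = "vendorA-acl" for vendor A
! accounts and Filter-Id = "vendorB-acl" for vendor B accounts.
access-list vendorA-acl permit tcp 192.168.103.0 255.255.255.0 host 10.1.1.5 eq ftp
access-list vendorA-acl permit tcp 192.168.103.0 255.255.255.0 host 10.1.1.5 eq telnet
access-list vendorA-acl deny ip any any log
access-list vendorB-acl permit tcp 192.168.103.0 255.255.255.0 host 10.1.1.7 eq telnet
access-list vendorB-acl deny ip any any log
```

Whichever approach is used, the check that the filter is actually doing something is the same: connect as a vendor, attempt one permitted and one non-permitted destination, and look at `show access-list` on the PIX, where the hit count on the matching permit and deny entries should move and the logged deny should appear in syslog. If the hit counts stay at zero while the connection succeeds, the decrypted traffic is bypassing the ACL and the sysopt or Filter-Id binding needs another look.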
