PIX-VPN-Radius

Discussion in 'Cisco' started by Michael Kiessling, Oct 28, 2003.

  1. Hi,

    One of our PIXes needs to authenticate vpn-users against a radius server.
    The Problem is that the PIX can contact the radius server only over its
    own vpn-tunnel (see below).
    Afaik vpn-devices are not able to get in their own vpn-tunnel - if that's
    true the only solution is to put a proxy radius in lan1...


    lan1:::::|PIX|--------vpn-tunnel---------|PIX|:::lan2:::|Radius-Server|
    |
    |
    |___vpn-clients

    Maybe someone has a solution without setting up a new service (like a
    radius proxy).

    Thank you very much...
    Michael Kiessling
    Michael Kiessling, Oct 28, 2003
    #1

  2. In article <>,
    Michael Kiessling <> wrote:
    :One of our PIXes needs to authenticate vpn-users against a radius server.
    :The Problem is that the PIX can contact the radius server only over its
    :own vpn-tunnel (see below).
    :Afaik vpn-devices are not able to get in their own vpn-tunnel - if that's
    :true the only solution is to put a proxy radius in lan1...


    :lan1:::::|PIX|--------vpn-tunnel---------|PIX|:::lan2:::|Radius-Server|
    : |
    : |
    : |___vpn-clients

    :Maybe someone has a solution without setting up a new service (like a
    :radius proxy).

    I don't think I understand what you mean by,
    "Afaik vpn-devices are not able to get in their own vpn-tunnel" ?

    When the PIX does RADIUS authentication, the packets are going to
    originate from the PIX, not from lan1 or vpn-clients. If the RADIUS
    server is only accessible by VPN, then what you need to do is configure
    an additional entry in the access-list for the match-address clauses.
    The additional entry should allow the *outside* address of the first
    PIX to access the resources it needs.

    e.g., if you now have
    access-list acl-to-lan2 permit ip lan1 255.255.255.0 lan2 255.255.255.0
    then add
    access-list acl-to-lan2 permit ip host pix1_external host radius_server

    and make the corresponding entry on the other end.
    --
    How does Usenet function without a fixed point?
    Walter Roberson, Oct 28, 2003
    #2

  3. > I don't think I understand what you mean by,
    > "Afaik vpn-devices are not able to get in their own vpn-tunnel" ?


    The Pix at lan1 can reach the radius server at lan2 only through the
    vpn-tunnel, so it has to send its radius packets in its own tunnel.
    I thought a vpn-device is not able to send packets made by its
    own in its own vpn-tunnel, e.g. when you want to verify a vpn-tunnel
    and you want to ping through it, you need a host in lan1 to ping to
    lan2, because you can't send the ping directly from the pix...


    I'll try it with your configuration...

    Thank you very much so far...

    > e.g., if you now have
    > access-list acl-to-lan2 permit lan1 255.255.255.0 lan2 255.255.255.0
    > then add
    > access-list acl-to-lan2 permit host pix1_external host radius_server
    >
    > and make the corresponding entry on the other end.
    Michael Kiessling, Oct 29, 2003
    #3
  4. In article <>,
    Michael Kiessling <> wrote:
    :> I don't think I understand what you mean by,
    :> "Afaik vpn-devices are not able to get in their own vpn-tunnel" ?

    :The Pix at lan1 can reach the radius server at lan2 only through the
    :vpn-tunnel, so it has to send its radius packets in its own tunnel.
    :I thought a vpn-device is not able to send packets made by its
    :own in its own vpn-tunnel, e.g. when you want to verify a vpn-tunnel
    :and you want to ping through it, you need a host in lan1 to ping to
    :lan2, because you can't send the ping directly from the pix...

    Traffic originating from the PIX itself can be included in a VPN tunnel
    by naming the external IP address of the PIX itself in the
    'match address' ACL.

    I didn't figure this one out myself; I had to ask the TAC for how to do
    it the first time, as it was not clear in the 5.2 documentation I was
    starting from. The wording has been improved since then, but I think
    you still have to know exactly what you are looking for before you can
    find it.
    --
    If a troll and a half can hook a reader and a half in a posting and a half,
    how many readers can six trolls hook in six postings?
    Walter Roberson, Oct 29, 2003
    #4
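    The approach described in replies #2 and #4, written out as an added PIX 6.x
    configuration fragment that is not part of the original thread. Addresses,
    the shared secret placeholder and the names (acl-to-lan2, acl-to-lan1,
    vpnmap, RADIUS, strong) are constructed for the example; comment lines
    start with a colon as in a saved PIX config. The point is that the
    PIX-originated RADIUS exchange (which otherwise relies only on the
    RADIUS shared secret) rides inside the IPsec tunnel once the PIX's own
    outside address is part of the crypto ACL on both ends.

```cisco
: --- First PIX (lan1 side), constructed example addresses ---
: lan1 = 10.1.0.0/24, lan2 = 10.2.0.0/24, pix1 outside = 192.0.2.1,
: pix2 outside = 198.51.100.1, RADIUS server = 10.2.0.10
:
: RADIUS is reached via the outside interface, inside the tunnel,
: so the server entry names (outside), not (inside)
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 10.2.0.10 SHARED_SECRET_PLACEHOLDER timeout 10
:
: crypto ACL: the existing LAN-to-LAN line plus one line for traffic
: the PIX itself sources from its outside address to the RADIUS host
access-list acl-to-lan2 permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list acl-to-lan2 permit ip host 192.0.2.1 host 10.2.0.10
:
: bind the ACL to the LAN-to-LAN crypto map entry
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address acl-to-lan2
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set strong
: XAUTH for the vpn-clients uses the RADIUS group defined above
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside
sysopt connection permit-ipsec

: --- Second PIX (lan2 side): mirror image of the crypto ACL ---
access-list acl-to-lan1 permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list acl-to-lan1 permit ip host 10.2.0.10 host 192.0.2.1
crypto map vpnmap 10 match address acl-to-lan1
```

    After a client authentication attempt, `show crypto ipsec sa` on the first PIX should list a second SA whose local/remote identities are the two hosts; if it never appears, the usual cause is a mismatch between the interface named in `aaa-server` and the interface the crypto map is applied to.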
  5. > Traffic originating from the PIX itself can be included in a VPN tunnel
    > by naming the external IP address of the PIX itself in the
    > 'match address' ACL.


    I'll try it...

    Thank you very much for spending time on my problem,
    Michael Kiessling
    Michael Kiessling, Oct 31, 2003
    #5