CISCO PIX 515e, VPN and packet filtering

Discussion in 'Cisco' started by BigKev, Aug 23, 2004.

  1. BigKev

    BigKev Guest

    Greetings CISCO gurus,

    I'll try to keep this as brief as possible. Currently we have a Win2K
    server running Routing and Remote Access (RRAS) for a VPN solution for
    our business. We have several outside vendors that connect to our VPN,
    and have access to various machines on our network for FTP, telnet,

    We are using Remote Access Policies and specifically the IP Packet
    Filters to limit the IP addresses the vendors have access to when
    connected to our network VPN. If we want to deny all traffic except
    traffic to/from a particular vendor, we can do that.

    My question: We got a CISCO PIX 515e firewall, which I understand has
    some VPN capabilities. I know next to squat about CISCO, since I am
    not the network administrator. However, I would like to know: Is it
    possible with the 515e to do the same kind of setup as I have with
    Microsoft RRAS? I'd like to be able to set up VPN groups, and be able to
    restrict access on VPN connections to certain IP addresses on the
    internal network.

    The network admin says this isn't possible with the 515e. He says
    once the vendors are connected on the VPN, they become like regular
    nodes on the internal network and you cannot packet filter traffic
    between the VPN IP address pool and the internal addresses. He says
    we need to buy a dedicated VPN solution to do what I want to do.

    Anyone else know differently? If it can be done, are there online
    resources you could point me to so I can show our network admin?


    Kevin Meagher
    BigKev, Aug 23, 2004
  2. Roman Nakhmanson

    Hi
    I assume your vendors connect to vpn using pptp, right?
    it can be done for pptp, but you need software for pix v6.3.1 or

    1. configure pix using guide for pptp with radius auth. from
    2. create acl (access list) for each group of vpn users restricting
    them to certain resources on the local network.
    3. configure radius to give out attribute "Filter-ID"=acl-number for
    vpn users

    that's all

    Roman Nakhmanson
    my email is
    Roman Nakhmanson, Aug 24, 2004
  3. Tosh

    Tosh Guest

    > I assume your vendors connect to vpn using pptp, right?
    You can also do the same with no release restrictions (perhaps) and no need
    for a radius server, if you wish.
    1) Configure as many vpn groups as you need
    2) Assign each group a different pool
    3) Filter each pool on the inside interface
    Tosh, Aug 24, 2004
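An added illustration of the group-per-pool approach Tosh describes, not configuration from either poster: a PIX 6.3-style fragment with two vendor groups, each tied to its own address pool and allowed to reach only the inside hosts it needs. It assumes the Cisco VPN client (IPsec) rather than PPTP, and that the interface ACL, not the IPsec bypass, is what filters decrypted traffic; group names, addresses and secrets are constructed placeholders.

```cisco
! Constructed example (not from the thread): two vendor groups,
! each with its own pool, each limited to the hosts it needs.
! PIX 6.3 syntax, Cisco VPN client over IPsec. Placeholders throughout.

! One address pool per vendor group
ip local pool POOL_VENDOR_A 10.10.1.1-10.10.1.20
ip local pool POOL_VENDOR_B 10.10.2.1-10.10.2.20

! One VPN group per vendor, each handed its own pool
vpngroup VENDOR_A address-pool POOL_VENDOR_A
vpngroup VENDOR_A password <group-secret-A>
vpngroup VENDOR_B address-pool POOL_VENDOR_B
vpngroup VENDOR_B password <group-secret-B>

! Minimal IKE/IPsec setup for remote-access clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set RA_SET esp-3des esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_SET
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP client authentication LOCAL
crypto map OUTSIDE_MAP interface outside

! Do not let decrypted VPN traffic bypass the interface ACL. With the
! bypass enabled, every pool reaches every inside host, which is the
! "they become regular nodes" situation the network admin described.
no sysopt connection permit-ipsec

! Per-pool filter: vendor A gets FTP to one host, vendor B gets telnet
! to another; anything else sourced from a pool is dropped and logged.
access-list OUTSIDE_IN permit tcp 10.10.1.0 255.255.255.0 host 192.168.1.10 eq ftp
access-list OUTSIDE_IN permit tcp 10.10.2.0 255.255.255.0 host 192.168.1.20 eq telnet
access-list OUTSIDE_IN deny ip 10.10.1.0 255.255.255.0 any log
access-list OUTSIDE_IN deny ip 10.10.2.0 255.255.255.0 any log
access-group OUTSIDE_IN in interface outside
```

Any entries an existing outside ACL already carries (for published servers, for example) must be kept alongside these pool rules, since removing the bypass makes that ACL apply to the decrypted VPN traffic as well.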
