Need a VPN solution for 25 users..already own PIX 515UR

Discussion in 'Cisco' started by elizabethkono, Sep 26, 2006.

  1. Hello

    I have a new job with a school that has a 3Mbp Internet connection with
    a PIX 515UR with version 7 of the IOS and an ISA server. A few
    teachers VPN with PPTP to ISA and I can restrict them with packet
    filtering to a single IP address and port number. My supervisor wants a
    better VPN solution that can do what we do now plus make sure that the
    VPN user has a virus scanner and meets other requirements. I wanted to
    use PIX but ISA is in the way and VPN does not work. I have two choices
    (1) Convert ISA from firewall mode to poxy server mode so I can use
    PIX VPN features. (2) Purchase another device (Cisco ASA??) and install
    it in parallel to the PIX. I thought of purchasing a VPN only device
    but then I would still need a firewall unless I could somehow use it
    with the existing PIX firewall without changing anything with ISA. We
    expect about 15 concurrent users. We do have money in the budget so if
    installing a new device parallel to our PIX would work then we would
    want to do that. Most important is that we get the best VPN features
    possible, even if it means changing our network configuration. All our
    network switches are Cisco.

    Thanks for your suggestions
    Elizabeth Kono
     
    elizabethkono, Sep 26, 2006
    #1
    1. Advertisements

  2. Hi Elizabeth,

    You may also wish to investigate the Cisco Solution Designer:

    http://www.ciscowebtools.com/sa2/child/1.0/index.asp

    as well as the Cisco Product Advisor:

    http://tools.cisco.com/GCT/PCTPST/index.jsp

    Cisco Pre-Sales Support:

    Please call 1-800-745-7381 in the USA or Canada between 8:00 A.M. and
    8:00 P.M. EST.

    http://www.bradreese.com/contact-us.htm#CISCO

    Sincerely,

    Brad Reese
    BradReese.Com - Cisco Repair
    http://www.bradreese.com/cisco-big-iron-repair.htm
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    USA & Canada: 877-549-2680
    International: 828-277-7272
    Fax: 775-254-3558
    AIM: R2MGrant
    BradReese.Com - Cisco Power Supply Headquarters
    http://www.bradreese.com/cisco-power-supply-inventory.htm
     
    www.BradReese.Com, Sep 26, 2006
    #2
    1. Advertisements

  3. If you want to be able to check what the VPN user has running on the
    user's own computer, then the Cisco name for that is
    "Network Admission Control" (NAC)
    http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
    http://www.cisco.com/en/US/products/ps6128/products_white_paper0900aecd802bdc42.shtml

    Reviewing those briefly, it appears to me that the client MAC address
    must reach the controlling server. I would not have expected that
    information to be available remotely, but a short review of some
    of the PIX 6 commands suggests to me that the MAC must in fact be
    transported as part of an IPSec connection... but if I assess
    correctly, because those PPTP sessions are not terminating on the PIX
    (and indeed -cannot- terminate on a PIX with any current 7.x release!)
    then you do not have access to the remote device's MAC unless you can
    somehow get the IAS to cooperate (and that's provided that PPTP even
    knows.)

    You might have to go for 802.1X authentication, having the PPTP user
    use EAP or LEAP when authenticating to the IAS, with the IAS sending
    the MAC information over to a NAC device. But I suspect that until
    you can manage to switch over from PPTP terminating on the IAS
    to some other VPN scheme that a NAC appliance would not be able to
    impose the policy properly.

    So, if you could switch the users from PPTP to IPSec you could possibly
    do the trick with a NAC appliance; with the PPTP still in place,
    you might have to use the more general "Network Admission Framework".


    ObDisclaimer: on this topic, I only know what I've briefly skimmed.
    If you want to persue this approach, you should find someone who
    knows what they are doing ;-)
     
    Walter Roberson, Sep 26, 2006
    #3
  4. elizabethkono

    roger t Guest

    Hello,

    SSL VPN's seem to be taking over in this category. Aventail makes a
    nice product
    but it's pricey depending on the licenses required.
     
    roger t, Sep 27, 2006
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.