Need a VPN solution for 25 users..already own PIX 515UR

Hello

I have a new job with a school that has a 3Mbp Internet connection with
a PIX 515UR with version 7 of the IOS and an ISA server. A few
teachers VPN with PPTP to ISA and I can restrict them with packet
filtering to a single IP address and port number. My supervisor wants a
better VPN solution that can do what we do now plus make sure that the
VPN user has a virus scanner and meets other requirements. I wanted to
use PIX but ISA is in the way and VPN does not work. I have two choices
(1) Convert ISA from firewall mode to poxy server mode so I can use
PIX VPN features. (2) Purchase another device (Cisco ASA??) and install
it in parallel to the PIX. I thought of purchasing a VPN only device
but then I would still need a firewall unless I could somehow use it
with the existing PIX firewall without changing anything with ISA. We
expect about 15 concurrent users. We do have money in the budget so if
installing a new device parallel to our PIX would work then we would
want to do that. Most important is that we get the best VPN features
possible, even if it means changing our network configuration. All our
network switches are Cisco.

Thanks for your suggestions
Elizabeth Kono

 

Hi Elizabeth,

You may also wish to investigate the Cisco Solution Designer:

http://www.ciscowebtools.com/sa2/child/1.0/index.asp

as well as the Cisco Product Advisor:

http://tools.cisco.com/GCT/PCTPST/index.jsp

Cisco Pre-Sales Support:

Please call 1-800-745-7381 in the USA or Canada between 8:00 A.M. and
8:00 P.M. EST.

http://www.bradreese.com/contact-us.htm#CISCO

Sincerely,

Brad Reese
BradReese.Com - Cisco Repair
http://www.bradreese.com/cisco-big-iron-repair.htm
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant
BradReese.Com - Cisco Power Supply Headquarters
http://www.bradreese.com/cisco-power-supply-inventory.htm

 

If you want to be able to check what the VPN user has running on the
user's own computer, then the Cisco name for that is
"Network Admission Control" (NAC)
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
http://www.cisco.com/en/US/products/ps6128/products_white_paper0900aecd802bdc42.shtml

Reviewing those briefly, it appears to me that the client MAC address
must reach the controlling server. I would not have expected that
information to be available remotely, but a short review of some
of the PIX 6 commands suggests to me that the MAC must in fact be
transported as part of an IPSec connection... but if I assess
correctly, because those PPTP sessions are not terminating on the PIX
(and indeed -cannot- terminate on a PIX with any current 7.x release!)
then you do not have access to the remote device's MAC unless you can
somehow get the IAS to cooperate (and that's provided that PPTP even
knows.)

You might have to go for 802.1X authentication, having the PPTP user
use EAP or LEAP when authenticating to the IAS, with the IAS sending
the MAC information over to a NAC device. But I suspect that until
you can manage to switch over from PPTP terminating on the IAS
to some other VPN scheme that a NAC appliance would not be able to
impose the policy properly.

So, if you could switch the users from PPTP to IPSec you could possibly
do the trick with a NAC appliance; with the PPTP still in place,
you might have to use the more general "Network Admission Framework".


ObDisclaimer: on this topic, I only know what I've briefly skimmed.
If you want to persue this approach, you should find someone who
knows what they are doing ;-)

 

Hello,

SSL VPN's seem to be taking over in this category. Aventail makes a
nice product
but it's pricey depending on the licenses required.