PIX plus PKI

Discussion in 'Cisco' started by Michael, Dec 18, 2003.

  1. Michael

    Michael Guest

    Hi all,

    We're using PIX 515R version 6.3 as firewall and VPN gateway provided for
    remote dial-in IPsec users to connect to the company's inside network. Our R&D
    team issued a PKI solution with smart card and card reader connected to
    users' computers to do authentication. Certificates are stored in Microsoft
    AD and we use Windows 2000 server with Certificate Service as CA server. Our
    manager wants the solution to be applied to our PIX to provide remote IPsec
    users login with smart card.

    How many things do I have to do for the Cisco VPN Client software?
    How many things do I have to do for the PIX itself?

    Thanks!!
     
    Michael, Dec 18, 2003
    #1

  2. Configure the usual stuff for remote VPN clients authenticating with
    certificates. Do not configure vpngroup; this will allow VPN over NAT using
    the Cisco VPN Client, but will break the certificate authentication altogether.
    Furthermore: if you are using vpngroup, the OU part in the certificate
    subject must be chosen carefully in order to work with the PIX.
     
    Lutz Donnerhacke, Dec 18, 2003
    #2

  3. :We're using PIX 515R version 6.3 as firewall and VPN gateway provided for
    :remote dial-in ipsec users to connect to company's inside network. Our R&D
    :team issued a PKI solution with smart card and card reader connected to
    :users' computers to do authentication. Certificates are stored in Microsoft
    :AD and we use Windows 2000 server with Certificate Service as CA server.

    I've never implemented certificates, so I don't know the ins and outs
    myself. There were, though, recent reports in this newsgroup that
    in at least some setups, Windows 2000 server CA was incompatible
    with PIX, and that Windows 2003 server CA was required instead
    (or at least replacing the CA part on the 2000 server.)


    If you google recent postings in this group for PIX CA 2003
    then you will probably be able to make more sense of the situation
    than I did.
     
    Walter Roberson, Dec 18, 2003
    #3
  4. Michael

    Jason Kau Guest

    This is detailed here:

    "IPSec Between PIX and Cisco VPN Client Using Smartcard Certificates
    Configuration Example"
    http://www.cisco.com/warp/public/471/configipsecsmart.html
     
    Jason Kau, Dec 18, 2003
    #4