CISCO PIX 515e, VPN and packet filtering

Post by BigK » Wed, 25 Aug 2004 00:36:40



Greetings CISCO gurus,

I'll try to keep this as brief as possible.  Currently we have a Win2K
server running Routing and Remote Access (RRAS) as the VPN solution for
our business. We have several outside vendors that connect to our VPN
and have access to various machines on our network for FTP, telnet,
etc.

We are using Remote Access Policies and specifically the IP Packet
Filters to limit the IP addresses the vendors have access to when
connected to our network VPN.  If we want to deny all traffic except
traffic to/from 10.1.1.5 to a particular vendor, we can do that.

My question:  We got a CISCO PIX 515e firewall, which I understand has
some VPN capabilities. I know next to squat about CISCO, since I am
not the network administrator.  However, I would like to know: Is it
possible with the 515e to do the same kind of setup as I have with
Microsoft RRAS?  I'd like to be able to set up VPN groups, and be able
to restrict access on VPN connections to certain IP addresses on the
internal network.

The network admin says this isn't possible with the 515e.  He says
once the vendors are connected on the VPN, they become like regular
nodes on the internal network and you cannot packet filter traffic
between the VPN IP address pool and the internal addresses.  He says
we need to buy a dedicated VPN solution to do what I want to do.

Anyone else know differently?  If it can be done, are there online
resources you could point me to so I can show our network admin?

Thanks,

Kevin Meagher


Post by Roman Nakhmans » Wed, 25 Aug 2004 13:36:53



> Greetings CISCO gurus,

> I'll try to keep this as brief as possible.  Currently we have a Win2K
> server running Routing and Remote Access (RRAS) as the VPN solution for
> our business. We have several outside vendors that connect to our VPN
> and have access to various machines on our network for FTP, telnet,
> etc.

> We are using Remote Access Policies and specifically the IP Packet
> Filters to limit the IP addresses the vendors have access to when
> connected to our network VPN.  If we want to deny all traffic except
> traffic to/from 10.1.1.5 to a particular vendor, we can do that.

> My question:  We got a CISCO PIX 515e firewall, which I understand has
> some VPN capabilities. I know next to squat about CISCO, since I am
> not the network administrator.  However, I would like to know: Is it
> possible with the 515e to do the same kind of setup as I have with
> Microsoft RRAS?  I'd like to be able to set up VPN groups, and be able
> to restrict access on VPN connections to certain IP addresses on the
> internal network.

> The network admin says this isn't possible with the 515e.  He says
> once the vendors are connected on the VPN, they become like regular
> nodes on the internal network and you cannot packet filter traffic
> between the VPN IP address pool and the internal addresses.  He says
> we need to buy a dedicated VPN solution to do what I want to do.

> Anyone else know differently?  If it can be done, are there online
> resources you could point me to so I can show our network admin?

> Thanks,

> Kevin Meagher


Hi,
I assume your vendors connect to the VPN using PPTP, right?
It can be done for PPTP, but you need PIX software v6.3.1 or
higher.

1. Configure the PIX using the guide for PPTP with RADIUS auth. from cisco.com.
2. Create an ACL (access list) for each group of VPN users, restricting
them to certain resources on the local network.
3. Configure RADIUS to hand out the attribute "Filter-ID" = acl-number for
the VPN users.

That's all.

Roman Nakhmanson



Post by Tosh » Wed, 25 Aug 2004 14:11:07


> I assume your vendors connect to the VPN using PPTP, right?
> It can be done for PPTP, but you need PIX software v6.3.1 or
> higher.

You can also do the same with no release restrictions (perhaps) and no need
for a RADIUS server, if you wish.
1) Configure as many VPN groups as you need.
2) Assign each group a different pool.
3) Filter each pool on the inside interface.
Bye,
       Tosh.
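As an added illustration of the per-group pool approach above (and of Roman's "one ACL per group" idea), here is a constructed PIX 6.3-style configuration fragment; it is not from the thread or from Cisco. It assumes two vendor groups named vendorA and vendorB, placeholder pool ranges in 10.200.0.0/16, 10.1.1.5 as the permitted internal host from the original post, and that the pool ACL is applied on the outside interface after disabling the IPsec ACL bypass (an assumption; the thread says inside). The crypto/isakmp lines for the VPN Client itself are omitted.

```text
!--- Constructed example, not from the thread. Addresses other than
!--- 10.1.1.5 are placeholders.

!--- Step 2: one address pool per vendor group
ip local pool vendorA-pool 10.200.1.1-10.200.1.30
ip local pool vendorB-pool 10.200.2.1-10.200.2.30

!--- Step 1: one VPN group per vendor, each bound to its own pool
vpngroup vendorA address-pool vendorA-pool
vpngroup vendorA idle-time 1800
vpngroup vendorA password <groupA-preshared-key>
vpngroup vendorB address-pool vendorB-pool
vpngroup vendorB idle-time 1800
vpngroup vendorB password <groupB-preshared-key>

!--- Step 3: filter each pool. Decrypted VPN traffic normally bypasses
!--- interface ACLs because of "sysopt connection permit-ipsec"; with it
!--- off, client traffic is checked against the outside ACL, so each
!--- pool can be limited to the hosts that group is allowed to reach.
!--- (Assumption: outside-interface placement.)
no sysopt connection permit-ipsec
access-list outside_in permit ip 10.200.1.0 255.255.255.224 host 10.1.1.5
access-list outside_in permit ip 10.200.2.0 255.255.255.224 host 10.1.1.6
access-list outside_in deny ip 10.200.0.0 255.255.0.0 any
access-group outside_in in interface outside

!--- Keep pool-to-inside traffic out of NAT so the ACL sees pool addresses
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.200.0.0 255.255.0.0
nat (inside) 0 access-list nonat
```

Because the groups are identified by pool range, `show access-list outside_in` hit counts give a quick per-vendor view of what each group is actually reaching.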