https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351766#M2947 <HTML><HEAD></HEAD><BODY><P>The 3000 concentrators are a completely different product, they support tcp encapsulation of IPSec packets, ip compression, QOS, etc - all features that 6.3 pix os does not offer</P></BODY></HTML> Thu, 24 Feb 2005 18:41:06 GMT mostiguy 2005-02-24T18:41:06Z https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351763#M2944 <P>I am looking at using a pair of PIX 525 for firewalling and ipsec termination. The firewall will have two physical and about 8 virtual interfaces. I would like to have the pix be the termination point for ipsec traffic on two interfaces, outside and extranet.</P><P>-Is this a valid concept.</P><P>-Can I have it setup so user can authenticate from the internet, extranet, or both.</P><P>-Can the PIX support the Microsoft L2TP VPN solution.</P><P>-Can the PIX use RADIUS to authenticate remote users and remote management (telnet/ssh to the PIX)...can it be setup so the user ID can do one or the other or both. </P><P>-Can the PIX use one RADIUS server to authenticate remote users and another to authenticate remote management.</P><P>-What is the impact to the ipsec users when the PIX does a failover.</P><P></P><P>Thanks,</P><P>Dan Laden</P><P></P> Fri, 21 Feb 2020 18:12:24 GMT https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351763#M2944 dladen 2020-02-21T18:12:24Z https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351764#M2945 <HTML><HEAD></HEAD><BODY><P>-Is this a valid concept. </P><P>A - Yes</P><P></P><P>-Can I have it setup so user can authenticate from the internet, extranet, or both. </P><P>A - Yes</P><P></P><P>-Can the PIX support the Microsoft L2TP VPN solution.</P><P>A - Yes, but support for PPTP and L2TP are being removed from all PIX releases beyond 6.3. So, if you have any plans to upgrade in the future, I would suggest an IPSec solution. The Cisco IPSec client is free of charge with the PIX.</P><P> </P><P>-Can the PIX use RADIUS to authenticate remote users and remote management (telnet/ssh to the PIX)...can it be setup so the user ID can do one or the other or both.</P><P>A - Yes, though configuring the authorization options could be a little tricky.</P><P> </P><P>-Can the PIX use one RADIUS server to authenticate remote users and another to authenticate remote management. </P><P>A - Yes</P><P></P><P>-What is the impact to the ipsec users when the PIX does a failover. </P><P>A - All tunnels will fail and need to re-established. There is no concept of stateful failover for IPSec client connections on the PIX.</P><P></P><P>Hope this helps.</P><P></P><P>Scott</P><P></P></BODY></HTML> Thu, 24 Feb 2005 15:52:28 GMT https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351764#M2945 scoclayton 2005-02-24T15:52:28Z https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351765#M2946 <HTML><HEAD></HEAD><BODY><P>Thanks, this is what I needed to know.</P><P></P><P>-Can the PIX use RADIUS to authenticate remote users and remote management (telnet/ssh to the PIX)...can it be setup so the user ID can do one or the other or both.</P><P>A - Yes, though configuring the authorization options could be a little tricky. </P><P></P><P>Do you know of a document that details how to do this.</P><P></P><P>Also, I am familiar with the VPN Concentrator 3030, are their any function in the 3030 that cannot be replicated in the PIX firewall.</P><P></P><P></P></BODY></HTML> Thu, 24 Feb 2005 16:23:55 GMT https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351765#M2946 dladen 2005-02-24T16:23:55Z https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351766#M2947 <HTML><HEAD></HEAD><BODY><P>The 3000 concentrators are a completely different product, they support tcp encapsulation of IPSec packets, ip compression, QOS, etc - all features that 6.3 pix os does not offer</P></BODY></HTML> Thu, 24 Feb 2005 18:41:06 GMT https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351766#M2947 mostiguy 2005-02-24T18:41:06Z https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351767#M2948 <HTML><HEAD></HEAD><BODY><P>The documentation details you are looking for would be related to the RADIUS server you are planning to use for this function. All the PIX cares about getting is a YES or NO from the authentication server. You would need to make sure your AAA server could make a distinction between a VPN client connection and an admin connection.</P><P></P><P>As has been pointed out, the VPN 3000 series is a full featured VPN platform. The PIX, while very capable, does not offer near the number of "bells and whistles" as the 3000 does with respect to VPN functionality.</P><P></P><P>Scott</P></BODY></HTML> Thu, 24 Feb 2005 19:25:31 GMT https://community.cisco.com/t5/network-access-control/pix-ipsec-authentication-questions/m-p/351767#M2948 scoclayton 2005-02-24T19:25:31Z