https://community.cisco.com/t5/network-access-control/proxy-authentication/m-p/841699#M5528 <P>I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B. </P><P> </P><P>User--Internet--R1FW---R2--R3FW--VPNConcentrator |</P><P> ACS </P><P></P><P>The requirement is for User which is a mobile user of Customer A to connect to Customer?s B VPN concentrator and open a IPSEC connection using Cisco VPN client. </P><P></P><P>User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.</P><P></P><P></P><P>The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW. </P><P>Since this is a mobile user it can connect from different places so he does not use a single IP.</P><P></P><P>Here are my thoughts/questions to address this issue:</P><P></P><P>1. Is it possible to assign User with a static IP when authentication with the ACS along with proxy authentication?</P><P>2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?</P><P>3. Is there another solution to achieve the above: 1. authentication of mobile users and static IP assignment?</P><P></P><P>Thanks,</P><P>Evi</P><P> </P><P></P> Fri, 21 Feb 2020 18:19:14 GMT epekou 2020-02-21T18:19:14Z https://community.cisco.com/t5/network-access-control/proxy-authentication/m-p/841699#M5528 <P>I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B. </P><P> </P><P>User--Internet--R1FW---R2--R3FW--VPNConcentrator |</P><P> ACS </P><P></P><P>The requirement is for User which is a mobile user of Customer A to connect to Customer?s B VPN concentrator and open a IPSEC connection using Cisco VPN client. </P><P></P><P>User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.</P><P></P><P></P><P>The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW. </P><P>Since this is a mobile user it can connect from different places so he does not use a single IP.</P><P></P><P>Here are my thoughts/questions to address this issue:</P><P></P><P>1. Is it possible to assign User with a static IP when authentication with the ACS along with proxy authentication?</P><P>2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?</P><P>3. Is there another solution to achieve the above: 1. authentication of mobile users and static IP assignment?</P><P></P><P>Thanks,</P><P>Evi</P><P> </P><P></P> Fri, 21 Feb 2020 18:19:14 GMT https://community.cisco.com/t5/network-access-control/proxy-authentication/m-p/841699#M5528 epekou 2020-02-21T18:19:14Z https://community.cisco.com/t5/network-access-control/proxy-authentication/m-p/841700#M5532 <HTML><HEAD></HEAD><BODY><P>Does the Concentrator have connectivity with Cust A's ACS server? I assume so. The best way to assign the remote client an IP address is to use an IP pool which is attached to the VPN user's group. Then Cust B would be able to build fw rules around this subnet. Be sure to use NARs to permit only authentication to the VPN and not any other RADIUS/TACACS+ clients. HTH.</P></BODY></HTML> Fri, 14 Dec 2007 03:01:29 GMT https://community.cisco.com/t5/network-access-control/proxy-authentication/m-p/841700#M5532 j.langton 2007-12-14T03:01:29Z