PIX IpSec Authentication Questions.

dladen
Level 3

I am looking at using a pair of PIX 525s for firewalling and IPsec termination. The firewall will have two physical and about 8 virtual interfaces. I would like to have the PIX be the termination point for IPsec traffic on two interfaces, outside and extranet.

- Is this a valid concept?

- Can I have it set up so users can authenticate from the internet, the extranet, or both?

- Can the PIX support the Microsoft L2TP VPN solution?

- Can the PIX use RADIUS to authenticate remote users and remote management (telnet/ssh to the PIX)? Can it be set up so a user ID can do one or the other or both?

- Can the PIX use one RADIUS server to authenticate remote users and another to authenticate remote management?

- What is the impact to the IPsec users when the PIX does a failover?

Thanks,

Dan Laden

4 Replies

scoclayton
Level 11

- Is this a valid concept?

A - Yes

- Can I have it set up so users can authenticate from the internet, the extranet, or both?

A - Yes

- Can the PIX support the Microsoft L2TP VPN solution?

A - Yes, but support for PPTP and L2TP is being removed from all PIX releases beyond 6.3. So, if you have any plans to upgrade in the future, I would suggest an IPsec solution. The Cisco IPsec client is free of charge with the PIX.

- Can the PIX use RADIUS to authenticate remote users and remote management (telnet/ssh to the PIX)? Can it be set up so a user ID can do one or the other or both?

A - Yes, though configuring the authorization options could be a little tricky.

- Can the PIX use one RADIUS server to authenticate remote users and another to authenticate remote management?

A - Yes

- What is the impact to the IPsec users when the PIX does a failover?

A - All tunnels will fail and need to be re-established. There is no concept of stateful failover for IPsec client connections on the PIX.

Hope this helps.

Scott

Thanks, this is what I needed to know.

- Can the PIX use RADIUS to authenticate remote users and remote management (telnet/ssh to the PIX)? Can it be set up so a user ID can do one or the other or both?

A - Yes, though configuring the authorization options could be a little tricky.

Do you know of a document that details how to do this?

Also, I am familiar with the VPN Concentrator 3030. Are there any functions in the 3030 that cannot be replicated in the PIX firewall?

The 3000 concentrators are a completely different product. They support TCP encapsulation of IPsec packets, IP compression, QoS, etc., all features that PIX OS 6.3 does not offer.

The documentation details you are looking for would be related to the RADIUS server you are planning to use for this function. All the PIX cares about getting is a YES or NO from the authentication server. You would need to make sure your AAA server can make a distinction between a VPN client connection and an admin connection.

As has been pointed out, the VPN 3000 series is a full featured VPN platform. The PIX, while very capable, does not offer near the number of "bells and whistles" as the 3000 does with respect to VPN functionality.

Scott
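The cleanest way to keep VPN users and administrators apart on PIX 6.3, as discussed in the two answers above, is to point them at different AAA server groups rather than asking one RADIUS server to tell the two kinds of requests apart. The configuration below is an added example written for this thread; it is not from the original posts or from Cisco documentation. The server-group names, the interface names, the 10.1.1.x addresses and the shared secrets are constructed placeholders, and the crypto map name `outside_map` is assumed to be the map already applied to the outside interface.

```text
! Constructed example: two RADIUS server groups, one per role
! Group used only for remote-access (XAUTH) VPN users
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH (inside) host 10.1.1.10 vpn-secret-placeholder timeout 10

! Group used only for management access to the PIX itself
aaa-server ADMINAUTH protocol radius
aaa-server ADMINAUTH (inside) host 10.1.1.11 admin-secret-placeholder timeout 10

! Bind the IPsec client (XAUTH) user authentication to the VPN group
crypto map outside_map client authentication VPNAUTH

! Bind every management path to the admin group; the VPN server never
! sees these requests, so a VPN-only account cannot log in to the PIX
aaa authentication ssh console ADMINAUTH
aaa authentication telnet console ADMINAUTH
aaa authentication http console ADMINAUTH
aaa authentication serial console ADMINAUTH
aaa authentication enable console ADMINAUTH

! Limit where management sessions may originate (constructed management subnet)
ssh 10.1.1.0 255.255.255.0 inside
```

Because each group only ever receives requests for one role, the YES/NO that Scott describes is sufficient: a user known only to the server behind VPNAUTH gets a NO from ADMINAUTH, and vice versa. A user who needs both roles simply exists on both servers. If both groups must share a single RADIUS host, the server has to distinguish the requests itself (for example by the NAS-IP-Address or Service-Type attribute in each request), which is the part Scott warns is tricky and which depends entirely on the RADIUS product in use. Verify the result with `show aaa-server` and by watching `debug radius` during one VPN login and one SSH login, confirming that each request goes to the intended host.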