Lock-and-Key: Dynamic Access List on a Pix 515e?

tsnoke
Level 1

Our corporate network has a Pix 515e w/DMZ at the edge of our network.

We have vendors who want to access their devices inside my network. They want to use a variety of patently insecure applications to facilitate that.

I don't want to leave holes in the firewall for apps like pcanywhere all the time.

I like Lock-and-Key, but I can't figure out how to set it up on a firewall; is it possible?

Or are there any dynamic alternatives that give me authentication, accounting and administration?

Thanks in Advance,

~Timur

3 Replies

ehirsel
Level 6

On the pix you can set up user authen and authorization using external (or, for pix 6.3, local) accounts that would provide the lock and key functionality. The pix doc at www.cisco.com gives examples of that.

The key would be to have the vendors supply their credentials in some type of vpn, either pptp, l2tp, or ipsec. IPSec is the best method, but it may not be workable depending upon how the vendors will connect. If the connections will always be from a support center, you can ask them if it is possible to set up a site-to-site vpn between your network and theirs. This would be done for each vendor.

You can use pptp if the vendor support is a field agent who will always be mobile and connecting from different locations. You can use remote-access ipsec as well, using the cisco client. The newer versions (v 4.0 and higher) of the cisco vpn client can work with other vpn clients. The main issue with vpn is whether the vendor will be willing to install it on their computer. And how do you control the config changes, and what if personnel rotate?

PPTP may be your best bet along with AAA authen. Use a radius server if you can to allow for per-user downloadable access-lists so that you can store and manage the acls on a central server.

I hope this helps. Again I refer you to the pix doc at www.cisco.com for more details.

Are there any examples of a pix config using dynamic access lists?

I would like to see how to implement Lock-and-Key on a PIX, but I don't quite see how to use telnet to identify a host for the dynamic access list.

Can you post an example, or include a URL with an example?

Thanks in advance,

~t

Here is a link relating to downloadable ACLs that are stored on a RADIUS server (tacacs+ cannot be used yet):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1030990

Here is the link relating to AAA:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#1090040

Lock-and-Key is an IOS Firewall feature set term; the PIX relies on AAA authorization to implement the same features. Unlike FWSM, you can use more than telnet to a virtual interface; you can use pptp/l2tp/ipsec/http/https as well as telnet to authen users too.

If you want to use the virtual telnet (or https) on the pix, this link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1037665

will explain the virtual telnet/http/https capabilities of the pix 6.3 code.

All of the links relate to the pix 6.3 code and should get you the info you need.

Let me know if this helps.
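The thread points at the docs but never shows the config the original poster asked for. The following is an added example, not posted by either participant and not taken from the Cisco docs linked above: a PIX 6.3-style fragment that gates a vendor's pcAnywhere session (TCP 5631) behind RADIUS authentication via virtual telnet, with accounting and a short uauth timeout so the permission expires on its own. All names, addresses, the shared key and the server tag are constructed placeholders; the static translation and outside access-group that expose the DMZ host are assumed to exist already.

```text
: Added example, not from the thread. PIX 6.3 syntax; every address, name,
: port and key below is a constructed placeholder.
:
: RADIUS server on the inside, used for authentication and accounting.
aaa-server VENDORAAA protocol radius
aaa-server VENDORAAA (inside) host 10.1.1.5 PLACEHOLDER-shared-key timeout 10
:
: Virtual telnet target: an otherwise unused address reachable from outside.
: The vendor telnets here, enters RADIUS credentials, and is disconnected;
: nothing listens behind it. This is the PIX equivalent of Lock-and-Key's
: "telnet to the router to open the dynamic entry".
virtual telnet 192.0.2.50
:
: Traffic that must be authenticated before the PIX passes it: the virtual
: telnet itself and the pcAnywhere control port on the DMZ device.
access-list VENDOR_AUTH permit tcp any host 192.0.2.50 eq telnet
access-list VENDOR_AUTH permit tcp any host 172.16.1.10 eq 5631
aaa authentication match VENDOR_AUTH outside VENDORAAA
aaa accounting match VENDOR_AUTH outside VENDORAAA
:
: Authenticated (uauth) entries expire: 30 minutes hard limit,
: 10 minutes idle. Once expired the vendor must re-authenticate.
timeout uauth 0:30:00 absolute
timeout uauth 0:10:00 inactivity
:
: Per-user restriction (assumption about the server side): the RADIUS server
: returns a per-user ACL in a Cisco vendor-specific attribute, e.g.
:   ip:inacl#1=permit tcp any host 172.16.1.10 eq 5631
: so each vendor is confined to its own device rather than everything the
: outside access-group allows. See the mngacl.htm link above for the
: supported format on 6.3.
```

The interface access-group still has to permit the port, so this does not open anything new; it adds a second gate in front of a hole that would otherwise be open all the time, and the RADIUS accounting records give the per-vendor audit trail the original question asked for. Verify with `show uauth` after a test login that the entry is created for the vendor's source address and disappears when the timeout elapses.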
