07-24-2008 11:02 AM - edited 02-21-2020 03:51 PM
We have two firewalls from different vendors, with the first level being a Cisco firewall. The setup is:
ISP <--> (Router) <--> (Cisco Firewall) <--> (other vendor firewall) <--> Internal LAN
We need to give remote users (with VPN clients installed) access to some resources in the internal LAN.
My question is: where should I configure my IPsec VPN, for best security practice, considering that my router, Firewall-1 and Firewall-2 all support VPN features?
Also, I want to allow the remote users (who get assigned a local IP from the internal IP pool) access to specific resources (read: servers) and specific ports.
So can I implement an access-list after the VPN is terminated and the users get their local pool IPs?
Thanks & Regards
MD
Solved! Go to Solution.
07-25-2008 05:12 AM
Hello MD,
What is the version of code you are running on your PIX? If you are running a 6.x version of code, then you will not have the option to use the vpn-filter command to restrict access to certain IP addresses.
You ought to be running a 7.x version for that, where you can specify an ACL to restrict traffic.
Also, only some PIX firewalls can be upgraded to a 7.x version; please look at the link given below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1
If you cannot upgrade the PIX to a 7.x version, then you might have to use another VPN device.
Hope this answers your questions. Rate this post if it helped.
Cheers,
Gilbert
07-24-2008 11:34 AM
MD,
What kind of Cisco Firewall do you have?
If it is an ASA, then terminate the VPN clients on the Cisco firewall. On the ASA you can implement the feature called vpn-filter, which restricts access for the users according to the group-policy they get assigned to.
Hope this answers your question. Let me know.
Thanks
Gilbert
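What Gilbert's two replies describe, written out as an ASA 7.x configuration. This is an added example, not configuration from the thread or from Cisco's own documentation; the object names (RA-POOL, RA-VPN-FILTER, RA-VPN-GP, RA-VPN), the client pool 10.10.10.0/24, the server addresses 192.168.1.x and the pre-shared key are all placeholders I chose, and the ISAKMP policy, transform set and dynamic crypto map that actually bring the IPsec tunnel up are assumed to be configured already.

```cisco
! Assumed names and addresses (chosen for this example, not from the thread):
!   RA-POOL        10.10.10.1-10.10.10.50  -> addresses handed to VPN clients
!   192.168.1.10   -> internal web server   (HTTPS only)
!   192.168.1.20   -> internal mail server  (submission and IMAPS)
!   192.168.1.5    -> internal DNS server
!
! --- Why a vpn-filter is needed at all ------------------------------------
! On ASA 7.x this is on by default: decrypted VPN traffic skips the
! interface access-lists, so without a vpn-filter a client in the pool can
! reach anything behind the inside interface.
sysopt connection permit-vpn

! --- Address pool handed to remote-access clients ---------------------------
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! --- vpn-filter ACL: source = client pool, destination = internal host ------
! For remote-access clients the filter is written with the client pool as
! the source and the local server as the destination. The ASA applies it in
! both directions and drops anything not listed (implicit deny at the end).
access-list RA-VPN-FILTER remark Web server, HTTPS only
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-list RA-VPN-FILTER remark Mail server, submission and IMAPS
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 587
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 993
access-list RA-VPN-FILTER remark Internal DNS so names resolve over the tunnel
access-list RA-VPN-FILTER extended permit udp 10.10.10.0 255.255.255.0 host 192.168.1.5 eq 53
! No "permit ip any any" here: every other server and port stays unreachable.

! --- Group policy that carries the filter -----------------------------------
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value RA-VPN-FILTER
 dns-server value 192.168.1.5

! --- Tunnel group the IPsec clients connect to (7.x keyword: ipsec-ra) ------
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-VPN-GP
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key REPLACE-WITH-A-REAL-GROUP-KEY
```

Two checks worth doing after a client connects: `show vpn-sessiondb detail remote` lists the filter name attached to each session, and `show access-list RA-VPN-FILTER` shows per-line hit counts, so a server that "cannot be reached" can be traced to the implicit deny rather than to the inner firewall. Do not reuse RA-VPN-FILTER as an interface `access-group`; keep it a vpn-filter only. In the two-firewall layout from the question, the other vendor's firewall still sees the pool addresses as the source of this traffic, so it needs matching rules (pool to the same servers and ports) or the vpn-filter will pass connections that the inner firewall then drops.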
07-24-2008 10:23 PM
Thanks Gilbert, for your suggestion.
We have the PIX firewall, behind which there is one more firewall, behind which is the server farm.
So let me know whether it would be wise to load the PIX with this additional responsibility, or whether we should have another VPN appliance to support remote-access IPsec VPN.
Also, I want to restrict the remote-access VPN clients to only a few servers and specific ports. As such, where can we configure the access lists?
Thanks, Regards
MD