01-19-2005 04:13 PM - edited 02-21-2020 01:33 PM
Hi all
I'm currently investigating ways to implement VPN tunnels (using IPSec) to permit "road warriors" to be able to connect to the Enterprise network via the Internet. I currently run a PIX 515E fw and would like to use this fw to terminate the VPN connection point (which will be running Cisco VPN client app). I'd like to know the following:
1. Whether it's possible to configure the PIX to dynamically assign the appropriate private IP address (to the tunnel) based on the type of users that coming in? (eg, IT will have one DHCP scope, Sales will have another etc)
2. To do the above, will I have to use multiple public address on the PIX (and of course configure the VPN client with the address)?
3. Will I require a separate interface on the PIX to be able to terminate the VPN tunnels?
4. The VPN clients will be a mixed of Win2K and WinXP platform. If you know of any incompatibility issue, please let me know.
5. Since I'm a newbie to this sort of configuration, it will be greatly appreciated if you can provide me more information directly to my email address vincentn@mediamonitors.com.au
Thanks in advance for your help
01-19-2005 05:02 PM
1. Yes, but you'll have to define two different VPN groups on the PIX with two different IP address pools. Note that the PIX will only assign IP addresses to VPN clients out of a locally configured pool, not via DHCP or Radius.
2. No, not at all, everyone can connect into the outside interface of the PIX. The group that you configure on the VPN client will define the properties (ip pool, DNS, WINS, etc) that are then pushed to that client.
3. No
4. No issues that I know of.
5. See here for details:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
This only defines one group (called "vpn3000"), you can see this defined in the PIX config and then configured on the VPN client. For your scenarion with having two separate groups, just configure a second set of "vpngroup" commands, specifying a different groupname other than "vpn3000". Define a 2nd ip address pool also, and reference that in the 2nd vpngroup commands. This 2nd group name is also what you would configure on the VPN client for those specific users.
01-19-2005 08:18 PM
I should have asked this in the original message but ...
Just another note, let say that the public IP address of the PIX is 11.11.11.1,
1. Will I have to permit all IP traffic from the perimeter router to reach this IP address on the PIX?
2. Additionally, I think that I should permit icmp traffic to this interface also for troubleshooting purposes.
3. What sort of protocol number should I be permitting through the perimeter router through to this public IP address if I wanted to be more restrictive if I don't want step 1 to happen?
Thanks.
01-24-2005 03:12 AM
Hi vincent,
You need not open anything on the outside interface for the public IP 11.11.11.1
You just need IP reachability to 11.11.11.1 from internet. Once this is there, you can connect on the PIX through a VPN client. You just need to configure stuffs, which was given to you by glenn before.
Once you get connected on VPN, you will be a part of the corporate local LAN and will be able to access/ping/telnet all resources on the Local LAN. In case you have an inside access-list on the PIX, make sure you give appropriate permissions , if the local pool is a different subnet than the inside address subnet.
Hope this helps.. all the best...
Raj
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide