Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
531
Views
0
Helpful
4
Replies

VPNs:replacing a 3000 concentrator with ASAs

faghouri83
Level 1
Level 1

‎10-20-2010 02:58 AM

Hi Everyone

Ive got a bit of a basic question but cant seem to find the answer via google. Not touched firewalls for years so im a bit rusty.

Anyway, I need to replace a vpn 3000 concentrator with 2 asa 5540s in active/standby configuration. The firewalls will be doing nothing but allowing remote IPSEC users and anyconnect users into the internal network.

Basically the asa's will sit behind the dmz (behind checkpoint firewalls). The concentrator 3000 at the moment is communicating with active directory using kerberos for authentication.

What ide like to know is, Can i simply do the same with the ASA's? Can i just authenticate users using kerberos and leave it at that? or will i need to  use LDAP to set up Authorisation?

Basically Im hoping its going to be as easy as copying the kerberos info from the concentrator to the ASAs and allowing remote vpn users to get access to everything in the internal network.

As you can see, im more or less starting from scratch with firewalls so any help is appreciated. Thanks

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎10-20-2010 03:21 AM

Are you doing any authorization at the moment with VPN3000, or only authentication?

Here is a sample configuration on ASA to use Kerberos to authenticate and LDAP for authorization:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

However, pls kindly advise if you are actually using authorization on VPN3000 and what authorization you are actually doing. The reason I ask is you might be able to do it differently with ASA configuration.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-20-2010 03:28 AM

Morning,

ASA can do kerberos as AAA server:

ciscoasa(config)# aaa-server NAME protocol kerberos

However kerberos is not used for authorization of VPN users though.

Summary of support per server per functions.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_aaa.html#wp1059666

It can be still user to authenticate users.

Best idea, if you ask me, for authentication and authorization together is to use Radius, IAS servers I believe have option to do it.

Marcin

0 Helpful

faghouri83
Level 1
Level 1

‎10-21-2010 05:14 PM

Thanks for that!

Ive checked the VPN concentrator and it has only been configured with authentication via kerberos. What i need to configure is a basic setup on the firewalls so that remote users can log in via IPSEC (using vpn client) and cisco anyconnect. Can I simply use Kerberos to authenticate via active directory and leave it at that? Im not very familiar with Active directory and LDAP etc so ide rather not implement that if i dont have to.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to faghouri83

‎10-21-2010 05:16 PM

Absolutely yes. You can just configure Kerberos for authentication if you don't require any authorization.

0 Helpful
Customers Also Viewed These Support Documents