VPN Connection Process

I currently connect to my office network using a PPTP VPN from my XP machine at home.  The office uses a Cisco 2600 router and an ISA server for a firewall.  I first connect to the router and receive a NATed IP address for the DMZ.  Then I make a second connection to the ISA into the internal network.  All works well.
I am about to replace the ISA with a PIX.  With the new config, the router will not do NAT as it will now be handled by the PIX.

Typically, should I require authentication at the router or simply pass through to the external interface of the PIX and establish the connection there?
cisdoz2 Asked:

grblades Commented:
You have two main choices.

1) Pass all PPTP traffic straight through to the ISA server so that it handles the VPN connections.

2) Have the PIX handle the VPN connections itself.

My personal choice would be the second option as I prefer to keep the firewall performing all firewall type tasks.
You can have the PIX use Windows as an authentication server by using the RADIUS server that it comes with. I know this certainly works using IPSEC and the Cisco client but I am not 100% sure about using PPTP.
lrmoore Commented:
Agree with my good friend grblades..
Use the capabilities of the PIX as the VPN endpoint, and use the Cisco IPSEC VPN client instead of the Microsoft PPTP client if you want maximum control over your users, and maximum security. You can retire the ISA server, or use it to its maximum advantage as a one-legged proxy server only.

I am 100% sure that the PIX can/will be a PPTP server endpoint, but again, the Cisco VPN client is much more secure...
cnewgaard Commented:
Sorry to jump in, guys, but here's a link that will help you in setting up the PIX to do RADIUS through Windows 2000 or 2003 servers:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.