VPN Connection Process

Posted on 2004-11-14
Last Modified: 2013-11-16
I currently connect to my office network using a PPTP VPN from my XP machine at home. The office uses a Cisco 2600 router and an ISA server for a firewall. I first connect to the router and receive a NATed IP address for the DMZ. Then I make a second connection to the ISA into the internal network. All works well.
I am about to replace the ISA with a PIX.  With the new config, the router will not do NAT as it will now be handled by the PIX.

Typically, should I require authentication at the router or simply pass through to the external interface of the PIX and establish the connection there?
Question by: cisdoz2
    LVL 36

    Accepted Solution

    You have two main choices.

    1) Pass all PPTP traffic straight through to the ISA server so that it handles the VPN connections.

    2) Have the PIX handle the VPN connections itself.

    My personal choice would be the second option as I prefer to keep the firewall performing all firewall type tasks.
    You can have the PIX use Windows as an authentication server by using the RADIUS server that it comes with. I know this certainly works using IPSEC and the Cisco client, but I am not 100% sure about using PPTP.
    LVL 79

    Expert Comment

    Agree with my good friend grblades..
    Use the capabilities of the PIX as the VPN endpoint, and use the Cisco IPSEC VPN client instead of the Microsoft PPTP client if you want maximum control over your users, and maximum security. You can retire the ISA server, or use it to its maximum advantage as a one-legged proxy server only.

    I am 100% sure that the PIX can/will be a PPTP server endpoint, but again, the Cisco VPN client is much more secure...
    LVL 3

    Expert Comment

    Sorry to jump in guys but here's a link that will help you in setting up the PIX to do RADIUS through Windows 2000 or 2003 servers
