

VPN Connection Process

Posted on 2004-11-14
Medium Priority
Last Modified: 2013-11-16
I currently connect to my office network using a PPTP VPN from my XP machine at home. The office uses a Cisco 2600 router and an ISA server for a firewall. I first connect to the router and receive a NATted IP address for the DMZ. Then I make a second connection to the ISA into the internal network. All works well.
I am about to replace the ISA with a PIX.  With the new config, the router will not do NAT as it will now be handled by the PIX.

Typically, should I require authentication at the router or simply pass through to the external interface of the PIX and establish the connection there?
Question by: cisdoz2

Accepted Solution

grblades earned 2000 total points
ID: 12579808
You have two main choices.

1) Pass all PPTP traffic straight through to the ISA server so that it handles the VPN connections.

2) Have the PIX handle the VPN connections itself.

My personal choice would be the second option as I prefer to keep the firewall performing all firewall type tasks.
You can have the PIX use Windows as an authentication server by using the RADIUS server that it comes with. I know this certainly works using IPSEC and the Cisco client but I am not 100% sure about using PPTP.

Expert Comment

ID: 12580382
Agree with my good friend grblades..
Use the capabilities of the PIX as the VPN endpoint, and use the Cisco IPSEC VPN client instead of the Microsoft PPTP client if you want maximum control over your users, and maximum security. You can retire the ISA server, or use it to its maximum advantage as a one-legged proxy server only.

I am 100% sure that the PIX can/will be a PPTP server endpoint, but again, the Cisco VPN client is much more secure...

Expert Comment

ID: 12581147
Sorry to jump in guys but here's a link that will help you in setting up the PIX to do RADIUS through Windows 2000 or 2003 servers

