Restricting user(s) access to IP /Protocol via PIX VPN and Windows Server 2003 RADIUS Server

Posted on 2006-04-10
Last Modified: 2013-11-16
500 points up for this one :)

Hey all, I have sifted through pages of related answers to my question before posting and cannot find anything definitive to answer my question, so here's mine, hoping others are in the same predicament:

I am running a Cisco PIX 515 with 2 Windows 2003 Standard servers running as RADIUS servers. Currently, the only users able to use VPN are IT staff, who are given full access to the network. The requirement of low-level users needing email-only access has arisen, and for obvious reasons we wish to segregate their traffic to only the systems required. MS Routing and Remote Access is not being used, so I am unable to implement a filter on this end. This leaves me applying an ACL on the PIX to those users only; could someone help me out in this area, or is there an easier way that I am overlooking?

Many, many thanks!

Question by:suburbia_sims
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Are you running Exchange? Do you have/can you implement Outlook Web Access?
    LVL 11

    Accepted Solution

    You can use downloadable ACLs with the RADIUS server, which basically allows you to place dynamic access lists on a user/group when they log in.

    PIX Version 6

    PIX Version 7
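    As an added illustration of the approach in this answer (not code from the thread, Cisco or Microsoft), here is what the PIX 7.x side looks like when the RADIUS server steers each user into a group policy that carries a restrictive filter. The Exchange server address 192.168.10.5, the IAS server 192.168.10.20, the client pool 10.10.10.0/24 and the names MAIL-ONLY, IT-STAFF, IAS and REMOTE are all assumptions made for the example.

```text
! --- PIX 7.x configuration (added example; all addresses and names
! --- are assumptions chosen for illustration, not from the thread)

! 1. Address pool handed to VPN clients.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254

! 2. Restrictive ACL for mail-only users. For a vpn-filter the client
!    pool sits in the SOURCE position and the internal host in the
!    DESTINATION position; it is applied to traffic in both directions.
access-list MAIL-ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.5 eq 443
access-list MAIL-ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.5 eq 135
! Outlook MAPI also needs the Exchange RPC ports: pin them in the
! Exchange registry first, then add one permit line per pinned port.
access-list MAIL-ONLY extended deny ip any any

! 3. Group policy carrying the filter; users landing here reach
!    nothing except what the ACL above permits.
group-policy MAIL-ONLY internal
group-policy MAIL-ONLY attributes
 vpn-filter value MAIL-ONLY

! 4. IT staff keep an unfiltered policy (no vpn-filter set).
group-policy IT-STAFF internal

! 5. RADIUS server group pointing at the Windows 2003 IAS server.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.168.10.20 SharedSecret

! 6. Tunnel group authenticating against IAS. The default policy is
!    the restrictive one, so a user whose RADIUS reply carries no
!    Class attribute is filtered rather than silently given full access.
tunnel-group REMOTE type ipsec-ra
tunnel-group REMOTE general-attributes
 address-pool VPNPOOL
 authentication-server-group IAS
 default-group-policy MAIL-ONLY

! --- Windows Server 2003 IAS side (Remote Access Policy > Profile >
! --- Advanced tab), one policy per AD group:
!   Policy for the IT-staff group   -> Class (IETF 25) = OU=IT-STAFF;
!   Policy for the mail-only group  -> Class (IETF 25) = OU=MAIL-ONLY;
! The PIX maps a Class value of "OU=<name>;" to the group policy of
! that name, so the ACL follows the user rather than the tunnel group.
```

    The value of the default-group-policy choice is the fail-closed behaviour: a misconfigured IAS policy yields a filtered session, not an unfiltered one. If the 515 is still on PIX 6.x, which has no group-policy or vpn-filter commands, the equivalent per-user policy is returned in the Cisco vendor-specific attribute cisco-av-pair as numbered ACEs (ip:inacl#1=permit tcp any host 192.168.10.5 eq 443, and so on), which the PIX applies as a per-user ACL for that session.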
    LVL 32

    Expert Comment

    Let's see, the users would probably be needing to access their mail through Outlook (OST) and probably access their machines, right?

    In that case, as long as the users don't belong to any administrators group there shouldn't be any problem. The user will be able to connect via VPN -> authenticate via RADIUS to AD and be given the proper permissions. Just add the user to the Remote Desktop Users group on their individual PCs, which you can probably do via a script or so.

    I don't see any other problem, because if they want to get onto a PC, then it is going to be only through Remote Desktop. If you can also make sure that they use *compliant* machines to connect (usually company-provided laptops with all the antivirus and such), then there is no problem at all.

    LVL 32

    Expert Comment

    If it is only for e-mail, I would consider Keith's suggestion of enabling Outlook Web Access (assuming you have Exchange servers for mail). It is very simple to implement, though.
