Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.
Course Of The Month
9 days, 19 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Configure PIX to Apply ACL to Remote Access VPN User During XAUTH ?
Posted on 2006-06-21
Want to ALLOW 4 external outside service provider vendors to make a VPN connection to (& through) our PIX515e [Ver 6.3(5)], BUT LIMIT them after VPN tunnel is open to making a Windows Remote Desktop Connection to only the XP workstation LAN client that runs the various Facilities Management applications for our location.
(With fantastic help from ExEX) our new PIX515e 'EasyVPN' server/firewall now requires XAUTH of any remote access clients who attempt to establish remote access VPN connectivity to the internal LAN (192.168.0.0/24). Specifically, the PIX utilizes RADIUS authentication via IAS running on a Windows Server 2003 DC located behind the PIX INSIDE interface on our internal LAN. Works great & I sleep better knowing lost laptops don't equal exposed LAN resources.
Can I configure the PIX & the RADIUS server to apply an ACL to the "VENDOR" AD account during the remote access VPN client XAUTH login process that would limit those guys to connecting to host 192.168.0.105 only? (That PC and the "VENDOR" account have been tightly locked down via Active Directory Group Policy but my VPN solution as currently configured does not limit them to that machine, they could browse our network & use the "VENDOR" account to perform RDC logins on other PCs - Can't have that.)
I also thought about relocating the XP workstation LAN client that runs the various Facilities Management applications for our location to the DMZ (i.e. behind PIX MIDDLE interface)?
I found a good ExEX solution on the very subject of per-user ACLs referring to 2 "excellent" Cisco web resources but neither link worked ("The page you are looking for cannot be found"). Other documentation I see on Cisco's site seems to suggest downloadable PIX ACLs require Cisco Secure ACS which I do not have?
I think I understand from Mr. Holman & Mr. Moore's comments in the above mentioned solution that I can create a separate remote access users group for our outside service providers but I am clueless on how to tell the RADIUS (in my case M.S. IAS Server) how to apply an ACL when it recieves a request from the PIX to authenticate the "VENDOR" login account?
Expert thoughts from my Expert friends?
DALVIS
(With fantastic help from ExEX) our new PIX515e 'EasyVPN' server/firewall now requires XAUTH of any remote access clients who attempt to establish remote access VPN connectivity to the internal LAN (192.168.0.0/24). Specifically, the PIX utilizes RADIUS authentication via IAS running on a Windows Server 2003 DC located behind the PIX INSIDE interface on our internal LAN. Works great & I sleep better knowing lost laptops don't equal exposed LAN resources.
Can I configure the PIX & the RADIUS server to apply an ACL to the "VENDOR" AD account during the remote access VPN client XAUTH login process that would limit those guys to connecting to host 192.168.0.105 only? (That PC and the "VENDOR" account have been tightly locked down via Active Directory Group Policy but my VPN solution as currently configured does not limit them to that machine, they could browse our network & use the "VENDOR" account to perform RDC logins on other PCs - Can't have that.)
I also thought about relocating the XP workstation LAN client that runs the various Facilities Management applications for our location to the DMZ (i.e. behind PIX MIDDLE interface)?
I found a good ExEX solution on the very subject of per-user ACLs referring to 2 "excellent" Cisco web resources but neither link worked ("The page you are looking for cannot be found"). Other documentation I see on Cisco's site seems to suggest downloadable PIX ACLs require Cisco Secure ACS which I do not have?
I think I understand from Mr. Holman & Mr. Moore's comments in the above mentioned solution that I can create a separate remote access users group for our outside service providers but I am clueless on how to tell the RADIUS (in my case M.S. IAS Server) how to apply an ACL when it recieves a request from the PIX to authenticate the "VENDOR" login account?
Expert thoughts from my Expert friends?
DALVIS
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
4
8 Comments
Here's a good example using PIX and Radius from our good friend and fellow expert GRBLADES
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
I'm not sure about using MS IAS, but I'll look into it. The PIX config should follow the example in the link above. Just create the acl that you will want to apply to that group..
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
I'm not sure about using MS IAS, but I'll look into it. The PIX config should follow the example in the link above. Just create the acl that you will want to apply to that group..
OK...
Looks like in IAS you want to go into Policies, choose your group/policy,
Edit Profile | Advanced tab | Add
Choose Cisco-AV-pair
Enter your acl name as the string
Looks like in IAS you want to go into Policies, choose your group/policy,
Edit Profile | Advanced tab | Add
Choose Cisco-AV-pair
Enter your acl name as the string
From grblades excellent web link you provided I conclude the following PIX configuration additions are necessary?
Create separate IP Pool & VPN GROUP for Outside Service Vendors
!--- Define a split-tunnel ACL so that all traffic to these addresses are sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list Service_Vendors_splitTunne
!--- Define address pools for the vpn user groups
ip local pool ESPpool 192.168.2.1-192.168.2.6
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!--- Non staff group. These users don't get access to WINS or internal DNS
vpngroup Service_Vendors address-pool ESPpool
vpngroup Service_Vendors split-tunnel Service_Vendors_splitTunne
vpngroup Service_Vendors idle-time 1800
vpngroup Service_Vendors password *********
Create special ACL for Assignment to Outside Service Vendors
!--- DefineACLs to be assigned to users by RADIUS server
access-list vpnservicevendor permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.105 eq 3389
access-list vpnservicevendor deny ip any any log
Create separate IP Pool & VPN GROUP for Outside Service Vendors
!--- Define a split-tunnel ACL so that all traffic to these addresses are sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list Service_Vendors_splitTunne
!--- Define address pools for the vpn user groups
ip local pool ESPpool 192.168.2.1-192.168.2.6
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!--- Non staff group. These users don't get access to WINS or internal DNS
vpngroup Service_Vendors address-pool ESPpool
vpngroup Service_Vendors split-tunnel Service_Vendors_splitTunne
vpngroup Service_Vendors idle-time 1800
vpngroup Service_Vendors password *********
Create special ACL for Assignment to Outside Service Vendors
!--- DefineACLs to be assigned to users by RADIUS server
access-list vpnservicevendor permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.105 eq 3389
access-list vpnservicevendor deny ip any any log
Looks like you're on the right path..
"vpnservicevendor" becomes the string you add in the IAS Cisco-AV-pair
"vpnservicevendor" becomes the string you add in the IAS Cisco-AV-pair
Irmoore your technical prowess astounds me.
Application of those configuration changes to the PIX & M.S. IAS (RADIUS) server resulted in a successful connection on the first try that only allows access to the specified host computer (192.168.0.105) via an XP Remote Desktop Connection and nothing else!
We will save enough on service call trip charges to pay for our Experts Exchange subscription and then some.
THANK YOU!!
I Love ExEx,
DALVIS
Application of those configuration changes to the PIX & M.S. IAS (RADIUS) server resulted in a successful connection on the first try that only allows access to the specified host computer (192.168.0.105) via an XP Remote Desktop Connection and nothing else!
We will save enough on service call trip charges to pay for our Experts Exchange subscription and then some.
THANK YOU!!
I Love ExEx,
DALVIS
A correction - actually the "vpnservicevendor" ACL specified in the PIX configuration is NOT being applied to the vpngroup Service_Vendors when they connect.
I just opened a remote access VPN connection as a "Service_Vendor" and noticed that I CAN make XP Remote Desktop connections to hosts other than 192.168.0.105 (although I could not, as intended, browse the LAN or, thanks to Group Policy restrictions, complete the Remote Desktop login using the AD account set up for outside service providers except on the .105 host).
I have not been able to determine whether the problem is a missing statement in the PIX configuration or the configuration of the Remote Access Policy on my Microsoft IAS Server performing RADIUS XAUTH for the PIX?
PIX ACL Config:
!--- DefineACLs to be assigned to users by RADIUS server
access-list vpnservicevendor permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.105 eq 3389
access-list vpnservicevendor deny ip any any log
The first Remote Access Policy defined on my M.S. IAS (RADIUS server) has the following entry on the ADVANCED tab's "SPECIFY ADDITIONAL CONNECTION ATTRIBUTES TO BE RETURNED TO THE REMOTE ACCESS SERVER":
NAME VENDOR VALUE
Cisco-AV-Pair CISCO vpnservicevendor
I would like to resolve this but from a functional standpoint I have achieved the goal of setting up a remote access VPN group for service vendors (separate from our staff group) that allow them to VPN in but limit their access to a single PC. My reason for this follow up post is to prevent confusion (& wasted time) by somebody else trying to use the solution.
Next time I will test more before posting and accepting - my apologies.
DALVIS
I just opened a remote access VPN connection as a "Service_Vendor" and noticed that I CAN make XP Remote Desktop connections to hosts other than 192.168.0.105 (although I could not, as intended, browse the LAN or, thanks to Group Policy restrictions, complete the Remote Desktop login using the AD account set up for outside service providers except on the .105 host).
I have not been able to determine whether the problem is a missing statement in the PIX configuration or the configuration of the Remote Access Policy on my Microsoft IAS Server performing RADIUS XAUTH for the PIX?
PIX ACL Config:
!--- DefineACLs to be assigned to users by RADIUS server
access-list vpnservicevendor permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.105 eq 3389
access-list vpnservicevendor deny ip any any log
The first Remote Access Policy defined on my M.S. IAS (RADIUS server) has the following entry on the ADVANCED tab's "SPECIFY ADDITIONAL CONNECTION ATTRIBUTES TO BE RETURNED TO THE REMOTE ACCESS SERVER":
NAME VENDOR VALUE
Cisco-AV-Pair CISCO vpnservicevendor
I would like to resolve this but from a functional standpoint I have achieved the goal of setting up a remote access VPN group for service vendors (separate from our staff group) that allow them to VPN in but limit their access to a single PC. My reason for this follow up post is to prevent confusion (& wasted time) by somebody else trying to use the solution.
Next time I will test more before posting and accepting - my apologies.
DALVIS
Featured Post
![[Webinar] Learn How Hackers Steal Your Credentials](https://filedb.experts-exchange.com/files/public/2017/5/21/e0b7778f-e79e-4b5d-9ec6-5496e40be42e.png)
Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if its compatible.
http://www.dd-wrt.com/site/support/router-database
http://www.dd-wrt.c…
Overview
Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month9 days, 19 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.