Configure PIX to Apply ACL to Remote Access VPN User During XAUTH?
Posted on 2006-06-21
Want to ALLOW 4 external outside service provider vendors to make a VPN connection to (& through) our PIX515e [Ver 6.3(5)], BUT LIMIT them after VPN tunnel is open to making a Windows Remote Desktop Connection to only the XP workstation LAN client that runs the various Facilities Management applications for our location.
(With fantastic help from ExEX) our new PIX515e 'EasyVPN' server/firewall now requires XAUTH of any remote access clients who attempt to establish remote access VPN connectivity to the internal LAN (192.168.0.0/24). Specifically, the PIX utilizes RADIUS authentication via IAS running on a Windows Server 2003 DC located behind the PIX INSIDE interface on our internal LAN. Works great & I sleep better knowing lost laptops don't equal exposed LAN resources.
Can I configure the PIX & the RADIUS server to apply an ACL to the "VENDOR" AD account during the remote access VPN client XAUTH login process that would limit those guys to connecting to host 192.168.0.105 only? (That PC and the "VENDOR" account have been tightly locked down via Active Directory Group Policy but my VPN solution as currently configured does not limit them to that machine, they could browse our network & use the "VENDOR" account to perform RDC logins on other PCs - Can't have that.)
I also thought about relocating the XP workstation LAN client that runs the various Facilities Management applications for our location to the DMZ (i.e. behind PIX MIDDLE interface)?
I found a good ExEX solution on the very subject of per-user ACLs referring to 2 "excellent" Cisco web resources but neither link worked ("The page you are looking for cannot be found"). Other documentation I see on Cisco's site seems to suggest downloadable PIX ACLs require Cisco Secure ACS which I do not have?
I think I understand from Mr. Holman & Mr. Moore's comments in the above mentioned solution that I can create a separate remote access users group for our outside service providers, but I am clueless on how to tell the RADIUS server (in my case M.S. IAS Server) how to apply an ACL when it receives a request from the PIX to authenticate the "VENDOR" login account?
Expert thoughts from my Expert friends?
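The configuration below is an added example, not part of the original post and not the poster's own config. It shows the approach the question is circling: give the vendor clients their own vpngroup with its own address pool, and then bound that pool with an interface ACL on the PIX so that the only thing it can reach is RDP on 192.168.0.105. Everything that is not in the post is assumed: the group name VENDORS, the pool 192.168.50.0/24, the RADIUS server 192.168.0.10, the server tag VPNRADIUS, the crypto map name OUTSIDE_MAP, and the shared secrets. The syntax is PIX 6.3.

```cisco
! --- XAUTH against the IAS RADIUS server (the post says this already works;
!     addresses, tag and secret here are assumed placeholders) ---
aaa-server VPNRADIUS protocol radius
aaa-server VPNRADIUS (inside) host 192.168.0.10 RadiusSecretHere timeout 5
crypto map OUTSIDE_MAP client authentication VPNRADIUS

! --- Separate vpngroup and address pool for the four vendors.
!     Vendors get this group name/key in their client profile; staff keep theirs. ---
ip local pool VENDOR_POOL 192.168.50.1-192.168.50.10
vpngroup VENDORS address-pool VENDOR_POOL
vpngroup VENDORS dns-server 192.168.0.10
vpngroup VENDORS idle-time 1800
vpngroup VENDORS password VendorGroupKeyHere

! --- Keep VPN pool traffic out of NAT (the staff pool entry is assumed to exist) ---
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Interface ACL: vendor pool may only reach RDP on the facilities workstation ---
access-list OUTSIDE_IN permit tcp 192.168.50.0 255.255.255.0 host 192.168.0.105 eq 3389
access-list OUTSIDE_IN deny ip 192.168.50.0 255.255.255.0 any
! Existing staff-pool and other inbound permits must follow here, or they break too.
access-group OUTSIDE_IN in interface outside

! --- Weak setting (PIX default): decrypted IPsec traffic skips the interface ACL,
!     so OUTSIDE_IN above never sees the vendor sessions. ---
! sysopt connection permit-ipsec
! --- Corrected: make decrypted VPN traffic subject to the outside ACL ---
no sysopt connection permit-ipsec
```

Two cautions before pasting anything like this in. Turning off sysopt connection permit-ipsec applies to every IPsec peer on the box, so the staff pool and any site-to-site tunnels need explicit permits in OUTSIDE_IN or they stop working the moment the command is entered; test from a second session. And this enforces the restriction per group, not per AD account: it holds only as long as the VENDORS group key stays with the vendors. PIX 6.3 also documents taking an ACL name from the standard RADIUS Filter-Id attribute (attribute 11), with the ACL itself defined on the PIX rather than downloaded, which would be the per-account route with IAS; I have not verified that path against 6.3(5) with IAS, so treat it as something to check in the 6.3 configuration guide rather than a tested recipe.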