Solved

Automate VPN client software based on the defined network

Posted on 2006-06-24
Last Modified: 2013-11-16
Dears,

I'm running Cisco VPN client 4.6 for Windows XP. I have configured remote access in the PIX firewall, which is running software version 7.0(2).

Basically we will invoke the VPN client software in our system to establish the tunnel with our organization network.

But my requirement is the following.

Let's suppose the user takes their laptop home and plugs it into the ISP network. I need to automate the VPN client software on my laptop whenever traffic gets initiated through dial-up, ADSL and Wi-Fi, based on the network list.

To give an overview, once the VPN client finds a foreign address on the network card (say, a public IP address other than the organization's internal LAN IP), it should not allow the users to access the internet. It should have control of the adapters so that no traffic will be initiated out unless the user gets authenticated by the VPN client.

At the same time, if the interface receives the organization LAN IP address, the VPN client utility should not come up for authentication, so that the users can connect to their office network.

Is there a way to integrate the VPN client utility with all the adapters, at least with the LAN NIC?

Are there any 3rd party VPN client products that will support this feature with the PIX firewall?

Kindly advise me how to go about it.

Your valuable feedback is appreciated.


rgds
sai
Question by:vijaikanagaraj
6 Comments
 
LVL 23

Accepted Solution

by:
Erik Bjers earned 1500 total points
ID: 16977562
Not sure you can do this with a VPN client.

My network requires the same thing you are trying to do.  If a laptop leaves the office they are only allowed to connect to the VPN and nothing else.

The way I do it is with Symantec Client Security (specifically the firewall side).

Create a managed firewall policy that will not allow the user to change, delete, or disable it.  The policy should allow ICMP Echo commands to any address (this is a ping), inbound DHCP, and outbound UDP ports 62514, 62515, and 500 (also TCP 1000 if you are using TCP VPN) to the external IP(s) of your VPN server.

The end result is the laptop can get an IP from the DHCP server at the user's home, can ping (needed to keep some connections alive), and they will be able to connect to your VPN AND NOTHING ELSE.

I'm sure you can do this with other managed firewall clients like Zone Alarm but I can only help with Symantec as that is what I use.

good luck

eb
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16980505
Use the auto initiation feature of the Cisco VPN client:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/admin/vcach4.htm

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16980625
The ports mentioned above are relative to your setup; for our VPN we use UDP port 20000 for the connections, and we allow DHCP broadcasts. The Cisco VPN firewall is only active when the VPN client software is connected to a VPN end point, so you could use its own firewall to set these rules up once connected... however to keep the users from connecting to other resources like wifi, or a local LAN... that may be a little tougher. You can set up a 3rd party firewall program to only allow access to the public IPs of your VPNs and their ports, as well as allowing traffic to a certain private subnet once connected. You can use Windows IPSec filters, built in since win2k, or a 3rd party like ZoneAlarm. ZoneAlarm Pro can have a password assigned to it so that only those who have the pass can allow certain actions; if the pass isn't known, then all one can do is select "deny" or ignore. I'd take away admin priv's from the users' accounts whenever possible also. ZoneAlarm can't be safely and properly uninstalled without the password, but it could be bypassed if the users have admin rights. Firewalls are stateful, so if your PC sends out a DHCP broadcast, the firewall should be smart enough to allow the answer back through, but not all firewalls are smart enough, especially with something like DHCP as it's a broadcast, and is a sessionless protocol.

-rich
0

 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16980651
Symantec's client firewall is also stateful, and has password protected uninstall.  You can also lock it down to the point where users (admins included) cannot change any settings or disable the firewall.
0
 

Author Comment

by:vijaikanagaraj
ID: 16981272
Hi folks,

Thanks for your response. As per ejbers' comment, it addresses my problem somehow. But what would happen if I connect my same laptop to my internal network? Will it allow the normal traffic?

My requirement is that the VPN client should act based on the IP address received by the interface.

If it is an ISP address then it should block the users from accessing the internet and they should only pass through the VPN client; in the same way, if it is an internal IP address then the user will access the LAN as usual.

We have tried the Auto-initiation feature, which was not the solution for this solution. It works well only within LANs, if you move from one LAN to another LAN.

To add more on this, I have Cisco Security Agent software also installed. Can this achieve the firewall functionality in terms of restricting the ports?

rgds
sai

0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16981363
Symantec's client firewall works with locations and you can set rules based on location.  You can set it up so that when the laptop has an IP from your network it has internet connectivity and anything else you allow.  You then set the default location (anything that is not defined as another location) to block everything except connectivity to your domain.

I'm not sure about the CISCO security agent as I've never used it myself.
0
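A Python model of the location-based policy described in the answers above, added here as an illustration; it is not code from any poster and not Symantec or Cisco configuration. The internal range `10.20.0.0/16`, the VPN server address `203.0.113.10` and the function names are assumptions, and the ports are the ones quoted in the accepted answer.

```python
import ipaddress

# Assumptions for illustration (not from the thread): office LAN range and
# the VPN server's external address (a documentation-range address).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
VPN_SERVERS = {ipaddress.ip_address("203.0.113.10")}
# Ports quoted in the accepted answer; they depend on the VPN setup.
VPN_UDP_PORTS = {500, 62514, 62515}
VPN_TCP_PORTS = {1000}


def location(adapter_ips):
    """Return 'office' only if every addressed adapter is on the internal LAN."""
    ips = [ipaddress.ip_address(a) for a in adapter_ips]
    ips = [ip for ip in ips if not ip.is_link_local and not ip.is_loopback]
    if ips and all(any(ip in net for net in INTERNAL_NETS) for ip in ips):
        return "office"
    return "default"  # anything not defined as another location


def decide(adapter_ips, direction, proto, remote_ip, lport=0, rport=0, icmp_type=None):
    """Return 'allow' or 'block' for the first packet of a flow.

    Replies to allowed flows are assumed to be admitted by stateful tracking,
    except DHCP, which is allowed in both directions by explicit rule because
    a broadcast request may not be matched to its answer.
    """
    if location(adapter_ips) == "office":
        return "allow"
    remote = ipaddress.ip_address(remote_ip)
    if proto == "icmp":
        ok = direction == "out" and icmp_type == 8  # echo request (ping)
    elif proto == "udp" and (lport, rport) == (68, 67):
        ok = True  # DHCP client port 68 <-> server port 67
    elif proto == "udp":
        ok = direction == "out" and remote in VPN_SERVERS and rport in VPN_UDP_PORTS
    elif proto == "tcp":
        ok = direction == "out" and remote in VPN_SERVERS and rport in VPN_TCP_PORTS
    else:
        ok = False
    return "allow" if ok else "block"
```

Location here is decided by address alone, so a home network that hands out addresses from the same private range as the office would be classified as `office`. A laptop with one adapter on the office LAN and another on a foreign network is treated as `default`.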


Question has a verified solution.
