Solved

VPN Client w/Cisco PIX 506E & What (& how) it Can Do Stuff For My Client's Business

Posted on 2006-06-28
6
382 Views
Last Modified: 2011-08-18
Hello,

With the help of EE member LRMOORE (my Cisco god), I configured a new network with a Cisco 1841T-1 Router and  Cisco PIX 506E Firewall.  I am touching Cisco stuff for the first time in my life by the way and I'm loving the lessons I'm getting.  Guess you have to start somewhere...  EE's the place!  

Anyhoo, we created a VPN group called VPN3000.  

I had told the client that the PIX is VPN-ready but I can't really give him any specific information until I know what the best practices are and how the client's business can start benefiting from VPN connectivity to the office.

First question:
1. When I use the VPN client to connect to the network, I have to log in with the VPN group password.  Once the connection is established, I am prompted for a second user name and password.  I can't log in with the same VPN Group username and password.  When I enter one of the username & password combinations with privilege level 15 that are stored on the PIX, I can then fully authenticate and get onto the network.  What is the best practice in dealing with this?  This is a small business with 20 employees.  Should I create separate accounts and passwords for every employee or is there a way that all employees could use the same username and password?  Again, industry best practice...
2. Once authenticated, what can users actually do on the network?  Is there an easy alternative to WIndows XP's Remote Desktop Connection that they could use to work from their office PC?  Until Active Directory is deployed, the workstations on the network are in a workgroup environment.  This makes managing Windows Firewall almost impossible.  I guess I need to provide the client with an easy sort-of 2-click way to get their desktop computer screen on their home computer & on the road.  Is there proprietary Cisco software for remote desktop (that's free and can somehow run off of the PIX?)
3.  If remote desktop is not a good idea, perhaps they could install their proprietary software on their home PC and access their proprietary database server "locally" via VPN?  This brings me to a different question.  How would I have to configure that on the PIX?  What IOS commands should I issue?  For example, let's say a Unix box called ABC has a public IP of 1.1.1.1 and a private IP of 2.2.2.2.  VPN Group users are on a 3.3.3.3 subnet when they tunnel in.  When a user authenticates into the network via VPN, how can I allow VPN users or the VPN pool of IP's to be able to access only specific ports on the private IP of the server ABC?  Perhaps it would be easier to allow all VPN users or the VPN pool of IP's to have complete unrestricted access to all addresses and ports on the local 2.2.2.x subnet?  I will need the IOS commands to run on the PIX to get this done.  
4.  I guess I just need a brief tutorial or a couple of useful links about the ways that a small business can use the Cisco VPN Client connectivity to its advantage.  I can really think of nothing else other than RDP, perhaps TightVNC and/or access to some resources on the network?  Hold on a second...  another question!
5.  This brings me to a different question and is something that the client will definitely want to do in the future because they're not running A.D. (yet).  Is it possible for the Pix firewall to pass authentication onto an Active Directory server so that users could automatically connect to their resources, i.e. home folder, printer, perhaps even desktop (through Terminal Services?)  What's are the industry best practice solution for this?

I haven't deployed or used Cisco VPN software in the past and this is a first one for me.  I'm looking for someone to educate me a little bit on what the possibilities are without spending much of anything and working with PIX 506E.  I guess most medium-sized and large businesses have it set up in a way that users who VPN are automatically connected to their workstations and/or other network resources.  I would imagine this would be controlled by Active Directory and/or a Terminal Services server?  Would users have to have roaming profiles in order to connect to their desktops?  Would this require a separate server for authentication?  

Let's keep in mind, the client only has one Linux box running a proprietary database application and a 2nd server which will act as the active directory domain controller, MS exchange server 2003 and a file server.  The 2nd server has some balls with 2 Xeon's & loads of RAM & HD capacity.

Please help clear my head a little bit.  I know I probably confused you in the process of asking these questions.  My apologies :)
0
Comment
Question by:taki1gostek
  • 2
  • 2
6 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17011659
You really need to deploy the active directory first.
Once you have deployed that, you can move on.

The VPN client lets you run anything that you can run over the LAN. So if you have configured the Windows firewall to block traffic on the LAN, then it will be blocked on the VPN as well. A machine on the VPN will appear to be on the network and will even appear in any browse lists.

Once you have deployed Active Directory, you can configure Internet Authentication Server on to the domain controller. Then configure a RADIUS client in that application and the PIX to use RADIUS. The client application can then be configured with the Group username and password, then the second prompt will be for domain credentials.

For accessing resources, you need to decide what is being used to access those resources.
I only deploy VPNs for company machines to access. I don't allow users to install and use their own machines to access the network. That means I don't need to worry about authentication - if they can access it inside, they can access it outside.

Simon.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17024047
Thanks for your advice Simon.  Guess I'll wait for the A.D. to be deployed before I can get the client to fully understand the VPN concept.  

One last question though, what would be the format of the file (or script) that has to be executed on the VPN client upon establishing a connection?

In other words, is there a batch file that will connect the user's home PC to network shares etc at the office?  The VPN client allows you to specify a program to run.  If I were to design a separate batch file for every user, would that be a good idea?  i.e. \\1.1.1.1\scripts\userscript.bat run with specific credentials upon establishing a VPN connection...
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 17024105
There is nothing that you can execute on the client with the Cisco VPN client. VPN makes the connection - it isn't a login.
I also wouldn't allow a user's home PC to connect to the network on a VPN. You have no way of knowing what is on the user's machine that could try and get in. There are many reports of companies being compromised via user home computers.  

If you are using domain members, then you can configure the VPN client to start before login. The client will then connect to the internet, login to the VPN, then login to the machine. The machine then operates as if it is on the LAN - as it actually logged in to the server and didn't use the cached credentials.

Simon.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17232965
Sorry, I wasn't in town and had no access to the net.  I will ask a similar question because I still need assistance on a separate post.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question