Solved

VPN Client w/Cisco PIX 506E & What (& how) it Can Do Stuff For My Client's Business

Posted on 2006-06-28
373 Views
Last Modified: 2011-08-18
Hello,

With the help of EE member LRMOORE (my Cisco god), I configured a new network with a Cisco 1841T-1 Router and  Cisco PIX 506E Firewall.  I am touching Cisco stuff for the first time in my life by the way and I'm loving the lessons I'm getting.  Guess you have to start somewhere...  EE's the place!  

Anyhoo, we created a VPN group called VPN3000.  

I had told the client that the PIX is VPN-ready but I can't really give him any specific information until I know what the best practices are and how the client's business can start benefiting from VPN connectivity to the office.

First question:
1. When I use the VPN client to connect to the network, I have to log in with the VPN group password.  Once the connection is established, I am prompted for a second user name and password.  I can't log in with the same VPN Group username and password.  When I enter one of the username & password combinations with privilege level 15 that are stored on the PIX, I can then fully authenticate and get onto the network.  What is the best practice in dealing with this?  This is a small business with 20 employees.  Should I create separate accounts and passwords for every employee or is there a way that all employees could use the same username and password?  Again, industry best practice...
2. Once authenticated, what can users actually do on the network?  Is there an easy alternative to Windows XP's Remote Desktop Connection that they could use to work from their office PC?  Until Active Directory is deployed, the workstations on the network are in a workgroup environment.  This makes managing Windows Firewall almost impossible.  I guess I need to provide the client with an easy sort-of 2-click way to get their desktop computer screen on their home computer & on the road.  Is there proprietary Cisco software for remote desktop (that's free and can somehow run off of the PIX?)
3.  If remote desktop is not a good idea, perhaps they could install their proprietary software on their home PC and access their proprietary database server "locally" via VPN?  This brings me to a different question.  How would I have to configure that on the PIX?  What IOS commands should I issue?  For example, let's say a Unix box called ABC has a public IP of 1.1.1.1 and a private IP of 2.2.2.2.  VPN Group users are on a 3.3.3.3 subnet when they tunnel in.  When a user authenticates into the network via VPN, how can I allow VPN users or the VPN pool of IP's to be able to access only specific ports on the private IP of the server ABC?  Perhaps it would be easier to allow all VPN users or the VPN pool of IP's to have complete unrestricted access to all addresses and ports on the local 2.2.2.x subnet?  I will need the IOS commands to run on the PIX to get this done.  
4.  I guess I just need a brief tutorial or a couple of useful links about the ways that a small business can use the Cisco VPN Client connectivity to its advantage.  I can really think of nothing else other than RDP, perhaps TightVNC and/or access to some resources on the network?  Hold on a second...  another question!
5.  This brings me to a different question and is something that the client will definitely want to do in the future because they're not running A.D. (yet).  Is it possible for the PIX firewall to pass authentication on to an Active Directory server so that users could automatically connect to their resources, i.e. home folder, printer, perhaps even desktop (through Terminal Services?)  What is the industry best practice solution for this?

I haven't deployed or used Cisco VPN software in the past and this is a first one for me.  I'm looking for someone to educate me a little bit on what the possibilities are without spending much of anything and working with PIX 506E.  I guess most medium-sized and large businesses have it set up in a way that users who VPN are automatically connected to their workstations and/or other network resources.  I would imagine this would be controlled by Active Directory and/or a Terminal Services server?  Would users have to have roaming profiles in order to connect to their desktops?  Would this require a separate server for authentication?  

Let's keep in mind, the client only has one Linux box running a proprietary database application and a 2nd server which will act as the Active Directory domain controller, MS Exchange Server 2003 and a file server.  The 2nd server has some balls with 2 Xeons & loads of RAM & HD capacity.

Please help clear my head a little bit.  I know I probably confused you in the process of asking these questions.  My apologies :)
Question by: taki1gostek

6 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17011659
You really need to deploy the active directory first.
Once you have deployed that, you can move on.

The VPN client lets you run anything that you can run over the LAN. So if you have configured the Windows firewall to block traffic on the LAN, then it will be blocked on the VPN as well. A machine on the VPN will appear to be on the network and will even appear in any browse lists.

Once you have deployed Active Directory, you can configure Internet Authentication Server onto the domain controller. Then configure a RADIUS client in that application and the PIX to use RADIUS. The client application can then be configured with the Group username and password, then the second prompt will be for domain credentials.

For accessing resources, you need to decide what is being used to access those resources.
I only deploy VPNs for company machines to access. I don't allow users to install and use their own machines to access the network. That means I don't need to worry about authentication - if they can access it inside, they can access it outside.

Simon.
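The following PIX 6.x configuration fragment is an added example, not part of the thread and not the configuration LRMOORE built for the asker. It illustrates two things raised above: question 3 (limiting the VPN3000 pool to specific ports on server ABC rather than giving it the whole 2.2.2.x subnet) and Simon's suggestion of RADIUS against IAS for the second, per-user prompt. It keeps the question's placeholder addresses (LAN 2.2.2.0/24, pool 3.3.3.0/24, ABC at 2.2.2.2) and assumes the rest: the database listens on TCP 5432, the future domain controller running IAS is 2.2.2.10, the interface is named "outside", the existing crypto map is called "outside_map", and the ISAKMP/IPsec phase settings already in place are not repeated.

```cisco
! Added example for a PIX 506E running 6.x; addresses and names are assumptions.
! Pool handed out to VPN3000 clients
ip local pool vpnpool 3.3.3.1-3.3.3.50
vpngroup VPN3000 address-pool vpnpool
vpngroup VPN3000 dns-server 2.2.2.10
vpngroup VPN3000 default-domain example.local
vpngroup VPN3000 split-tunnel split_acl
vpngroup VPN3000 idle-time 1800
vpngroup VPN3000 password ********

! Split tunnel: only office LAN traffic enters the tunnel
access-list split_acl permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0

! Do not NAT between the LAN and the pool
access-list nonat permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! Second prompt authenticated per user against IAS (RADIUS) on the DC
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 2.2.2.10 SharedSecretHere timeout 5
crypto map outside_map client authentication RADIUS

! Weak setting (commented out): lets every decrypted VPN packet bypass the
! outside ACL, so the whole pool reaches every host and port on 2.2.2.x
! sysopt connection permit-ipsec
! Corrected: remove it so the outside interface ACL is enforced on tunnel traffic
no sysopt connection permit-ipsec

! Pool may reach only the database port on ABC and DNS on the DC
access-list outside_in permit tcp 3.3.3.0 255.255.255.0 host 2.2.2.2 eq 5432
access-list outside_in permit udp 3.3.3.0 255.255.255.0 host 2.2.2.10 eq 53
access-list outside_in deny ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0 log
access-group outside_in in interface outside
```

Two caveats when applying something like this. Once `sysopt connection permit-ipsec` is gone, the `outside_in` list also governs whatever the office already publishes to the Internet, so any existing permit lines must be kept ahead of the deny above. And the shared group password only protects the group-level tunnel negotiation; the RADIUS user prompt is what ties a session to a person, which is why a single shared second-stage account for all 20 employees is a poor fit.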
 
LVL 2

Author Comment

by:taki1gostek
ID: 17024047
Thanks for your advice Simon.  Guess I'll wait for the A.D. to be deployed before I can get the client to fully understand the VPN concept.  

One last question though, what would be the format of the file (or script) that has to be executed on the VPN client upon establishing a connection?

In other words, is there a batch file that will connect the user's home PC to network shares etc at the office?  The VPN client allows you to specify a program to run.  If I were to design a separate batch file for every user, would that be a good idea?  i.e. \\1.1.1.1\scripts\userscript.bat run with specific credentials upon establishing a VPN connection...
 
LVL 104

Accepted Solution

by: Sembee (earned 500 total points)
ID: 17024105
There is nothing that you can execute on the client with the Cisco VPN client. VPN makes the connection - it isn't a login.
I also wouldn't allow a user's home PC to connect to the network on a VPN. You have no way of knowing what is on the user's machine that could try and get in. There are many reports of companies being compromised via user home computers.  

If you are using domain members, then you can configure the VPN client to start before login. The client will then connect to the internet, login to the VPN, then login to the machine. The machine then operates as if it is on the LAN - as it actually logged in to the server and didn't use the cached credentials.

Simon.
 
LVL 2

Author Comment

by:taki1gostek
ID: 17232965
Sorry, I wasn't in town and had no access to the net.  I will ask a similar question because I still need assistance on a separate post.
