taki1gostek

asked on

VPN Client w/Cisco PIX 506E & What (& how) it Can Do Stuff For My Client's Business

Hello,

With the help of EE member LRMOORE (my Cisco god), I configured a new network with a Cisco 1841T-1 Router and Cisco PIX 506E Firewall.  I am touching Cisco stuff for the first time in my life by the way and I'm loving the lessons I'm getting.  Guess you have to start somewhere...  EE's the place!

Anyhoo, we created a VPN group called VPN3000.  

I had told the client that the PIX is VPN-ready but I can't really give him any specific information until I know what the best practices are and how the client's business can start benefiting from VPN connectivity to the office.

First question:
1. When I use the VPN client to connect to the network, I have to log in with the VPN group password.  Once the connection is established, I am prompted for a second user name and password.  I can't log in with the same VPN Group username and password.  When I enter one of the username & password combinations with privilege level 15 that are stored on the PIX, I can then fully authenticate and get onto the network.  What is the best practice in dealing with this?  This is a small business with 20 employees.  Should I create separate accounts and passwords for every employee or is there a way that all employees could use the same username and password?  Again, industry best practice...
2. Once authenticated, what can users actually do on the network?  Is there an easy alternative to Windows XP's Remote Desktop Connection that they could use to work from their office PC?  Until Active Directory is deployed, the workstations on the network are in a workgroup environment.  This makes managing Windows Firewall almost impossible.  I guess I need to provide the client with an easy sort-of 2-click way to get their desktop computer screen on their home computer & on the road.  Is there proprietary Cisco software for remote desktop (that's free and can somehow run off of the PIX?)
3.  If remote desktop is not a good idea, perhaps they could install their proprietary software on their home PC and access their proprietary database server "locally" via VPN?  This brings me to a different question.  How would I have to configure that on the PIX?  What IOS commands should I issue?  For example, let's say a Unix box called ABC has a public IP of 1.1.1.1 and a private IP of 2.2.2.2.  VPN Group users are on a 3.3.3.3 subnet when they tunnel in.  When a user authenticates into the network via VPN, how can I allow VPN users or the VPN pool of IP's to be able to access only specific ports on the private IP of the server ABC?  Perhaps it would be easier to allow all VPN users or the VPN pool of IP's to have complete unrestricted access to all addresses and ports on the local 2.2.2.x subnet?  I will need the IOS commands to run on the PIX to get this done.  
4.  I guess I just need a brief tutorial or a couple of useful links about the ways that a small business can use the Cisco VPN Client connectivity to its advantage.  I can really think of nothing else other than RDP, perhaps TightVNC and/or access to some resources on the network?  Hold on a second...  another question!
5.  This brings me to a different question and is something that the client will definitely want to do in the future because they're not running A.D. (yet).  Is it possible for the Pix firewall to pass authentication onto an Active Directory server so that users could automatically connect to their resources, i.e. home folder, printer, perhaps even desktop (through Terminal Services?)  What are the industry best practice solutions for this?

I haven't deployed or used Cisco VPN software in the past and this is a first one for me.  I'm looking for someone to educate me a little bit on what the possibilities are without spending much of anything and working with PIX 506E.  I guess most medium-sized and large businesses have it set up in a way that users who VPN are automatically connected to their workstations and/or other network resources.  I would imagine this would be controlled by Active Directory and/or a Terminal Services server?  Would users have to have roaming profiles in order to connect to their desktops?  Would this require a separate server for authentication?  

Let's keep in mind, the client only has one Linux box running a proprietary database application and a 2nd server which will act as the active directory domain controller, MS exchange server 2003 and a file server.  The 2nd server has some balls with 2 Xeon's & loads of RAM & HD capacity.

Please help clear my head a little bit.  I know I probably confused you in the process of asking these questions.  My apologies :)
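For question 3, the following is an added example of the PIX side of the access restriction, not something from this thread or from Cisco's documentation. It assumes PIX 6.3 command syntax, that the VPN3000 group already exists, and it reuses the post's own placeholder addresses (server ABC at 2.2.2.2 on the 2.2.2.0/24 LAN, VPN clients drawn from 3.3.3.0/24); the ACL and pool names and the example port (TCP/22) are assumptions to replace with the real application ports:

```cisco
: Added example, not from this thread. PIX 6.3 syntax; addresses are the post's placeholders.
: Pool handed to VPN3000 clients (the post's "3.3.3.3 subnet")
ip local pool vpnpool 3.3.3.1-3.3.3.50
vpngroup VPN3000 address-pool vpnpool

: Do not NAT traffic between the inside LAN and the VPN pool
access-list nonat permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list nonat

: By default decrypted IPsec traffic bypasses the interface ACLs entirely.
: Turn that off so the outside ACL is also applied to VPN users.
no sysopt connection permit-ipsec

: Option A (least privilege): only the ports ABC actually serves, from the pool only.
: TCP/22 is an assumed example; add one line per real application port.
access-list outside_in permit tcp 3.3.3.0 255.255.255.0 host 2.2.2.2 eq 22

: Option B, what the post calls "complete unrestricted access" to 2.2.2.x:
: access-list outside_in permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0

access-group outside_in in interface outside
```

Two caveats: once `sysopt connection permit-ipsec` is removed, any inbound rule the outside interface already needed (port forwards, the other site's tunnel) has to live in the same list, because applying a new `access-group` to an interface replaces the previous one. After a test connection, `show access-list` shows a hit count per line, which is the quickest way to confirm that VPN traffic is matching the intended entry rather than being dropped.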
Sembee

You really need to deploy the active directory first.
Once you have deployed that, you can move on.

The VPN client lets you run anything that you can run over the LAN. So if you have configured the Windows firewall to block traffic on the LAN, then it will be blocked on the VPN as well. A machine on the VPN will appear to be on the network and will even appear in any browse lists.

Once you have deployed Active Directory, you can configure Internet Authentication Server onto the domain controller. Then configure a RADIUS client in that application and the PIX to use RADIUS. The client application can then be configured with the Group username and password, then the second prompt will be for domain credentials.

For accessing resources, you need to decide what is being used to access those resources.
I only deploy VPNs for company machines to access. I don't allow users to install and use their own machines to access the network. That means I don't need to worry about authentication - if they can access it inside, they can access it outside.

Simon.
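The RADIUS arrangement Simon describes, as an added configuration example (not from this thread or from Cisco's documentation), in PIX 6.3 syntax. The crypto map name `outside_map`, the IAS/domain controller address 2.2.2.10 and the shared secret are assumptions; the VPN3000 group and its group password are left as already configured:

```cisco
: Added example, not from this thread. PIX 6.3 syntax; host address and secret are placeholders.
: Define a RADIUS server group pointing at IAS on the domain controller
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 2.2.2.10 CHANGE_ME_SHARED_SECRET timeout 10

: Send the second prompt (Xauth) to RADIUS instead of the PIX's local user database,
: so users log in with domain credentials and the privilege-15 admin accounts stay admin-only
crypto map outside_map client authentication RADIUS
```

On the IAS side the PIX's inside address is added as a RADIUS client with the same shared secret, and a remote access policy grants access to a domain group (for example a dedicated VPN users group) rather than to every account. That keeps the VPN group password as a shared, low-value secret and puts per-user accountability and revocation where Active Directory already handles it: disabling the domain account ends VPN access at the next connection.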
taki1gostek

ASKER

Thanks for your advice Simon.  Guess I'll wait for the A.D. to be deployed before I can get the client to fully understand the VPN concept.  

One last question though, what would be the format of the file (or script) that has to be executed on the VPN client upon establishing a connection?

In other words, is there a batch file that will connect the user's home PC to network shares etc at the office?  The VPN client allows you to specify a program to run.  If I were to design a separate batch file for every user, would that be a good idea?  i.e. \\1.1.1.1\scripts\userscript.bat run with specific credentials upon establishing a VPN connection...
ASKER CERTIFIED SOLUTION
Sembee

This solution is only available to members.
Sorry, I wasn't in town and had no access to the net.  I will ask a similar question because I still need assistance on a separate post.