VPN Client w/Cisco PIX 506E & What (& how) it Can Do Stuff For My Client's Business
Posted on 2006-06-28
With the help of EE member LRMOORE (my Cisco god), I configured a new network with a Cisco 1841T-1 Router and Cisco PIX 506E Firewall. I am touching Cisco stuff for the first time in my life by the way and I'm loving the lessons I'm getting. Guess you have to start somewhere... EE's the place!
Anyhoo, we created a VPN group called VPN3000.
I had told the client that the PIX is VPN-ready but I can't really give him any specific information until I know what the best practices are and how the client's business can start benefiting from VPN connectivity to the office.
1. When I use the VPN client to connect to the network, I have to log in with the VPN group password. Once the connection is established, I am prompted for a second user name and password. I can't log in with the same VPN Group username and password. When I enter one of the username & password combinations with privilege level 15 that are stored on the PIX, I can then fully authenticate and get onto the network. What is the best practice in dealing with this? This is a small business with 20 employees. Should I create separate accounts and passwords for every employee or is there a way that all employees could use the same username and password? Again, industry best practice...
2. Once authenticated, what can users actually do on the network? Is there an easy alternative to WIndows XP's Remote Desktop Connection that they could use to work from their office PC? Until Active Directory is deployed, the workstations on the network are in a workgroup environment. This makes managing Windows Firewall almost impossible. I guess I need to provide the client with an easy sort-of 2-click way to get their desktop computer screen on their home computer & on the road. Is there proprietary Cisco software for remote desktop (that's free and can somehow run off of the PIX?)
3. If remote desktop is not a good idea, perhaps they could install their proprietary software on their home PC and access their proprietary database server "locally" via VPN? This brings me to a different question. How would I have to configure that on the PIX? What IOS commands should I issue? For example, let's say a Unix box called ABC has a public IP of 220.127.116.11 and a private IP of 18.104.22.168. VPN Group users are on a 22.214.171.124 subnet when they tunnel in. When a user authenticates into the network via VPN, how can I allow VPN users or the VPN pool of IP's to be able to access only specific ports on the private IP of the server ABC? Perhaps it would be easier to allow all VPN users or the VPN pool of IP's to have complete unrestricted access to all addresses and ports on the local 2.2.2.x subnet? I will need the IOS commands to run on the PIX to get this done.
4. I guess I just need a brief tutorial or a couple of useful links about the ways that a small business can use the Cisco VPN Client connectivity to its advantage. I can really think of nothing else other than RDP, perhaps TightVNC and/or access to some resources on the network? Hold on a second... another question!
5. This brings me to a different question and is something that the client will definitely want to do in the future because they're not running A.D. (yet). Is it possible for the Pix firewall to pass authentication onto an Active Directory server so that users could automatically connect to their resources, i.e. home folder, printer, perhaps even desktop (through Terminal Services?) What's are the industry best practice solution for this?
I haven't deployed or used Cisco VPN software in the past and this is a first one for me. I'm looking for someone to educate me a little bit on what the possibilities are without spending much of anything and working with PIX 506E. I guess most medium-sized and large businesses have it set up in a way that users who VPN are automatically connected to their workstations and/or other network resources. I would imagine this would be controlled by Active Directory and/or a Terminal Services server? Would users have to have roaming profiles in order to connect to their desktops? Would this require a separate server for authentication?
Let's keep in mind, the client only has one Linux box running a proprietary database application and a 2nd server which will act as the active directory domain controller, MS exchange server 2003 and a file server. The 2nd server has some balls with 2 Xeon's & loads of RAM & HD capacity.
Please help clear my head a little bit. I know I probably confused you in the process of asking these questions. My apologies :)