Jouni Forss Wed, 08/08/2007 - 18:11

Doing a final work on a small network model which has a PIX 515 7.1(2)


I have configured 2 different VPN remote access groups into the PIX and from what I remember the PIX lets through the traffic initiated from the VPN client side.


I tested a remote desktop program and it worked fine without doing any additional configuration on the PIX. So it would seem it lets through all traffic by default IF I'm not totally wrong. Is the VPN remote client perhaps considered a client from the trusted side of the network and that's why it isn't blocked by the PIX?


My inside ACLs didn't permit the RD traffic but it still got through from the inside to the VPN client, so I'm guessing it would be in this case considered "return traffic" for which the PIX keeps a connection/port open?

homeboarder8 Thu, 08/09/2007 - 05:16

Yeah I'm still a little confused... Right now I'm using Windows VPN to open up a PPTP connection from a remote computer to the server. This forces me to open up port 1723 on the PIX. Now is there any more secure way to go about doing this rather than opening up this port? Perhaps VPN to the PIX first and then VPN to the server???


Thanks!

Jouni Forss Thu, 08/09/2007 - 19:58

Guess the main difference in the way I did the VPN connection was that I used the PIX to terminate the VPN tunnel and I also used Cisco's own VPN client software. (Had some problems with the Windows own.)


I never had to open a port separately for the VPN connection.


In my final work basically the only ports/connections that are allowed into the network are traffic to DMZ areas where FTP/HTTP servers reside. And then of course the VPN groups that require authentication to even use. Both VPN groups have their own ACL also.


I'm guessing that if it's a big network with a risk that the traffic would be inspected or something then you could use a secure connection even past the border of the network. I'm not really the best person to advise on these things though. Pretty new to VPN etc. still.
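An added configuration example (not from either poster) showing why the remote desktop traffic passed without an ACL entry on a PIX 7.x, and the per-group filter that keeps that behaviour under control. The `sysopt connection permit-vpn` default is a PIX/ASA 7.x fact; the group, policy, ACL names and addresses are assumed for illustration.

```cisco
! Default on PIX 7.x (present even if not shown in the running config):
! decrypted remote-access VPN traffic bypasses the interface access-lists.
! This is why the RDP session above worked with no ACL change.
sysopt connection permit-vpn
!
! Per-group restriction: a vpn-filter ACL is written from the VPN client's
! point of view (source = assigned client address, destination = inside host)
! and is enforced in both directions. Names and addresses are assumed.
access-list VPN_ADMIN_FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.5 eq 3389
access-list VPN_ADMIN_FILTER extended deny ip any any
!
group-policy ADMIN_POLICY internal
group-policy ADMIN_POLICY attributes
 vpn-filter value VPN_ADMIN_FILTER
!
tunnel-group ADMIN_GROUP type ipsec-ra
tunnel-group ADMIN_GROUP general-attributes
 default-group-policy ADMIN_POLICY
!
! Alternative: remove the bypass so VPN traffic is subject to the outside
! interface ACL like any other inbound traffic (the ACL must then permit it).
no sysopt connection permit-vpn
```

With the filter in place, `show access-list VPN_ADMIN_FILTER` shows hit counts, which is a quick way to confirm that a VPN group is really limited to what its ACL allows.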
