remote access VPN with 2 levels of firewall

Answered Question
Jul 24th, 2008

we have two different vendor firewalls, with the first level being a cisco firewall. The setup is:


ISP <--> (Router) <--> (Cisco Firewall) <--> (other vendor firewall) <--> Internal LAN


We need to give remote users (with VPN clients installed) access to some resources in the internal LAN.


My question is where I should configure my IPSec VPN, for best security practice, considering that my Router, Firewall-1 & Firewall-2 all support VPN features.


Also I want to allow the remote users (who get assigned a local IP from the internal IP pool) access only to specific resources (read servers) & specific ports.


So can I implement an access-list after the VPN is terminated & the users get their local pool IPs?


Thanks & Regards

MD

ggilbert Thu, 07/24/2008 - 11:34

MD,


What kind of Cisco Firewall do you have?


If it is an ASA, then terminate the VPN clients on the Cisco firewall. On the ASA you can implement the feature called vpn-filter, which restricts access for the users according to the group-policy they get assigned to.


Hope this answers your question. Let me know.


Thanks

Gilbert

moditsec12 Thu, 07/24/2008 - 22:23

Thanks Gilbert, for your suggestion.


We have the PIX firewall, behind which there is one more firewall, behind which is the server farm.


So let me know, whether it would be wise to load the PIX with additional responsibility, or we should have another VPN appliance to support remote access IPSec VPN.


Also I want to restrict the remote access VPN clients to only a few servers & specific ports. As such, where can we configure the access lists?


Thanks, Regards

MD

Correct Answer
ggilbert Fri, 07/25/2008 - 05:12

Hello MD,


What is the version of code you are running on your PIX? If you are running a 6.x version of code then you will not have the option to use the vpn-filter command for restriction of certain IP address access.


You ought to be running a 7.x version for that, where you can specify an ACL to restrict traffic.


Also, only some PIX firewalls can be upgraded to 7.x; please look into the link given below.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1


If you cannot upgrade the PIX to 7.x then you might have to use another VPN device.


Hope this answers your questions. Rate this post if it helped.


Cheers,

Gilbert
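The vpn-filter approach Gilbert describes in both replies (terminate the clients on the PIX/ASA, then restrict them per group-policy with an ACL), shown as an added configuration example that is not from the thread. It uses ASA/PIX 7.x syntax and assumes a hypothetical client pool 10.99.0.0/24, two internal servers 192.168.10.10 and 192.168.10.20, and the names REMOTE_POOL, VPN_CLIENT_FILTER, REMOTE_USERS and REMOTE_VPN; the IKE/IPsec crypto settings are left out.

```cisco
! Added example, not the poster's configuration. Addresses and names are placeholders.
! Pool handed to remote-access clients (the "local pool IPs" MD refers to)
ip local pool REMOTE_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! vpn-filter ACL: source = VPN client pool, destination = internal resource + port.
! The ASA matches client traffic against this ACL and the return traffic against
! the mirrored entry, so only these flows pass. The explicit deny at the end
! makes dropped attempts visible in "show access-list" hit counts and in syslog.
access-list VPN_CLIENT_FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.10 eq 443
access-list VPN_CLIENT_FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.20 eq 3389
access-list VPN_CLIENT_FILTER extended deny ip any any
!
! Group-policy that carries the filter; every client placed in this policy gets it
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 vpn-filter value VPN_CLIENT_FILTER
!
! Remote-access tunnel-group (7.x keyword is ipsec-ra; 8.x uses remote-access)
tunnel-group REMOTE_VPN type ipsec-ra
tunnel-group REMOTE_VPN general-attributes
 address-pool REMOTE_POOL
 default-group-policy REMOTE_USERS
!
! Caveat: with the default "sysopt connection permit-vpn", decrypted VPN traffic
! bypasses the interface ACLs, so the vpn-filter is the control point for these
! clients. Verify with:
!   show access-list VPN_CLIENT_FILTER
!   show vpn-sessiondb remote
```

The second firewall behind the PIX still sees the client pool addresses as ordinary sources, so it can carry a matching rule set for the same servers and ports as a second layer.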
