remote access VPN with 2 levels of firewall

moditsec12
Level 1

We have two firewalls from different vendors, with the first level being a Cisco firewall. The setup is:

ISP <--> (Router) <--> (Cisco Firewall) <--> (other vendor firewall) <--> Internal LAN

We need to give remote users (with VPN clients installed) access to some resources in the internal LAN.

My question is: where should I configure my IPSec VPN for best security practice, considering that my Router, Firewall-1 and Firewall-2 all support VPN features?

Also, I want to restrict the remote users (who get assigned a local IP from the internal IP pool) to specific resources (read: servers) and specific ports.

So can I implement an access-list after the VPN is terminated and the users get their local pool IPs?

Thanks & Regards

MD


3 Replies

ggilbert
Cisco Employee

MD,

What kind of Cisco Firewall do you have?

If it is an ASA, then terminate the VPN Clients on the Cisco Firewall. On the ASA you can implement the feature called vpn-filter, which restricts access for the users according to the group-policy they get assigned to.

Hope this answers your question. Let me know.

Thanks

Gilbert

Thanks Gilbert, for your suggestion.

We have the PIX firewall, behind which there is one more firewall, behind which is the server farm.

So let me know, whether it would be wise to load the PIX with additional responsibility, or we should have another VPN appliance to support remote access IPSec VPN.

Also, I want to restrict the remote access VPN clients to only a few servers and specific ports. As such, where can we configure the access lists?

Thanks, Regards

MD

Hello MD,

What is the version of code you are running on your PIX? If you are running 6.x version of code then you will not have the option to use vpn-filter command for restriction of certain IP address access.

You ought to be running a 7.x version for that, where you can specify an ACL to restrict traffic.

Also, only some PIX firewalls can be upgraded to 7.x version, please look into the link given below

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1

If you cannot upgrade the PIX to 7.x version then you might have to use another VPN device.

Hope this answers your questions. Rate this post if it helped.

Cheers,

Gilbert
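To make the advice in Gilbert's two replies concrete, here is an added configuration example (not taken from the thread, and not an official Cisco sample) showing a PIX/ASA 7.x remote-access IPsec setup that terminates the VPN clients on the Cisco firewall and uses vpn-filter on the group-policy to confine them to two servers and specific ports. Every name (RA_POOL, VPN_FILTER, RA_POLICY, RA_GROUP, RA_SET, RA_DYN, OUTSIDE_MAP), every address and the pre-shared-key placeholder are assumptions constructed for illustration; substitute your own.

```cisco
! Added example, not the thread's own configuration. Assumed addressing:
!   10.200.0.0/24   pool handed to VPN clients
!   192.168.50.10   file server, reachable on TCP/445 only
!   192.168.50.20   web server, reachable on TCP/443 only
!
! Pool the clients draw their "local" address from once the tunnel is up.
ip local pool RA_POOL 10.200.0.1-10.200.0.100 mask 255.255.255.0
!
! Filter ACL. vpn-filter entries are written with the VPN client as the
! source and the inside resource as the destination; the firewall applies
! the same ACL to return traffic with source and destination swapped, so
! one line per allowed service is enough. Anything not listed is dropped
! by the implicit deny at the end of the ACL.
access-list VPN_FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 192.168.50.10 eq 445
access-list VPN_FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 192.168.50.20 eq 443
! Optional: allow ping to the two servers for troubleshooting only.
access-list VPN_FILTER extended permit icmp 10.200.0.0 255.255.255.0 host 192.168.50.10 echo
access-list VPN_FILTER extended permit icmp 10.200.0.0 255.255.255.0 host 192.168.50.20 echo
!
! Group policy carrying the filter. Every user who lands in this policy
! gets the restriction, whichever tunnel-group they connected through.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-filter value VPN_FILTER
 vpn-tunnel-protocol ipsec
 vpn-idle-timeout 30
!
! Remote-access tunnel group. The 7.x keyword is ipsec-ra; 8.x and later
! use "remote-access". The pre-shared key is a placeholder.
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <REPLACE_WITH_GROUP_KEY>
!
! IKE phase 1 and IPsec phase 2 settings on the outside interface.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set RA_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_SET
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
```

Two points worth checking in a two-firewall layout like MD's. First, the vpn-filter is the right place for this restriction on the Cisco box because, by default, decrypted VPN traffic bypasses the outside interface ACL (sysopt connection permit-vpn), so an interface ACL alone would not limit the clients; `show access-list VPN_FILTER` shows hit counts and confirms the entries are being matched. Second, the pool addresses still have to cross the second-vendor firewall to reach the server farm, so the same server-and-port rules can be repeated there for the pool subnet as a second, independent layer rather than trusting the PIX filter alone.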