Best Practice for VPN access

New to VPN.

I need to set up VPN access to my network, allowing a 3rd party to VPN in & maintain / configure a new system that is being developed. They would prefer to use the MS VPN client as opposed to the Cisco client.

I have a 2651, PIX 515 with a 3des licence, dmz interface, & Cisco Secure ACS 3 for windows software. I also intend to give users (16) OWA access to exchange & file lan access to VPN clients, but am apprehensive of just using MS Client. Is it secure? Can both be implemented? What is the best way to control LAN access to vpn clients?

All thoughts / suggestions appreciated.


Re: Best Practice for VPN access

This is a good starting point for deciding how to set up your VPN network:

Re: Best Practice for VPN access

The numerous known insecurities of the MS security implementations are well documented - as should be your remote access and business partner security policies. The bottom line is that if you want truly secure comm links, use IPSec with either 3DES or AES. If your partner grumbles, ask them why they would want to use products that are known to have more holes than Swiss cheese.

Best of luck.


Re: Best Practice for VPN access

You definitely want to use IPSec and the Cisco client. In addition to the numerous PPTP (MS) issues known, using the Cisco client will functionally provide better security. Pushing out split-tunneling and firewall policies to the VPN client, you can protect your network from the end host in addition to protecting the end host while he is connected to you.

1. Enable split tunneling. It will tell the clients what should be sent over the tunnel and what shouldn't. Only include in the split tunnel lists what you want clients to connect to.

2. Create filters on the VPN concentrator for the VPN group that only allow access to what you would like. Create the rules/filters under "Policy Management" and then apply them to the group on the "General" tab using the "Filters" drop-down box.

I recommend using both. This means all internal networks should be defined in the split-tunnel and go across the VPN session. Use the filters to deny what you don't want at the concentrator. This will prevent your VPN clients from sending traffic meant for the internal network out to the Internet instead. You don't want any traffic meant for internal networks inadvertently going out to the Internet in clear-text.

For best security, send firewall policies out to the VPN client that don't allow the client to talk to anything except your network. This will ensure that they are only connected when they want to accomplish something on your network, and also ensures that a compromised host is not used remotely as a backdoor to your network.
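The two controls in the answer above (a split-tunnel list that decides what goes through the tunnel, plus a filter that decides what the headend lets through to the LAN) can be expressed on the asker's PIX 515 instead of a VPN 3000 concentrator. The fragment below is an added illustration, not configuration from this thread or from Cisco: it uses PIX 6.x syntax, and every value in it is assumed (inside LAN 10.1.1.0/24, client pool 10.1.2.0/24, the new system at 10.1.1.20, group name `partner`, ACS server at 10.1.1.10). Lines starting with `!` are annotations, and the secrets are placeholders.

```cisco
! Address pool handed to VPN clients (assumed range)
ip local pool vpnpool 10.1.2.1-10.1.2.254

! Step 1: split tunnel. Only the inside LAN is listed, so clients send
! only traffic for 10.1.1.0/24 through the tunnel; the same list also
! exempts client traffic from NAT on the inside interface.
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list split_tunnel

! Step 2: restrict what clients may reach on the LAN. Deliberately NOT
! using "sysopt connection permit-ipsec", so decrypted client traffic is
! checked against the outside interface ACL like any other inbound traffic.
! Only the maintenance ports on the new system are permitted; everything
! else from the client pool is denied. Any existing inbound rules (e.g.
! for OWA) must live in this same list.
access-list outside_in permit tcp 10.1.2.0 255.255.255.0 host 10.1.1.20 eq 3389
access-list outside_in permit tcp 10.1.2.0 255.255.255.0 host 10.1.1.20 eq 22
access-list outside_in deny ip 10.1.2.0 255.255.255.0 any
access-group outside_in in interface outside

! Per-user extended authentication against the ACS box (assumed host/key)
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (inside) host 10.1.1.10 <shared-secret> timeout 5

! IKE and IPsec with 3DES/SHA, as the replies recommend over PPTP
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication partnerauth
crypto map clientmap interface outside

! Group the third party connects with; split-tunnel points at the list above
vpngroup partner address-pool vpnpool
vpngroup partner split-tunnel split_tunnel
vpngroup partner idle-time 1800
vpngroup partner password <group-key>
```

The split-tunnel list and the outside ACL do different jobs: the first keeps traffic for internal addresses from ever leaving the client in clear-text, the second keeps a client (or a compromised client host) from reaching anything on the LAN beyond the two listed services even though the tunnel is up. Check the result with `show crypto ipsec sa` for the tunnel and `show access-list outside_in` for hit counts on the permit and deny lines. The client-side firewall policy push mentioned in the last paragraph of the answer is a concentrator/client feature and is not shown here.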