Home office with PIX 501, filter which computer can pass through the VPN

janjen
Level 1

Hi, we have sold a solution with a PIX 515E in the office and PIX 501 (less hassle than software VPN) in the home offices. We do see that the VPN connection is up all the time. Then there is a security problem if the son or daughter connects their own machine to the PIX 501 for Internet surfing. Is it possible to filter out which computers can access the VPN tunnel?

8 Replies

Yes, you could restrict access to a single computer by changing the ACL that controls the tunnel traffic to only allow a specific host.

You would of course need a static inside address for this computer, rather than using the DHCP-pool.

Thanks for your reply, can we do this then:

deny 192.168.1.0/24 ip to 10.10.10.0/24 (worknetwork)

permit 192.168.1.80/32 ip to 10.10.10.0/24

will the last rule be stronger than the first one that denies everyone?

Your permit statement will need to be placed before the deny statement, otherwise .1.80 will be denied with the other machines.

Correct, although only the permit statement is needed, as we have - as always - an implicit deny.

Just "access-list xxx permit ip host x.x.x.x y.y.y.y z.z.z.z" will do.

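To make the ordering answer concrete, here is an added example (not from the thread or from Cisco) that parses PIX-style "access-list NAME permit|deny ip SRC DST" lines and evaluates them the way the PIX does: first match wins, and anything unmatched hits the implicit deny. It assumes the thread's addresses: home LAN 192.168.1.0/24, work LAN 10.10.10.0/24, and 192.168.1.80 as the one permitted PC.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'host A', 'any', or 'A MASK'.
    Returns (network, index of the next token)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # 'A MASK' form; strict=False so 'A' may carry host bits (as in a mistyped mask)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Turn 'access-list NAME permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        rules.append((t[2], src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; returns (action, 1-based rule number).
    No match means the implicit deny, reported as ('deny', None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, src, dst) in enumerate(rules, 1):
        if s in src and d in dst:
            return action, n
    return "deny", None


# Constructed from the thread: the deny-then-permit order as first proposed ...
PROPOSED = [
    "access-list vpn deny ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
    "access-list vpn permit ip host 192.168.1.80 10.10.10.0 255.255.255.0",
]
# ... and the single permit the replies recommend; the implicit deny covers everyone else.
PERMIT_ONLY = [PROPOSED[1]]

if __name__ == "__main__":
    for name, acl in (("proposed", PROPOSED), ("permit-only", PERMIT_ONLY)):
        rules = parse_acl(acl)
        for host in ("192.168.1.80", "192.168.1.99"):
            print(name, host, "->", evaluate(rules, host, "10.10.10.5"))
```

Run as written, the proposed order denies 192.168.1.80 at rule 1 before its permit is ever reached, while the permit-only list passes .80 and drops every other home machine on the implicit deny.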
Thanks for your replies, they are very helpful. Do you know if it's possible to let the PIX DHCP server reserve an IP address for a specific MAC address? If users are using laptops that they bring from work to home it is very unhandy to change from DHCP to a fixed IP address.

No, I don't think that is possible - like on a Windows DHCP-server.

What you could do is install software on the laptop that makes moving between networks less of a hassle. There are many available; IP Changer, IP Switcher, MultiNetwork Manager - to name a few.

IBM laptops come with such a tool called IBM Access Connections.

jreimer
Level 1

I am in the process of setting up a VPN exactly like this. The software VPN client is working well right now to our VPN 3005 concentrator, but I am installing IP phones out in the field. The HW solution is the only way to go then.

I was concerned about the "family" access to the VPN, but it looks like the access-list will work.

My question to you is, did you set up different VPN keys for each remote? I am wondering if it would be easier for me to use the VPN 3005 instead of the PIX... The PIX is more powerful, but I only have 30 remotes.

Thanks.

shawn1315
Level 1

If this VPN tunnel is up all the time, couldn't you just assign a static IP address to the computer which is supposed to access the tunnel and restrict the NAT 0 statement to that IP address only instead of the whole remote network, and do a mirror image on the corporate-side FW to allow traffic for that one computer to return?

Home network side PIX

access-list inside_outbound_nat0_acl permit ip host 172.16.1.5 192.168.1.0 255.255.255.0

Corporate side PIX

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 172.16.1.5

Just curious.
