We are replacing our current Guardian firewalls with Cisco Pix firewalls and I am having a hard time coming up with a strategy that works for us.
What we do currently is define access by machine name. This way, a PC can be allocated a dynamic address yet still get the proper access. If necessary, this would be my fallback method of working.
We would like to move to a system where access to the internet is controlled according to the username as logged into Active Directory. The admins can get lots of access regardless of which terminal they are on but the data monkeys can be more controlled.
I have looked at IAS for a solution but it is very much geared to providing access to the network by remote users - we need to do it the other way round.
We also need to control access on numerous protocols, I am not just talking web access. I might want to let some people watch streamed cricket or play halflife but not everybody.
Inbound access is only going to be to specific machines with static addresses and is not too complicated. It would be nice to have "groups" of access rather than specify individual protocols for each user or machine but that may not be possible.
Any help, pointers, books will be great as I am swimming out of my depth on this one.
Re: PIX 515-R and Microsoft IAS (but not necessarily)
Looks like you need to do RADIUS authentication from the PIX for the outbound connections. You can pick whatever RADIUS server you like although CiscoSecure ACS NT and Microsoft IAS work well. Either will allow you to leverage your existing NT user base. You will have the flexibility to group your users and even provide access restrictions by applying per-user ACLs from the RADIUS server.
Look at the Security Tech Tips on CCO for more information on configuring the PIX for this authentication.
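As an added illustration of the approach described in the reply above (this is not configuration from the original thread or from Cisco's own documentation), the following sketches a PIX 6.x-style cut-through proxy setup: outbound connections from the inside network are authenticated against a RADIUS server, group ACLs are kept on the PIX, and the RADIUS server returns the name of the ACL to apply to each user. The server address, shared secret, ACL names and the sample user entry are all placeholders, and the exact `aaa authentication` syntax and the `acl=` attribute form are assumed from the 6.x command set and should be checked against the command reference for the PIX OS version actually in use.

```cisco
! Added example, not from the post: PIX cut-through proxy with per-user ACLs
! selected by the RADIUS server. Addresses, secret and ACL names are placeholders.

! RADIUS server group (IAS or ACS reachable on the inside interface)
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 SharedSecretHere timeout 10

! Require authentication for any outbound connection arriving on "inside"
! (0 0 0 0 = any local host, any foreign host)
aaa authentication include any inside 0 0 0 0 RADIUS

! Group ACLs held on the PIX; the user's Access-Accept names the one to apply.
! Admins: unrestricted outbound access
access-list ADMINS permit ip any any
! General staff: web and DNS only
access-list STAFF permit tcp any any eq 80
access-list STAFF permit tcp any any eq 443
access-list STAFF permit udp any any eq 53

! RADIUS side, shown here as a FreeRADIUS-style "users" entry (IAS would return
! the same Cisco vendor-specific attribute from its remote access policy).
! The per-user ACL name travels in Cisco-AVPair as acl=<name> (assumed form).
!   jsmith  Cleartext-Password := "placeholder"
!           Cisco-AVPair = "acl=STAFF"
!   admin1  Cleartext-Password := "placeholder"
!           Cisco-AVPair = "acl=ADMINS"
```

One practical point when applying this to non-web traffic such as the streaming or game protocols mentioned in the question: the PIX can only prompt for a username and password on Telnet, FTP and HTTP connections, so a user who wants to start some other protocol first has to authenticate through one of those (or through the PIX's virtual Telnet/HTTP address); the resulting per-user ACL then governs all of that host's traffic for the duration of the authentication timeout, so the timeout value and the fact that the policy is keyed to the source address rather than the person are worth keeping in mind when reviewing who was allowed what.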