We have a remote site that needs to connect back to the corporate office's Win2K server. We are in the process of implementing a VPN, however this site needs access before the VPN is in place. We had thought to have the individual machines on the remote LAN load up the Dial-up VPN drivers and establish connections back to the Win2K server.
Our problem: Our vendor claims that this is not possible with the Cisco PIX that is currently providing access for the remote LAN to the internet. The stated reason is that the PIX firewall rules are all or nothing, and so to open outbound connections up to corporate, they would also have to open all inbound connections into the PIX. This seems like an awfully strange way to build a network edge device, but I must admit that I am not familiar with the PIX devices directly.
Any thoughts on the matter? Both Corporate and Remote have fixed IP addresses. Also this is extremely temporary until we get the VPN stuff tested in our testing lab.
Your vendor is not correct. You can use access lists on PIX firewalls in much the same way you can use them on routers, on a per-interface basis. In its simplest form this means you can apply an access list to the inside interface for all outgoing traffic, and another (different) access list to the outside interface for incoming traffic. You can certainly configure a PIX to allow PPTP or IPSEC traffic through from the Internet and nothing else.
That said, if you are trying to use this Win2k server from behind the firewall using PAT you will probably come into problems. Might be easier to use the border devices to create a LAN to LAN VPN.
The only solution I can see you working is putting a VPN capable device either side of the Win2K box. My guess would be the easiest way to do it would be to put the device inside the Win2K and do a static translation to it. Not sure if this is possible though, Win2K not my strong point.
Are you using xDSL or similar to connect the Win2K server to the Internet? Is it possible to replace it with a router or firewall?
Still not sure I agree with the Vendor. It's usually the NAT or PAT the PIX does that causes problems with Microsoft VPNs. This will not be fixed by opening all ports on the PIX.
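The per-interface access lists described in the reply above, written out as an added example (not configuration posted by anyone in this thread). It assumes PIX 6.x syntax with the default interface names, and all addresses are constructed: the remote LAN is 10.1.1.0/24 behind the PIX, the corporate Win2K server's fixed public address is taken to be 198.51.100.10, and 192.0.2.11 stands for a public address the remote PIX owns. Only PPTP control (TCP 1723) and GRE are allowed out, only the GRE return from the corporate server is allowed in, and everything else on both interfaces is denied:

```text
! Added example, not from the thread. Assumed addressing (constructed):
!   remote LAN behind the PIX      10.1.1.0/24
!   one PPTP client on that LAN    10.1.1.11
!   corporate Win2K PPTP server    198.51.100.10  (fixed IP, per the question)
!   public address owned by PIX    192.0.2.11     (assumption)

! Inside interface: outbound. Permit only the PPTP control channel and GRE
! toward the corporate server; deny all other outbound traffic.
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 host 198.51.100.10 eq 1723
access-list inside_out permit gre 10.1.1.0 255.255.255.0 host 198.51.100.10
access-list inside_out deny ip any any
access-group inside_out in interface inside

! Outside interface: inbound. TCP replies to 1723 return through the PIX's
! stateful connection table, but GRE carries no ports and (assumption: PIX
! releases without PPTP inspection) is not tracked as a connection, so the
! GRE return from the corporate server must be permitted explicitly.
! Nothing else inbound is allowed, so the "all or nothing" claim does not hold.
access-list outside_in permit gre host 198.51.100.10 any
access-list outside_in deny ip any any
access-group outside_in in interface outside

! GRE also cannot be PAT'd (no port to rewrite), which is the problem the
! reply above warns about. A one-to-one static per PPTP client avoids PAT
! for that host (assumed public address 192.0.2.11).
static (inside,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255

! IPsec variant of the same idea, if the clients use IPSEC instead of PPTP:
! permit ISAKMP (UDP 500) and ESP outbound to the server, ESP back inbound.
! access-list inside_out permit udp 10.1.1.0 255.255.255.0 host 198.51.100.10 eq 500
! access-list inside_out permit esp 10.1.1.0 255.255.255.0 host 198.51.100.10
! access-list outside_in permit esp host 198.51.100.10 any
```

The point of the example is the shape of the rules rather than the exact addresses: each interface gets its own list, each list ends in an explicit deny, and the inbound list admits only the protocol the outbound session needs back, from the one peer it was opened to.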