09-28-2007 05:07 AM - edited 02-21-2020 10:19 AM
I have the following topology. R1 with firewall features, R2 and ACS belong to Customer A, while R3 with firewall features and VPN concentrator belong to Customer B.
User--Internet--R1FW---R2--R3FW--VPNConcentrator
                       |
                      ACS
The requirement is for User, who is a mobile user of Customer A, to connect to Customer B's VPN concentrator and open an IPsec connection using the Cisco VPN client.
User must also be authenticated when entering Customer A network and I am considering proxy authentication. So, before opening the vpn client, the user will initiate an http connection to R1 and authenticate itself to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.
The problem is that Customer B needs to know the IP addresses of users with vpn clients so that it can allow only traffic from this IP passing through R3 FW.
Since this is a mobile user, he can connect from different places, so he does not use a single IP.
Here are my thoughts/questions to address this issue:
1. Is it possible to assign the user a static IP when authenticating with the ACS along with proxy authentication?
2. Can I use NAT outside at R1 so I translate user IP to a static IP? Do you see any issue with this implementation?
3. Is there another solution to achieve the above (authentication of mobile users and static IP assignment)?
Thanks,
Evi
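The proxy-authentication flow described in the question (user opens an HTTP connection to R1, authenticates against ACS, and a per-user entry is added to R1's inbound ACL) maps onto IOS Firewall authentication proxy with RADIUS. The configuration below is an added illustration, not part of the original post or of any Cisco example; all addresses (192.0.2.x for R1 and ACS, 198.51.100.5 for the concentrator), the interface name, the auth-proxy name and the shared secret are assumed placeholders, and the exact command syntax should be checked against the IOS release in use.

```cisco
! --- R1 (Customer A edge, IOS Firewall) : assumed example configuration ---
aaa new-model
! authentication and auth-proxy authorization both go to ACS over RADIUS
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
!
! the router's HTTP server handles the login page; tie it to AAA
ip http server
ip http authentication aaa
!
! auth-proxy rule: intercept HTTP from unauthenticated hosts,
! tear the entry down after 60 min idle or 8 h absolute
ip auth-proxy name VPN-USERS http inactivity-time 60 absolute-timer 480
!
interface FastEthernet0/0
 description Internet-facing (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy VPN-USERS
!
! Static inbound ACL: permit only what must reach the router before login
! (RADIUS replies come from the inside, so nothing else is needed here).
! Everything else is denied; auth-proxy intercepts HTTP from hosts that are
! not yet authenticated and presents the login page. Per-user permits are
! inserted dynamically above the deny once ACS returns the proxyacl entries.
access-list 110 deny ip any any
```

On the ACS side the user (or group) profile returns cisco-av-pair attributes that R1 turns into the dynamic entries. The `any` source in each `proxyacl` line is replaced by the IP address the user authenticated from, which is exactly the "allow traffic from the IP of the authenticated user to the IP of the VPN concentrator" behaviour the question asks for:

```cisco
! --- ACS user/group RADIUS attributes (assumed example values) ---
cisco-av-pair = auth-proxy:priv-lvl=15
! IKE (UDP 500), NAT-T (UDP 4500) and ESP to Customer B's concentrator
cisco-av-pair = auth-proxy:proxyacl#1=permit udp any host 198.51.100.5 eq isakmp
cisco-av-pair = auth-proxy:proxyacl#2=permit udp any host 198.51.100.5 eq non500-isakmp
cisco-av-pair = auth-proxy:proxyacl#3=permit esp any host 198.51.100.5
```

Two points for the NAT idea in question 2: if R1 translates the user behind a single static address with port overload, plain ESP cannot be multiplexed by port, so the client and concentrator must negotiate NAT-T (UDP 4500), which is why the proxyacl above permits it. And because the dynamic entry is keyed to the user's pre-translation source address, the translation must happen after the auth-proxy check on R1, otherwise the downloaded permit never matches.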
12-13-2007 07:01 PM
Does the Concentrator have connectivity with Cust A's ACS server? I assume so. The best way to assign the remote client an IP address is to use an IP pool which is attached to the VPN user's group. Then Cust B would be able to build fw rules around this subnet. Be sure to use NARs to permit only authentication to the VPN and not any other RADIUS/TACACS+ clients. HTH.