12-09-2003 05:07 AM
Hi
I have a customer with a VPN concentrator at the Main Office and a number of customers with Pix 501 at home, connected to each customer's private xDSL. The Pix 501 is initiating a RemoteAccess VPN (not fully lan2lan due to the dynamic public IP on the xDSL) towards the central VPN concentrator.
All works fine. But when the customer's kids connect their private PCs to the Pix 501 to reach the internet, they have full IP connectivity to the main office network. That is _no good_ for obvious reasons (trojans, viruses....).
My idea to solve this is to define a single IP on the home office network to initiate the VPN tunnel. The problem is that if I configure the work PC at home for a static IP, it won't work when the customer carries their laptop to the main office and plugs it into that network with DHCP.
Another idea to solve this was to make a static DHCP lease in the Pix DHCP server, so that the work PC is still running DHCP but will always get the same IP (the IP that I define in the VPN tunnel and nat 0 access-list).
Then I found out that the Pix DHCP server doesn't support static entries.
Is there any other way to make this? All I wanna do is to make sure that on the home LAN only one defined PC will be able to communicate thru the VPN tunnel.
Thanks in advance!
Regards Jimmy
12-09-2003 05:39 AM
Well, the very first thing I would do would be to deny any MAC address from passing traffic on the PIX except the work PC. Check out this link.
Then do some extra authentication to hinder the kiddies if they get on mom's laptop, like:
I am not sure but I think you can also shut down the other ports of the PIX 501 so that only one port on the inside works.
Anyone else with some ideas?
Please remember to rate any postings that help you out.
12-09-2003 06:30 AM
Hello
To deny MAC addresses is one good way that I haven't thought of. But my problem is that I DO want the kiddies to surf the internet, I just don't wanna let their PCs communicate thru the VPN tunnel.
I have an access-list for specifying VPN traffic (from local LAN to main office LAN), used both for nat 0 and crypto map xxx yyy match address...). Is there any way for me to make a MAC-address filter in this access-list?
You think that I can shut down all but one port on the inside of the Pix 501? I have never seen anything about such a feature. Do you have more information?
But still, I do want "the kiddies" to access the internet thru the Pix 501, I just wanna make sure that the only PC on the local LAN that can reach the main office servers is mom's laptop.
Any more feedback from anyone about this issue would be great.
Regards
Jimmy
12-09-2003 07:04 AM
Then you will want to do split-tunneling on the PIX.
This will send all HTTP traffic out through the provider and not through the tunnel. This policy is defined on the concentrator and pushed out to the PIX.
On the Concentrator go to Configuration | User Management | Groups | Modify |Client Config
Look for the Split-Tunneling Policy. This will let the kiddies out.
I would still do xauth though.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/ipsec/advanced.htm#18067
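To show what Jimmy's own approach (a single host in the nat 0 / crypto ACL) looks like on the PIX side, here is an added configuration fragment in PIX 6.x syntax. It is not from the thread or from Cisco's documentation, and the addresses (home LAN 192.168.1.0/24, work PC 192.168.1.10, main office 10.1.0.0/16), the ACL and crypto map names, and the concentrator address placeholder are all assumed for the example.

```cisco
! Assumed addressing (constructed for this example):
!   home LAN        192.168.1.0/24
!   work PC         192.168.1.10  (the only host allowed into the tunnel)
!   main office LAN 10.1.0.0/16
!
! Only traffic from the work PC to the main office is "interesting" traffic.
! Everything else on the home LAN never matches this ACL, so it is never
! encrypted and never exempted from NAT.
access-list vpn permit ip host 192.168.1.10 10.1.0.0 255.255.0.0

! Exempt that same traffic from NAT so it crosses the tunnel with its real address
nat (inside) 0 access-list vpn

! All other inside traffic (the kids' PCs included) is PATed to the provider
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Crypto map: only packets matching 'vpn' are sent to the concentrator
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tomain 10 ipsec-isakmp
crypto map tomain 10 match address vpn
crypto map tomain 10 set peer <concentrator-public-ip>
crypto map tomain 10 set transform-set strong
crypto map tomain interface outside
sysopt connection permit-ipsec

! DHCP pool deliberately excludes 192.168.1.10, so no DHCP client can be
! handed the tunnel address by accident. How the work PC itself obtains .10
! while still running DHCP is the open question of this thread.
dhcpd address 192.168.1.20-192.168.1.40 inside
dhcpd enable inside
```

Two things to verify after applying it: `show access-list vpn` should only accumulate hit counts for flows sourced from 192.168.1.10, and `show crypto ipsec sa` should show the local identity as that single /32 rather than the whole LAN. The limitation is the one the thread already circles around: an ACL filters on the IP address, not on the machine, so a PC that is manually configured with .10 would match it, which is why the MAC-based and xauth suggestions above are worth combining with this.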