VPN Security issues...

jilahbg
Level 1

Hi

I have a customer with a VPN concentrator at the Main Office and a number of customers with a Pix 501 at home connected to each customer's private xDSL. The Pix 501 is initiating a RemoteAccess-VPN (not fully lan2lan due to the dynamic public IP on the xDSL) towards the central VPN concentrator.

All works fine. But when the customers' kids connect their private PCs to the Pix501 to reach the internet, they have full IP connectivity to the main office network. That is _no good_ for obvious reasons (trojans, viruses...).

My idea to solve this is to define a single IP on the home office network to initiate the VPN tunnel. The problem is that if I configure the work PC at home with a static IP it won't work when the customer carries their laptop to the main office and plugs it into that network with DHCP.

Another idea to solve this was to make a static DHCP lease in the PIX DHCP server so that the work PC is still running DHCP but will always get the same IP (the IP that I define in the VPN tunnel and nat 0 access-list).

Then I found out that the PIX DHCP server doesn't support static entries.

Is there any other way to make this work? All I want to do is to make sure that on the home LAN only one defined PC will be able to communicate through the VPN tunnel.

Thanks in advance!

Regards Jimmy

3 Replies

travis-dennis_2
Level 7

Well, the very first thing I would do would be to deny any MAC address from passing traffic on the PIX except the work PC. Check out this link.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#85697

Then do some extra authentication to hinder the kiddies if they get on mom's laptop, like:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#29250

I am not sure but I think you can also shut down the other ports of the PIX 501 so that only one port on the inside works.

Anyone else with some ideas?

Please remember to rate any postings that help you out.

Hello

Denying MAC addresses is one good way that I hadn't thought of. But my problem is that I DO want the kiddies to surf the internet, I just don't want to let their PCs communicate through the VPN tunnel.

I have an access-list for specifying VPN traffic (from local LAN to main office LAN), used both for nat 0 and crypto map xxx yyy match address. Is there any way for me to do MAC-address filtering in this access-list?

You think that I can shut down all but one port on the inside of the pix 501? I have never seen anything about such a feature. Do you have more information?

But still, I do want "the kiddies" to access the internet through the pix501, I just want to make sure that the only PC on the local LAN that can reach main office servers is mom's laptop.

Any more feedback from anyone about this issue would be great.

Regards

Jimmy
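The access-list approach Jimmy describes (one ACL used for both nat 0 and the crypto map match address) is the natural place to pin the tunnel to a single host. The fragment below is an added illustration in PIX 6.x syntax and is not configuration from this thread or from Cisco; the inside network 192.168.1.0/24, the main office network 10.10.0.0/16, the work PC address 192.168.1.10, the ACL names, the peer placeholder and the transform-set name are all constructed assumptions. Because the ACL matches on IP addresses only, it does not answer the MAC-filtering question; it answers the "single IP" idea from the original post.

```cisco
! Constructed example: restrict the IPsec tunnel to one inside host on a PIX 501 (PIX 6.x syntax)
! Assumed addressing: inside LAN 192.168.1.0/24, main office 10.10.0.0/16, work PC 192.168.1.10

! Tunnel-interesting traffic: only the work PC talking to the main office network.
! Kids' PCs never match, so their packets are neither exempted from NAT nor encrypted.
access-list vpn-traffic permit ip host 192.168.1.10 10.10.0.0 255.255.0.0

! nat 0 exempts only the matched flows from translation; everything else is PATed out the xDSL link.
nat (inside) 0 access-list vpn-traffic
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! The same ACL selects what enters the tunnel. <CONCENTRATOR-PUBLIC-IP> is a placeholder.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer <CONCENTRATOR-PUBLIC-IP>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Defence in depth on the inside interface: other inside hosts are dropped before they
! can address main office space at all, while their internet traffic still passes.
access-list inside_in permit ip host 192.168.1.10 10.10.0.0 255.255.0.0
access-list inside_in deny ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

This only holds while the work PC actually has 192.168.1.10, which is exactly the problem the original post raises (no static DHCP leases on the PIX 501 DHCP server, and a static address breaks the laptop at the main office). The inside_in ACL is worth keeping regardless: if a kids' PC ever does obtain the reserved address, only a host that both holds that address and authenticates (the xauth the replies recommend) should reach the main office.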

Then you will want to do split-tunneling on the PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094cf8.shtml

This will send all HTTP traffic out through the provider and not through the tunnel. This policy is defined on the concentrator and pushed out to the PIX.

On the Concentrator go to Configuration | User Management | Groups | Modify | Client Config

Look for the Split-Tunneling Policy. This will let the kiddies out.

I would still do xauth though.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/ipsec/advanced.htm#18067