I have a customer with a VPN concentrator at the main office and a number of customers with a Pix 501 at home connected to each customer's private xDSL. The Pix 501 initiates a remote-access VPN (not fully LAN-to-LAN, due to the dynamic public IP on the xDSL) towards the central VPN concentrator.
All works fine. But when the customers' kids connect their private PCs to the Pix 501 to reach the internet, they have full IP connectivity to the main office network. That is _no good_ for obvious reasons (trojans, viruses....).
My idea to solve this is to define a single IP on the home office network to initiate the VPN tunnel. The problem is that if I configure the work PC at home with a static IP, it won't work when the customer carries their laptop to the main office and plugs it into that network with DHCP.
Another idea to solve this was to make a static DHCP lease in the Pix DHCP server so that the work PC is still running DHCP but will always get the same IP (the IP that I define in the VPN tunnel and nat 0 access-list).
Then I found out that the Pix DHCP server doesn't support static entries.
Is there any other way to do this? All I want to do is make sure that on the home LAN only one defined PC will be able to communicate through the VPN tunnel.
Denying MAC addresses is one good way that I hadn't thought of. But my problem is that I DO want the kiddies to surf the internet; I just don't want to let their PCs communicate through the VPN tunnel.
I have an access-list for specifying VPN traffic (from the local LAN to the main office LAN), used both for nat 0 and for crypto map xxx yyy match address... Is there any way for me to do MAC address filtering in this access-list?
You think that I can shut down all but one port on the inside of the Pix 501? I have never seen anything about such a feature. Do you have more information?
But still, I do want "the kiddies" to access the internet through the Pix 501; I just want to make sure that the only PC on the local LAN that can reach the main office servers is mom's laptop.
Any more feedback from anyone about this issue would be great.
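As an added illustration (not configuration from the original post or from Cisco), this is the shape of the PIX 6.x setup the post describes: one access-list that selects the VPN traffic and is referenced from both `nat (inside) 0` and the crypto map `match address`, restricted to a single inside host, while every other inside host is PAT'd straight to the internet. All addresses, names and sequence numbers (`192.168.1.10`, `10.1.0.0/16`, `VPN_TRAFFIC`, `MYMAP`, the `outside` default route) are assumptions chosen for the example.

```cisco
! --- Example PIX 6.x configuration (assumed addresses and names) ---
! Inside LAN is 192.168.1.0/24; main office LAN is assumed to be 10.1.0.0/16.
! Only the work PC at 192.168.1.10 is allowed into the tunnel.

! Crypto/nat-0 ACL: matches on IP addresses only, so it keys on the work PC's
! address, not on its MAC. The single "host" entry is what keeps the kids' PCs out.
access-list VPN_TRAFFIC permit ip host 192.168.1.10 10.1.0.0 255.255.0.0

! Traffic that matches the ACL bypasses NAT (identity NAT) so it can enter the tunnel.
nat (inside) 0 access-list VPN_TRAFFIC

! Everything else from the inside LAN is PAT'd to the outside interface address
! and goes out to the internet in the clear (the kids keep their internet access).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Crypto map: the same ACL decides which packets are protected by the tunnel.
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN_TRAFFIC
crypto map MYMAP interface outside

! DHCP pool for the rest of the LAN. It deliberately excludes 192.168.1.10 so no
! other client can be handed the "VPN" address; the work PC itself must still end
! up at that address by some means, which is the open question in the post.
dhcpd address 192.168.1.20-192.168.1.40 inside
dhcpd enable inside
```

Because the access-list is evaluated on the source IP, a host on the inside LAN that obtains any address other than 192.168.1.10 never matches `VPN_TRAFFIC`: it is PAT'd by `nat (inside) 1` and cannot reach 10.1.0.0/16 through the tunnel. The restriction therefore only holds as well as the work PC's address is stable, which is exactly why the post looks for a way to pin that address without losing DHCP.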