Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Security issues...

Hi

I have a customer with a VPN-concentrator at the Main Office and a number of customers with Pix 501 at home connected to each customers private xDSL. The Pix 501 is initiating a RemoteAccess-VPN (not fully lan2lan due to dynamic public IP on the xDSL) towards the central VPN-concentrator.

All works fine. But when the customers kids connects their private PC:s to the Pix501 to reach internet, they have full IP-connectivity to the main office network. That is _no good_ by obvious reasons (trojans, viri....).

My idea to solve this is to define a single Ip on home office network to initiate the VPN-tunnel. The problem is that if I configure the work-pc at home for a static IP it wont work when the customers carries their laptop to main office an pluds it into that network with dhcp.

Another idea to solve this was to make a static dhcp-lease in the pix dhcp-server so that the work-pc is still running dhcp but will always get the same IP (the IP that I define in the VPN-tunnel and nat0 access-list).

Then I found out that the pix dhcp-server doesnt support static entries.

Is there any other way to make this? All I wanna do is to make sure that on the home-LAN only one defined PC will be able to communicate thru the VPN-tunnel.

Thanks in advance!

Regards Jimmy

3 REPLIES

Re: VPN Security issues...

Well the very first thing I would do would be to deny any MAC address from passing traffic on the PIC except the work PC. CHeck out this link.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#85697

Then do some extra authetication to hinder the kiddies if they get on mom's laptop like:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#29250

I am not sure but I think you can also shut down the other ports of the PIX 501 so that only one port on the inside works.

Anyone else with some ideas?

Please remember to rate any postings that help you out.

New Member

Re: VPN Security issues...

Hello

To deny MAC-addresses is one good way that i haven´t thought of. But, my problem is that I DO want the kiddies to surf the internet, I just dont wanna let their PCs communicate thru the VPN-tunnel.

I have an access-list for specifying vpn-traffic (from local lan to main office lan), used both for nat 0 and crypto map xxx yyy match address...). Is there any way for me to make an MAC-address filtering in this access-list?

You think that I can shut down all but one port in the inside of pix 501? I have never seen anything about such an feature. Do you have more information?

But still, I do want "the kiddies" to access internet thru the pix501, I just wanna make sure that the only pc on local lan that can reach main office servers is moms laptop.

Any more feedback from anyone about this issue wuold be great.

Regards

Jimmy

Re: VPN Security issues...

Then you will want to do splut-tunneling on the PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094cf8.shtml

This will send all HTTP traffic out through the provider and not through the tunnel. This policy is defined on the concentrator and pushed out to the PIX

On the Concentrator go to Configuration | User Management | Groups | Modify |Client Config

Look for the Split-Tunneling Policy. This will let the kiddies out.

I would still do xauth though.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/ipsec/advanced.htm#18067

347
Views
0
Helpful
3
Replies