Use the AAA commands on the PIX with a Windows Radius or Cisco CSACS
server. The AAA command will require all inbound and/or outbound
traffic to be authenticated (username & pw, cert, etc). The VPN should
be terminating at your PIX and all traffic will be authenticated after
that.
You can require authentication for hosts, groups, or subnets.
Here is an example statement:
aaa authentication include any inbound 0 0 0 0 Radius
- This only is used for http, telnet, or FTP if any other application
is needed fro authentication then a virtual service can be created on
the PIX with the "virtual http/FTP/telnet ip_address" command. Then use
the other means for setting up the ACL's and VPN parameters.
If more info is needed to get it set up, the complete details are
available on the Cisco site for this.
-----Original Message-----
From: Arek Slominski [ <mailto:aslom@paytel.pl>
mailto:aslom@paytel.pl]
Sent: Tuesday, August 17, 2004 8:53 AM
To: firewalls@securityfocus.com
Subject: PIX - VPN with IPSec
Hi Guys,
Our company plans to establish an IPSec VPN tunnel to one of
our customers. Some resources should be shared for the
customer and the easiest way is to let secured access to the
data via Internet. We prepared testing environment with
PIX515 and Linksys VPN router. The data are crypted fine but
there is no access control within the VPN channel.
We added PIX command "sysopt connection permit-ipsec" on PIX
and it let's all inbound traffic from Linksys router via
IPSec tunnel, nothing even acls!!! I do not want all inbound
traffic welcome to my LAN behind PIX - all I need is for
example access to one web server inside.
Pls, advise how to fix it.
Regards
Arek
