Setting up PIX as VPN server in public address environment

In our network all of our addresses are public per the policy of our ISP (the State of Washington). In order to use a PIX for the inner firewall I had to incorporate a Cisco hack to exclude all addresses from NATing. This was done with a standard access list following Cisco instructions. Now I want to deploy VPNs on the PIX using a Microsoft RADIUS server and Microsoft certificates with Cisco Easy VPN clients. I haven't found instructions for this combination yet. When I ran the Cisco wizard to configure the PIX as a VPN server it errored out. The dump shows the wizard tried to add an extended ACE to the standard ACL I created to avoid NATing, and this was refused. Can I change the standard ACL recommended by Cisco to an extended ACL without breaking the NAT exclusion function? Also, I'm not sure how to set up the client and PIX to use certificates. I don't know what certificates to use and couldn't find information from Cisco. I would appreciate any information to help deploy these VPNs. Thanks. rt
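An added example (not from the thread) showing the NAT-exemption ACL written in extended form, with the kind of ACE a VPN wizard adds for the remote-client address pool; PIX 7.x syntax is assumed, and the addresses, pool and ACL names are placeholders from documentation ranges, not the poster's:

```text
! Added example, not from the original thread. PIX 7.x syntax assumed.
! 192.0.2.0/24 stands in for the site's public inside block (placeholder).
! Pool for Easy VPN clients, carved from the high end of the same block (placeholder).
ip local pool VPN_POOL 192.0.2.193-192.0.2.254 mask 255.255.255.192

! NAT exemption as an extended ACL: inside hosts to anywhere are never translated.
access-list NO_NAT extended permit ip 192.0.2.0 255.255.255.0 any

! The ACE a VPN wizard adds so that traffic to the client pool is also exempt.
! It fits an extended ACL; the exemption above already covers it, so adding it
! changes nothing for existing traffic.
access-list NO_NAT extended permit ip any 192.0.2.192 255.255.255.192

! Bind the exemption list to the inside interface (identity NAT, nat 0).
nat (inside) 0 access-list NO_NAT
```

Verify with `show nat` and `show access-list NO_NAT` that both entries are present and that hit counts rise on the inside-to-any line for normal traffic.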

Answer Wiki


The ACL hack worked. We were able to do VPNs with shared secrets but haven’t figured out the certificate part. Since this must be deployed tomorrow I am reluctantly going with shared secrets.
Unless I find an answer before my job ends here, I expect the college will just stay with the shared secret solution.

Discuss This Question: 2 Replies

  • Dane Sauve
    Generally I do not post on blogs, but I would like to say that this post really forced me to do so! Really nice post.
    0 points
  • Genderhayes
    Put the VPNC totally inside the network. Have the PIX allow IKE and IPsec to the VPNC, doing NAT from the internal VPNC public address to an address out of the Internet public address block for the site. The benefit of putting the VPNC in parallel with the PIX is that this offloads work from the PIX for the VPN and your remote users. If you connect the VPNC to a Remote Access DMZ interface on the PIX, you're putting more work on the PIX, but also possibly obtaining benefits from ACLs, NAT, etc.
    10,730 points
