Re: PIX and VPN Concentrator !

From: Larry Roberts (groupstudy@american-hero.com)
Date: Thu May 26 2005 - 12:25:50 GMT-3


If you're using a concentrator you can assign an access-list (filter-list)
that would define what traffic can and can't pass per Group. By
forcing users into a specific group then you can control what they get
access to, but only with the granularity of an access-list.

If you're terminating your VPN clients on a PIX, nothing that I know of,
or at least can think of, would allow you to restrict what they can and
can't do. I haven't played with Production 7.x code however so that may
be possible in the new release.
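The separate-interface layout Vazman suggests in the quoted reply below, written out as an added PIX 6.3 configuration sketch that is not from the original thread: the concentrator's private interface hangs off a third PIX interface, and an access-list bound to that interface decides which internal hosts the remote-access client pool can reach. The interface name, all addresses and the client pool are assumed values, and the `!` lines are annotations rather than PIX commands.

```text
! Third PIX interface facing the concentrator's private side (assumed: ethernet2)
nameif ethernet2 vpn security50
ip address vpn 192.168.50.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! The remote-access client pool (assumed 10.10.10.0/24) sits behind the
! concentrator, whose private interface is assumed to be 192.168.50.2
route vpn 10.10.10.0 255.255.255.0 192.168.50.2 1

! Expose inside hosts to the lower-security vpn interface without translating them
static (inside,vpn) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Permit only the services the VPN users need; everything else from the pool is dropped
access-list vpn_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 443
access-list vpn_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 25
access-list vpn_in permit udp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 53
access-list vpn_in deny ip any any
access-group vpn_in in interface vpn
```

Because the client pool arrives on a lower-security interface, nothing from it reaches the inside network unless a line in `vpn_in` allows it, which is the per-resource control the PIX cannot give you when it terminates the clients itself.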

C.Sammarcellino@sirtisistemi.it wrote:
> It is possible to control what resources your VPN clients can access with
> the filter list on the VPN without intervention on the PIX.
>
> The filtering on the VPN is more scalable because you can set it for
> group or for user.
>
> Bye
>
> -------------------------------------------------------------------------
> Ciro Sammarcellino
> CCIE R&S N. 13622
> CCSP (Cisco Certificate Security Professional)
> INFOSEC Professional certificate (under NSA/CNSS directive)
> Supporto Specialistico Networking
> Sirti Sistemi S.p.A.
> Via A. Benigni, 25
> 00156 Rome (Italy)
> Cell.: ++39 3356426305
> Tel.: ++39 06-82880304
> Tel.: ++39 02-95886880
> Fax.: ++39 06-821899
> e-mail: c.sammarcellino@sirtisistemi.it
> -------------------------------------------------------------------------
>
> This e-mail may contain confidential and/or privileged information. If
> you are not the intended recipient (or have received this e-mail in
> error) please notify the sender immediately and destroy this e-mail. Any
> copying, disclosure or distribution of the material in this e-mail is
> strictly forbidden."
>
> -----nobody@groupstudy.com wrote: -----
>
> To: Larry Roberts <groupstudy@american-hero.com>
> From: Vazman <vazman@gmail.com>
> Sent by: nobody@groupstudy.com
> Date: 05/25/2005 09:04PM
> cc: Nguyen Hoa <hoanh.it@ct-in.com.vn>, Cisco certification
> <ccielab@groupstudy.com>
> Subject: Re: PIX and VPN Concentrator !
>
> When you have the pix and concentrator in a parallel setup, you have a
> couple of options also. You can connect the inside interface of the
> concentrator to your internal network or to a separate interface on
> the pix. Connecting it to a separate interface on the pix allows you
> to control what resources your VPN clients can access.
>
> On 5/25/05, Larry Roberts <groupstudy@american-hero.com> wrote:
> > It really is a matter of preference.
> >
> > Having the Concentrator behind the PIX does provide additional security
> > by forcing traffic to traverse the Firewall. It does this at the expense
> > of having a single point of failure for both devices however. If you do
> > this and the PIX fails then you lose both remote access and the Firewall.
> >
> > Most deployments that I have done, or have been around, have the PIX and
> > the Concentrator in parallel. Downside to this is that your
> > concentrator is now directly exposed to the internet, however the
> > filtering on the Concentrator really minimizes the exposure.
> >
> > I don't know of any templates and a quick search on Cisco didn't reveal
> > any, however you can treat these as two separate devices for
> > configuration purposes.
> >
> > Your best bet would be to look through the configuration guides:
> >
> > PIX v6.3
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm
> >
> > Concentrator v4.7
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/index.htm
> >
> > Let us know how you do or of any questions you have.
> >
> > Larry
> >
> >
> >
> > Nguyen Hoa wrote:
> > > Hi all
> > >
> > > I have one PIX for Firewall function and one VPN Concentrator 3030 for
> > > remote-access VPN connections
> > >
> > > How can I deploy this case ?
> > >
> > > 1. PIX placed in parallel with the Concentrator
> > > 2. Concentrator placed behind the PIX
> > >
> > > Which solution is better and easier to config? And where could I find the
> > > config template for this scenario?
> > >
> > > Tks !
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:02 GMT-3