RE: [fw-wiz] How AAA in PIX Firewall ?

From: Adel Guia Cruz (aguia_at_fifomi.gob.mx)
Date: 12/04/03

  • Next message: peter bartoli: "Re: [fw-wiz] full IPSEC tunnels on PIX and NAT ..."
    To: mailinglists@wjnconsulting.com, 'Adel Guia Cruz' <aguia@fifomi.gob.mx>, firewall-wizards@honor.icsalabs.com
    Date: Wed, 3 Dec 2003 17:51:22 -0600
    
    

    1) The problem with using site-to-site VPN is that I need to buy 1 PIX Firewall
    per remote office (total of 15 PIX 501), and this is more expensive than
    individual VPNs, or not?

    2) I need AAA for controlling users' access to the Internet. My network is a
    Microsoft Windows network with 2 Domain Controllers, and I need to
    authenticate, filter URLs and log the activity of the users that will use NAT
    through the PIX. How can I do that? I know that RADIUS server software
    exists, but the problem is whether it does that, and which of these servers
    does it?
    In the case of controlling remote access to the firewall I only need
    authentication.

    Thanks, and I'm sorry because my English is not good; my native language is
    Spanish.

    ADEL

    -----Original Message-----
    From: Wes Noonan [mailto:mailinglists@wjnconsulting.com]
    Sent: Wednesday, 03 December 2003 14:55
    To: 'Adel Guia Cruz'; firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] How AAA in PIX Firewall ?

    1) The PIX 506 should work fine, as long as you don't need more than 2
    interfaces, failover or more than 25 VPN peers. You mention that you need
    75, but you might be better served using site-to-site VPN connections
    instead of individual VPNs for each user. If you really need 75 VPN peers
    though, then you have to go with a 515 or larger.
    2) Are you wanting AAA for controlling access to the firewall or controlling
    user access to the internet? If the former, you can use local usernames or
    RADIUS for authentication. If the latter, you can still use RADIUS for
    authentication, though I believe that you largely give up the ability to do
    authorization or accounting without TACACS+.

    HTH

    Wes Noonan
    Mailinglists@wjnconsulting.com
    http://www.wjnconsulting.com

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-
    > admin@honor.icsalabs.com] On Behalf Of Adel Guia Cruz
    > Sent: Wednesday, December 03, 2003 13:45
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] How AAA in PIX Firewall ?
    >
    > I need to implement a Firewall, VPN and IDS solution in my Central Office
    > network. The network structure is one Central Office with 150 nodes (50
    > nodes need Internet access) and 15 Remote Small Offices with 5 nodes per
    > Remote Office.
    >
    > The Central Office has only one internet connection (HDSL 256Kbps) and the
    > remote offices are connected to the Central Office through the Internet.
    >
    > I think that the Cisco PIX Firewall is a good choice, but I need some advice:
    >
    > 1- How to implement AAA (Authentication, Authorization, Accounting) in
    > the PIX firewall. I know that Cisco has the "Cisco Secure Access Control
    > Server"
    > for AAA, but it is very expensive. Is it possible to implement AAA without "Cisco
    > Secure ACS" in the PIX firewall, and if it is possible, what will be the limitations
    > ?
    > 2- Is the PIX 506 sufficient for me, or do I need the next PIX 515-UR? I need
    > at
    > least 75 concurrent VPN connections.
    >
    > Thanks
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

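The setup the two replies are circling around (RADIUS for firewall logins and for authenticating inside users before NAT, accounting to the same server, authorization only with TACACS+, URL filtering handed to an external box) written out as an added example in PIX 6.x CLI syntax. This is not configuration posted by either participant; the server group names are the PIX defaults, and every address, the shared secrets and the Websense/syslog hosts are placeholders assumed for illustration.

```cisco
! Added example, PIX 6.x syntax. All addresses, secrets and hosts are placeholders.

! RADIUS server group (the default group name) reachable via the inside interface.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 ChangeThisSharedSecret timeout 5

! AAA for access to the firewall itself (the "remote access to the firewall" case).
! The serial console stays on the LOCAL on-box database so an unreachable RADIUS
! server cannot lock the administrator out.
username admin password ChangeThisPassword privilege 15
aaa authentication serial console LOCAL
aaa authentication telnet console RADIUS
aaa authentication ssh console RADIUS
aaa authentication enable console RADIUS

! Cut-through proxy: inside users must authenticate before HTTP, FTP or Telnet is
! NATed out. Only these three services can carry the login prompt; using "any"
! instead of a service name makes all other outbound TCP wait until the user has
! authenticated through one of the three.
aaa authentication include http inside 0 0 0 0 RADIUS
aaa authentication include ftp inside 0 0 0 0 RADIUS
aaa authentication include telnet inside 0 0 0 0 RADIUS
timeout uauth 1:00:00 absolute 0:30:00 inactivity

! Per-user accounting (start/stop records with username, source and destination)
! for outbound TCP sessions goes to the same RADIUS server: the "log the activity" part.
aaa accounting include any inside 0 0 0 0 RADIUS

! Per-user authorization of outbound services is the piece that, as the reply above
! says, needs a TACACS+ server on a 6.x PIX. Shown disabled (commented) on purpose:
! aaa-server TACACS+ protocol tacacs+
! aaa-server TACACS+ (inside) host 10.1.1.8 ChangeThisToo timeout 5
! aaa authorization include any inside 0 0 0 0 TACACS+

! URL filtering is not an AAA function: the PIX asks an external Websense (or N2H2)
! server about each outbound HTTP request. Placeholder host shown.
url-server (inside) vendor websense host 10.1.1.6 timeout 5 protocol TCP
filter url http 0 0 0 0

! Syslog for connection and AAA messages (placeholder collector).
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.7
```

Two practical caveats that apply to any such deployment: RADIUS only obfuscates the User-Password attribute, while TACACS+ encrypts the whole packet body, so in either case the AAA server and its shared secret should only be reachable from the inside (or a dedicated management) interface. And the cut-through proxy authenticates a source IP address, not a person; with the uauth timeouts above, anyone on that host during the window inherits the session, so keep the absolute and inactivity timeouts short on shared machines.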

