RE: [fw-wiz] How AAA in PIX Firewall ?

From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 12/04/03

  • Next message: marcel.cook_at_convergys.com: "[fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall"
    To: "'Adel Guia Cruz'" <aguia@fifomi.gob.mx>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 3 Dec 2003 20:03:57 -0600
    
    

    1) Not necessarily. You could go netopia or something similar for the remote
    sites. If not, the cost of 15 PIX 501's would be somewhere in the $6000-7000
    range which is about $3000 more give or take what a 515E-UR would cost.
    2) I would recommend setting up a content filtering server as that sounds
    more in line with what you really need. PIX supports Websense and N2H2 for
    content filtering.

    Don't sweat the English. It's better than my Spanish. :-)

    HTH

    Wes Noonan
    mailinglists@wjnconsulting.com
    http://www.wjnconsulting.com

    > -----Original Message-----
    > From: Adel Guia Cruz [mailto:aguia@fifomi.gob.mx]
    > Sent: Wednesday, December 03, 2003 17:51
    > To: mailinglists@wjnconsulting.com; 'Adel Guia Cruz'; firewall-
    > wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] How AAA in PIX Firewall ?
    >
    > 1) The problem of use site-to-site VPN is that I need to buy 1 PIX
    > Firewall
    > peer remote office (Total of 15 PIX 501) and this is more expensive that
    > individual VPN, or not ?
    >
    > 2)I need AAA for controlling users access to the Internet. My network is
    > Microsoft Windows Network with 2 Domain Controller and I need to
    > Authenticate, filter URL and log the activity of the user that will use
    > NAT
    > trough the PIX , How can I do that ? I know that exist RADIUS server
    > software, but the problems is if they do that, and what of this SERVER do
    > it
    > ?
    > In case of controlling remote access to the firewall I only need
    > authentication.
    >
    > Thanks and I´m sorry because my English is not good, my native language
    > is
    > Spanish
    >
    > ADEL
    >
    > -----Mensaje original-----
    > De: Wes Noonan [mailto:mailinglists@wjnconsulting.com]
    > Enviado el: miércoles, 03 de diciembre de 2003 14:55
    > Para: 'Adel Guia Cruz'; firewall-wizards@honor.icsalabs.com
    > Asunto: RE: [fw-wiz] How AAA in PIX Firewall ?
    >
    >
    > 1) The PIX 506 should work fine, as long as you don't need more than 2
    > interfaces, failover or more than 25 VPN peers. You mention that you need
    > 75, but you might be better served using site-to-site VPN connections
    > instead of individual VPNs for each user. If you really need 75 VPN peers
    > though, then you have to go with a 515 or larger.
    > 2) Are you wanting AAA for controlling access to the firewall or
    > controlling
    > user access to the internet. If the prior you can use local usernames or
    > RADIUS for authentication. If the latter, you can still use RADIUS for
    > authentication though I believe that you largely give up the ability to do
    > authorization or accounting without TACACS+.
    >
    > HTH
    >
    > Wes Noonan
    > Mailinglists@wjnconsulting.com
    > http://www.wjnconsulting.com
    >
    >
    > > -----Original Message-----
    > > From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-
    > wizards-
    > > admin@honor.icsalabs.com] On Behalf Of Adel Guia Cruz
    > > Sent: Wednesday, December 03, 2003 13:45
    > > To: firewall-wizards@honor.icsalabs.com
    > > Subject: [fw-wiz] How AAA in PIX Firewall ?
    > >
    > > I need to implement a Firewall, VPN and IDS solution in my Central
    > Office
    > > network. The network structure is one Central Office with 150 nodes (50
    > > nodes need Internet access) and 15 Remote Small Office with 5 node peer
    > > Remote Office.
    > >
    > > The Central Office have only one internet connection HDSL 256Kbps and
    > the
    > > remote office are connected to Central Office thought Internet.
    > >
    > > I think that Cisco PIX Firewall is a good choice but I need some advise:
    > >
    > > 1- How to implement AAA (Authentication, Authorization, Accounting)
    > in
    > > PIX firewall. I now that Cisco have the "Cisco Secure Access Control
    > > Server"
    > > for AAA but is very expensive. Is possible to implement AAA without
    > "Cisco
    > > Secure ACS" in PIX firewall, if is possible what will bee the
    > limitations
    > > ?
    > > 2- Is PIX 506 sufficient to me, or I need the next PIX 515-UR? I
    > need
    > > at
    > > less 75 concurrent VPN connections.
    > >
    > > Thanks
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: marcel.cook_at_convergys.com: "[fw-wiz] MTU issue routing traffic via Cisco GRE tunnel to Nokia/Check Point firewall"

    Relevant Pages

    • Sometimes it works sometimes it doesnt (VPN data issues)
      ... I am running a windows2k3 SBS server behind a linksys firewall. ... remote users having troubles connecting to our network. ... I figured this was a firewall issue blocking VPN data, ... the connection will stall and then starting the connection process ...
      (microsoft.public.windows.server.networking)
    • Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall
      ... > I am looking to purchase a new firewall appliance to replace a Linksys ... > I am currently providing Remote Access using the Remote Web Workspace ... Why not do it the simple easy way - let them VPN into the firewall, ... That's not what it means - they are talking about remote users as in ...
      (comp.security.firewalls)
    • RE: Firewalls on VPNs - Best Practice Advice
      ... Please help me know if you want to make the IT person manage the remote DC ... | previously been advised that Firewalling VPN ... | connections is not recommended, I've turned off Windows Firewall ...
      (microsoft.public.windowsxp.work_remotely)
    • Re: VPN Routers or XP VPN Clients
      ... you may want to consider an identical VPN firewall at each ... but not sure if he has remote sites. ... > Do I treat each workstation as a remote VPN client to the server (as you ...
      (microsoft.public.windows.server.sbs)
    • Re: Remote Access and ISA Server in SBS 2003?
      ... I am glad to hear the Remote Access Wizard is working fine now. ... there is no difference in VPN between SBS 4.5 and SBS ... Error Message: VPN Connection Error 800: Unable to Establish Connection ... the external NIC of the SBS Server. ...
      (microsoft.public.windows.server.sbs)