RE: [fw-wiz] How AAA in PIX Firewall ?

From: Ray Burkholder (
Date: 12/07/03

  • Next message: Keith Anderson: "RE: [fw-wiz] PIX DMZ inter-access via outside IP address"
    To: <>
    Date: Sun, 7 Dec 2003 00:25:30 -0500

    1) Cisco has a VPN client pack with 100 clients for a few hundred dollars.
    PIX 501's should run you in the $500 to $700 range each in quantity. I'd
    recommend them if you have small offices to handle, otherwise use the VPN
    client pack. Be sure your central size has a VPN hardware accelerator for
    handling multiple units. A PIX 515 with the accellerator or a 3600 series
    router with an accelerator should suffice.

    2) Windows 2000 server has a Radius server built in which will authenticate
    against Active Directory. Alternatively, you can use a Linux box running
    FreeRadius will authenticate with Active Directory in LDAP mode. I'm not
    sure exactly what type of URL filtering you wish to do, so these may now
    work quite right for you. Authentication and logging works well in either

    Ray Burkholder
    704 576 5101

    > >
    > > 1) The problem of use site-to-site VPN is that I need to buy 1 PIX
    > > Firewall
    > > peer remote office (Total of 15 PIX 501) and this is more
    > expensive that
    > > individual VPN, or not ?
    > >
    > > 2)I need AAA for controlling users access to the Internet.
    > My network is
    > > Microsoft Windows Network with 2 Domain Controller and I need to
    > > Authenticate, filter URL and log the activity of the user
    > that will use
    > > NAT
    > > trough the PIX , How can I do that ? I know that exist RADIUS server
    > > software, but the problems is if they do that, and what of
    > this SERVER do
    > > it
    > > ?
    > > In case of controlling remote access to the firewall I only need
    > > authentication.
    > >

    Scanned for viruses and dangerous content at and is believed to be clean.
    firewall-wizards mailing list

  • Next message: Keith Anderson: "RE: [fw-wiz] PIX DMZ inter-access via outside IP address"