RE: [fw-wiz] How AAA in PIX Firewall ?

From: Ray Burkholder
Date: 12/07/03

    Date: Sun, 7 Dec 2003 00:25:30 -0500

    1) Cisco has a VPN client pack with 100 clients for a few hundred dollars.
    PIX 501s should run you in the $500 to $700 range each in quantity. I'd
    recommend them if you have small offices to handle, otherwise use the VPN
    client pack. Be sure your central site has a VPN hardware accelerator for
    handling multiple units. A PIX 515 with the accelerator or a 3600 series
    router with an accelerator should suffice.

    2) Windows 2000 server has a Radius server built in which will authenticate
    against Active Directory. Alternatively, you can use a Linux box running
    FreeRadius, which will authenticate with Active Directory in LDAP mode. I'm not
    sure exactly what type of URL filtering you wish to do, so these may not
    work quite right for you. Authentication and logging work well in either

    Ray Burkholder
    704 576 5101

    > > 1) The problem with using site-to-site VPN is that I need to buy 1 PIX
    > > Firewall per remote office (a total of 15 PIX 501), and this is more
    > > expensive than individual VPN, or not?
    > >
    > > 2) I need AAA for controlling users' access to the Internet. My network
    > > is a Microsoft Windows network with 2 Domain Controllers, and I need to
    > > authenticate, filter URLs and log the activity of the users that will use
    > > NAT through the PIX. How can I do that? I know that RADIUS server
    > > software exists, but the problem is whether they do that, and which of
    > > these servers does it?
    > > In the case of controlling remote access to the firewall I only need
    > > authentication.

    firewall-wizards mailing list
