
Thread: VPN concentrator and open ports

  1. #1 Senior Member (joined Dec 2004, 140 posts)

    VPN concentrator and reserve ip address based on MAC address

    I have not configured a VPN before. We have a Cisco VPN 3000 concentrator at work, and it is working fine.

    I have a mobile PC (with the Cisco VPN client) that needs to access its corresponding server in the DMZ area (192.168.101.204) on the work network, through the VPN concentrator.

    How can I reserve an internal IP for that mobile PC based on its MAC address? The reason I am doing this is to reserve a specific private IP address for that mobile PC.

    We use SafeWord tokens for authentication.

    How can I configure that on the VPN?

    On the PIX, I have no problem configuring the ACL from inside to the DMZ.
    Last edited by zillah; January 11th, 2007 at 08:58 AM.

  2. #2 thehorse13 (Master-Jedi-Pimps0r & Moderator; joined Dec 2002, Washington D.C. area, 2,885 posts)
    If you're using IPSec with the Cisco client, you need to assign a pool of addresses to dole out to your remote clients. You don't do this based on MAC address. The VPN concentrator will hand out IPs from the available pool that you configure for use with IPSec clients. That said, select a range of IPs that:

    a) Are not in use within your organization (i.e., don't assign IPSec NAT pools from an active DHCP range)
    b) Are RFC 1918 compliant
    c) Will be able to route within your network.

    Reading the admin deployment guide may also be something you may want to do as well. Hint, hint.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3 zencoder (AO Senior Cow-beller, Moderator; joined Dec 2004, Mountain standard tribe, 1,177 posts)
    th13, get back to work deploying that shiny new authentication solution.

    There are some devices and products you can purchase COTS that will let you assign a "static DHCP IP address" (i.e., certain IPs from the 'pool' are reserved for specific MACs). Whether your concentrator supports this, I do not know. Sounds like a question for the VPN Administrator to answer for you.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4 thehorse13 (Master-Jedi-Pimps0r & Moderator)
    The older Cisco VPNs I've worked with simply allowed you to define an IPSec NAT pool. There was no support for such goodness as MAC mapping to endpoints. Newer high end concentrators do this. Given that there are 6 models in the 3000 series, only the poster can tell us which model he has and if it supports this feature set. Again, that admin guide is pretty handy for questions like this.

    http://www.cisco.com/en/US/products/...ries_home.html

    --TH13
    Last edited by thehorse13; January 10th, 2007 at 10:20 PM.

  5. #5 Senior Member
    > Given that there are 6 models in the 3000 series, only the poster can tell us which model he has
    3030

    > Again, that admin guide is pretty handy for questions like this.
    I will go through it

  6. #6 Senior Member
    > Again, that admin guide is pretty handy for questions like this.
    I found this:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml

    under the heading below:
    Assign a Specific IP Address to a User
    ----------------------------------------
    In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
    My question: I am using a production box (I want to avoid screwing up the whole system). Does it affect anything if I want to create a specific group and assign a specific IP address to a user?

    On my PIX (the VPN runs in parallel to the PIX, i.e. it is neither behind nor in front of the PIX), I have these lines of configuration which are related to the VPN concentrator:

    nat (inside) 1 10.2.2.0 255.255.255.0 0 0        (IP range for the VPN pool, as seen in the figure)
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0     (not related to VPN)
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0       (not related to VPN)

    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156

    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1     (192.168.55.254 is the VPN Ethernet 1 IP address)

    http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg

    What I am thinking of doing is below (please comment):

    1- I want to modify the current group (see my VPN figure) to use the range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    2- Create another group called "mobile_users"
    3- Create a user called "commuter"
    4- Assign the user "commuter" to the group "mobile_user"
    5- Assign IP address 10.2.2.2 to the user "commuter"

    6- On the Cisco page that I posted, it says to tick the option "User address from Authentication Server". I do not think this applies to me?

    Again, since I am using a production box, I have to make sure that the modifications above do not screw up the whole system.
    Last edited by zillah; January 12th, 2007 at 08:24 PM.
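    A pre-change check, added here as an example (not part of the thread and not Cisco's own tooling), that tests a proposed per-user static address against the criteria from post #2 (RFC 1918, not inside an active DHCP range, routable) and the plan in this post (dynamic pool shrunk to 10.2.2.1-10.2.2.9, PIX routing 10.2.2.0/24 to the concentrator). The DHCP scope is an assumed placeholder value.

```python
import ipaddress

# Values taken from the thread: the PIX "route inside" line and the proposed
# shrunken group pool. The DHCP scope is constructed as a stand-in for the
# "active DHCP range" that post #2 says IPSec addresses must not overlap.
ROUTE_TO_VPN = ipaddress.ip_network("10.2.2.0/24")      # route inside 10.2.2.0 255.255.255.0 192.168.55.254
GENERAL_POOL = (ipaddress.ip_address("10.2.2.1"),
                ipaddress.ip_address("10.2.2.9"))        # dynamic pool after the proposed change
DHCP_SCOPE = ipaddress.ip_network("192.168.55.0/24")    # constructed: internal DHCP range to stay out of


def overlaps_pool(addr, pool):
    """True if addr falls inside an inclusive (first, last) pool range."""
    first, last = pool
    return first <= addr <= last


def check_static_assignment(addr_str, pools=(GENERAL_POOL,), vpn_net=ROUTE_TO_VPN,
                            dhcp_scope=DHCP_SCOPE):
    """Return the problems with giving a VPN user addr_str as a fixed address.

    An empty list means the address meets the thread's criteria: RFC 1918,
    not in an active DHCP scope, not inside a dynamic pool, and inside the
    network the PIX routes back to the concentrator.
    """
    addr = ipaddress.ip_address(addr_str)
    problems = []
    if not addr.is_private:
        problems.append("not an RFC 1918 address")
    if addr in dhcp_scope:
        problems.append(f"inside active DHCP scope {dhcp_scope}")
    for pool in pools:
        if overlaps_pool(addr, pool):
            problems.append(f"collides with dynamic pool {pool[0]}-{pool[1]}")
    if addr not in vpn_net:
        problems.append(f"outside {vpn_net}, PIX has no route back to the concentrator")
    return problems


if __name__ == "__main__":
    # 10.2.2.2 sits inside the 10.2.2.1-10.2.2.9 pool; 10.2.2.10 does not.
    for candidate in ("10.2.2.10", "10.2.2.2", "192.168.55.20", "10.9.9.9"):
        print(candidate, check_static_assignment(candidate) or "ok")
```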

  7. #7 thehorse13 (Master-Jedi-Pimps0r & Moderator)
    1) *NEVER* test configurations on a production box, especially during working hours.
    2) *NEVER* test configurations on a production box, especially during working hours.

    That said, get a test box or if you absolutely can't, back up all your configs and then come into work at 6am on a Sunday and do your testing.

    > 1- I want to modify the current group (see my VPN figure) to use the range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    You want to decrease your range by one address?

    > On the Cisco page that I posted, it says to tick the option "User address from Authentication Server". I do not think this applies to me?
    I don't know and neither will anyone else here. Are you using an auth server?

    > 2- Create another group called "mobile_users"
    > 3- Create a user called "commuter"
    > 4- Assign the user "commuter" to the group "mobile_user"
    > 5- Assign IP address 10.2.2.2 to the user "commuter"
    You can do this but remember that administrative overhead will eventually catch up with you as you add more users.

    --TH13

  8. #8 Senior Member
    > 1) *NEVER* test configurations on a production box, especially during working hours.
    > 2) *NEVER* test configurations on a production box, especially during working hours.
    Yes, of course I am not going to do that during working hours.
    > You want to decrease your range by one address?
    Yes
    Last edited by zillah; January 12th, 2007 at 05:49 AM.

  9. #9 thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Then make the change, save config, done.

  10. #10 Senior Member
    > I have a mobile PC (with the Cisco VPN client) that needs to access its corresponding server in the DMZ area (192.168.101.204) on the work network, through the VPN concentrator.
    My initial plan was to allow the mobile PC (which can be used by many users, not only one); therefore I was looking to assign a specific IP address to that mobile PC. But since there is no such option on the VPN concentrator to authenticate by MAC address, we could not use that plan.
    Now, if I have 4 users (commuter, pfan, jsmith, amike) within the group "mobile_users", and user "commuter" accesses the mobile PC, he will get the specific IP address (10.2.2.10) that we dedicated for his group. That is fine.

    But if another user (pfan, jsmith, amike) at the same time (while user "commuter" is accessing the mobile PC) wants to access the VPN from his laptop (not the mobile PC), what IP will he get?

    Is it from the general pool (10.2.2.1-10.2.2.9), because 10.2.2.10 is used by user "commuter"?
