
VPN solution required for the following..

  • 23-08-2007 11:44am
    #1
    Registered Users Posts: 358 ✭✭


    Hi folks,

    I need to install a client-to-site VPN solution for a client with several remote workers who will periodically need to synchronise an application on their PC/Laptop with the database on the server. They would need to synchronise regularly throughout the day but the tunnel would not need to be maintained for very long. Just a few minutes at most. There should be no more than 6-8 concurrent tunnels at any point in the day.

    The server is a Windows Server SBS 2003 SP2 and all clients would be running Windows XP/2K. The server's only purpose is to host the database application and it is effectively "stand alone". The server is sitting behind a stable Eircom broadband "business starter" connection (3Mb/384k); the router is a Netopia Cayman 3346.

    All clients would connect through a variety of connections such as DSL, dial up and satellite.

    I was looking at the Netgear Prosafe VPN Firewall range but I have read some terrible reviews of their products. The server is in an isolated remote location, and not accessible during the day so the uptime of the VPN device is vital. Other products I am looking at are the 3Com OfficeConnect VPN Firewall and the Billion BiGuard 10. The budget, as usual, is as low as possible!

    Please, any suggestions? Similar successful deployments?

    Much appreciated..


Comments

  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    Hi Phil,

    I'd recommend a Cisco ASA or second-hand PIX to terminate your DSL line, and install the Cisco VPN client on your users' PCs.

    All the users would need to do is connect the VPN client and SYNC the application.

    Do you use Exchange for your mail server?

    Very easy to set up and very effective. I ran with this design for a while but decided to make my remote users' applications public so they can access everything over the web. No more phone calls :-)


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    If SBS can access internet then you can try Hamachi VPN

    server brings up hamachi at 8am and then runs the command ipconfig /all > hamachi.txt

    ipconfig /all lists a 5.n.n.n ip address once hamachi is up

    run a bat to parse the hamachi.txt file for the 5.n.n.n address and email this to the staff as that days IP, they then run hamachi themselves to connect to it and presto VPN

    server brings down hamachi at night once there is no need for VPN and up again the next day

    if staff member leaves stop emailing them the IP address obviously :D

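The address-extraction step of the scheme above (bring Hamachi up, dump `ipconfig /all` to hamachi.txt, pull out the 5.n.n.n address, mail it to staff) as an added, runnable example. This is editor-written code, not anything posted in the thread. It assumes Python is installed on the SBS box, that Hamachi still hands out addresses from its historical 5.0.0.0/8 range (the prefix is a parameter, since Hamachi later moved to 25.0.0.0/8), and it uses a constructed `ipconfig /all` sample rather than real output. The part the batch-file version tends to get wrong is handled explicitly: if Hamachi is not up, or more than one 5.x address is present, nothing is returned, so the mail with "today's IP" is not sent with a stale or wrong address.

```python
"""Extract the Hamachi adapter address from `ipconfig /all` output.

Added example, not from the thread. Assumes:
  * Hamachi's range is 5.0.0.0/8 (true when the thread was written; it is
    a parameter because the range later changed to 25.0.0.0/8).
  * The text was captured with `ipconfig /all > hamachi.txt` on
    Windows XP / Server 2003, whose adapter lines read "IP Address. . . : x.x.x.x".
"""
import ipaddress
import re
import sys

HAMACHI_NET = ipaddress.ip_network("5.0.0.0/8")   # assumption: Hamachi range of the day

# Matches a dotted quad anywhere on a line; the "IP Address" filter below keeps
# us from picking up subnet masks, gateways or DNS servers by accident.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hamachi_addresses(ipconfig_text, net=HAMACHI_NET):
    """Return every distinct IPv4 address on an "IP Address" line that lies in net."""
    found = []
    for line in ipconfig_text.splitlines():
        if "IP Address" not in line and "IPv4 Address" not in line:
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:          # e.g. "999.1.1.1" from a garbled line
                continue
            if addr in net and addr not in found:
                found.append(addr)
    return found


def todays_address(ipconfig_text, net=HAMACHI_NET):
    """The single Hamachi address as a string, or None.

    None means "do not send the mail": either Hamachi is not up (no match) or
    the output is ambiguous (two or more matches), and staff must not be told
    yesterday's address as if it were today's.
    """
    addrs = hamachi_addresses(ipconfig_text, net)
    return str(addrs[0]) if len(addrs) == 1 else None


# Constructed sample output, in the XP / Server 2003 ipconfig layout.
SAMPLE_UP = """Windows IP Configuration
   Host Name . . . . . . . . . . . . : SBSSERVER

Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Hamachi:
   IP Address. . . . . . . . . . . . : 5.12.34.56
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
"""

# Same machine with the Hamachi adapter down: no 5.x line at all.
SAMPLE_DOWN = """Windows IP Configuration
   Host Name . . . . . . . . . . . . : SBSSERVER

Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""


if __name__ == "__main__":
    # Usage: python hamachi_addr.py hamachi.txt   (exit status 1 => do not mail)
    path = sys.argv[1] if len(sys.argv) > 1 else "hamachi.txt"
    with open(path, encoding="utf-8", errors="replace") as fh:
        addr = todays_address(fh.read())
    if addr is None:
        sys.exit(1)
    print(addr)
```

The exit status is the hook for the rest of the batch job: only mail staff when the script prints an address. Note also that the address is not what grants access; membership of the Hamachi network is, so when a staff member leaves, removing them from the network matters more than stopping the mail.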

  • Registered Users Posts: 358 ✭✭Philbert


    Hi Joe,

    Exchange is installed on this machine but is not used. The server is literally only used to host the database.

    Yes, I had considered the Cisco PIX as I have used it on another site but I thought it was too pricey. Looking at second-hand options, what would you think of this? Is it correct that the 501 will only allow 2 concurrent connections?


  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    I have a decommissioned PIX 501 in the office, I'll do a few tests on it today, If it has the necessary software I'll sell it to you (Cheaper than ebay)

    Is the database hosted on MS SQL / MYSQL / POSTGRESQL ?


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    The PIX is good albeit constrained on a DSL line. It's really designed for a leased line as it normally has a public IP on its outside interface; with DSL it will have a private one.

    Make sure it's running PIX OS 7 or above and that you use Cisco client version 4.5 or so, which is rock solid. OS 7 has the ASDM Java-based management interface, which is excellent.


    (edit) If the PIX can handle PPPoE then it's feasible to put the DSL router in bridging mode and assign the public IP to the PIX that way.


  • Registered Users Posts: 358 ✭✭Philbert


    Thanks Joe, I am very interested.

    The database will be FirebirdSQL. The actual synchronisation will be managed by a component of the CRM software. As I said, it would need to support at most 5 or 6 concurrent connections and there would be at most 12 unique remote workers connecting during the day.

    Sponge Bob, I appreciate your comments. Hamachi looks interesting and I already use LogMeIn, but if I can get a PIX up and running I would be very happy.


  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    OK, I have it running now. I can only upgrade the IOS to 6.3(4); it's currently on 6.3(1). I don't have the 7+ IOS.

    If you’re comfortable using the CLI to configure then it’s not a problem.

    Let me know and I'll get it setup.


  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    Scrap that found 7.0(2) will install now...


  • Registered Users Posts: 358 ✭✭Philbert


    Thanks Joe. Standing by..


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Not sure if a 501 has enough memory to run OS 7 and the separate ASDM install.

    If it does install OS 7 then it will support PPPoE on the outside interface.

    If it does ASDM too it's a doddle to set up a VPN using the VPN wizard in the ASDM, otherwise you need to create one on the command line.

    Finally, create a split tunnel on the PIX, otherwise the remote user 'loses' their home network while the VPN is up (it appears again when they drop).


  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    Very tight on space, 8 MB. Looks like 7.x isn't supported on the PIX 501. OK, so I have a Cisco PIX 501 6.3(1).


  • Registered Users Posts: 354 ✭✭AndrewMc


    Philbert wrote:
    The budget, as usual, is as low as possible!

    Please, any suggestions? Similar successful deployments?

    As low a budget as possible? Try OpenVPN (free): http://www.openvpn.net/

    Several users here, Linux server and a mix of Linux and Windows clients. It appears to work with a Windows server, too (but haven't used it that way myself).


  • Registered Users Posts: 358 ✭✭Philbert


    joePC wrote:
    Very tight on space, 8 MB. Looks like 7.x isn't supported on the PIX 501. OK, so I have a Cisco PIX 501 6.3(1).

    Joe, is there a web interface for 6.3? Because I have to say I wouldn't be too confident working with the CLI. Is there much to it?

    Also, can you tell me why in any literature I have read on the PIX 501 (and it's not much :o ) it says it only supports a maximum of 2 interfaces? Is this referring to the number of concurrent VPN connections or something else?

    Thanks.


  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    It means there are only two configurable interfaces, e.g. WAN ports. From memory it can handle well over 50 connections; anyway, it's running with an unlimited license. 6.3 doesn't have the ASDM GUI, so it's all command line. For what you want to do it sounds like a very straightforward config.

    Here is how you would configure the PIX for the VPN client.


  • Registered Users Posts: 358 ✭✭Philbert


    Thanks Joe. Will PM.


  • Closed Accounts Posts: 1,637 ✭✭✭joePC




  • Closed Accounts Posts: 164 ✭✭ob


    Why don't you just use Routing and Remote Access on the Windows server? Set it up to allow incoming VPN connections. You can forward all VPN traffic from the Netopia router to the Windows server. And being SBS, there'll be a nice handy wizard for it.

    Very little configuration, and no cost.


  • Registered Users Posts: 30 murf


    AndrewMc wrote:
    As low a budget as possible? Try OpenVPN (free): http://www.openvpn.net/

    Several users here, Linux server and a mix of Linux and Windows clients. It appears to work with a Windows server, too (but haven't used it that way myself).

    Indeed. Haven't installed the server bit on Windows, but it runs real well on a linux box. 12-20 concurrent connections, some of them stay on 24/7.

    Mix of Windows and Linux clients connecting in from around the world.


  • Registered Users Posts: 4,148 ✭✭✭_CreeD_


    You can load the ASDM predecessor, the PDM, onto a 501 running 6.x as your GUI - works great. The lowest 7.x supported PIX is the 515, though you can force it onto a 506 with no GUI. The VPN connection count is limited by your license and ultimately the resources free on the 501. You may want to consider an ASA 5505 instead as it is more powerful, supports WebVPN etc. and brand new is priced competitively with the 501. Plus it has the advantage of being able to act as a central hub between multiple remote sites/clients (pre-7.x PIX firewall VPNs could not let one remote client/site communicate with another; they could only talk to devices/services at the central site).
    I would not enable split tunneling as it's a major security risk. Any would-be attacker can use a compromised remote client to bunnyhop into your network this way (i.e. the client connects, the attacker accesses that PC over the net and then uses it to bounce through your firewall and into the live network). If the client is compromised but split tunneling is not enabled you at least mitigate live tampering; any damage would have to come from an automated system installed on that client.
    DSL isn't an issue either. Put the modem/router into bridged mode and tell your PIX/ASA to autoconfigure on the outside interface (also use the setroute command to allow it to take its default gateway from the DSL unit/ISP); it will take the DSL's assigned public IP as its own. If you have an existing DHCP server, set the PIX internal interface IP as the client default gateway, or use the DHCP server service on the PIX itself.

    In essence, a 5505 with the Cisco VPN client is relatively easy to manage through the GUI, can interact with your Domain login accounts for authentication, is very stable/mature and full featured.


  • Registered Users Posts: 2,589 ✭✭✭wandererz


    philbert,

    I don't understand why people recommend Cisco PIXs & Hamachi & all that nonsense to someone who isn't familiar with VPNs or Cisco configs.

    What you want is something simple to setup & easy to manage.
    Take a look at this http://www.checkpoint.com/products/vpn-1_edge/index.html

    Web interface can be found here:
    http://www.sofaware.com/upload/Demo/Edge/index.html

    I've got about 60 odd sites setup with these.


  • Registered Users Posts: 4,148 ✭✭✭_CreeD_


    Perhaps because they work well, are extensively documented, mature and extremely secure solutions. There's a simple wizard for VPN setup within the PDM. It's kind of funny that after your initial point you send him to Checkpoint, another corporate firewall/VPN vendor... It all comes down to how much work you want to do up front vs. management later.


  • Registered Users Posts: 2,589 ✭✭✭wandererz


    Reason is that for people who aren't familiar & don't have the time to learn this stuff sometimes what's needed is something dead simple.

    I came across a site last week where they made a complete hash of a simple PIX 501 setup. Ended up with 205 viruses/trojans etc. on their SBS server and 42 open ports on the firewall.

    So called IT admin (outsourced) should be shot or at the very least taken to court.


  • Registered Users Posts: 16,288 ✭✭✭✭ntlbell


    wandererz wrote:
    Reason is that for people who aren't familiar & don't have the time to learn this stuff sometimes what's needed is something dead simple.

    I came across a site last week where they made a complete hash of a simple PIX 501 setup. Ended up with 205 viruses/trojans etc. on their SBS server and 42 open ports on the firewall.

    So called IT admin (outsourced) should be shot or at the very least taken to court.

    some idiot makes a baws of a pix config so this guy should get a checkpoint?

    I have to say your reasoning seems slightly off.


  • Closed Accounts Posts: 1,467 ✭✭✭bushy...


    wandererz wrote:
    Reason is that for people who aren't familiar & don't have the time to learn this stuff sometimes what's needed is something dead simple.

    I came across a site last week where they made a complete hash of a simple PIX 501 setup. Ended up with 205 viruses/trojans etc. on their SBS server and 42 open ports on the firewall.

    So called IT admin (outsourced) should be shot or at the very least taken to court.

    So did you fix the PIX 501 or change it?


  • Registered Users Posts: 2,839 ✭✭✭tech


    Windows RRAS or a SonicWall TZ 180?


  • Closed Accounts Posts: 346 ✭✭coolio_64


    If a PC uses a router, let's say a DrayTek broadband router, and the machine is a 98 machine,
    and the clients log in remotely using the client that comes with XP,

    would you call the 98 machine the server?
    All that is configured on the 98 machine is the router to accept connections.

    P.S. Just new to VPN connections.

