Providing VPN access to police department and to vendors with PIX and ISA 2000

Discussion in 'Cisco' started by Ned, Aug 18, 2006.

  1. Ned

    Ned Guest

    Hello

    I have a PIX 515UR with the inside interface connected to an ISA
    firewall that connects to my LAN. It works great for me because I use
    PPTP passthru, but I need to give police and vendors VPN access and I
    want to use the Cisco VPN client so I can ensure the remote client has
    the latest virus signatures, etc. Also, my network will be audited by
    a third party next year so I want the best possible solution. The
    problem is that I cannot currently use the PIX for VPN because users
    would have to VPN twice, once for the PIX and again to get through ISA. I
    was thinking of using one of the free DMZ ports on the PIX and
    connecting that to a port on the Catalyst 4507 which already has about
    15 VLANs. By connecting the PIX DMZ directly to our network I would
    bypass ISA 2000 for VPN users but still have the protection of the PIX
    firewall. The default gateway on our 4507 points to the ISA server, so
    I'm not sure if this will cause a problem for return traffic. We do
    have money for a dedicated VPN device which I could install parallel to
    the PIX, but it would have to also provide firewall protection. Would
    the DMZ idea work? I know it would mean that both the inside interface
    and the DMZ would be connected to our LAN; I'm just not sure if
    that's a good or bad thing.

    Thanks
    Ned Hart
    Ned, Aug 18, 2006
    #1

  2. AM

    AM Guest

    Re: Providing VPN access to police department and to vendors with PIX and ISA 2000

    Ned wrote:

    > Hello
    >
    > I have a PIX 515UR with the inside interface connected to an ISA firewall that connects to my LAN. It works great for me because I use PPTP passthru, but I need to give police and vendors VPN access and I want to use the Cisco VPN client so I can ensure the remote client has the latest virus signatures, etc. Also, my network will be audited by a third party next year so I want the best possible solution. The problem is that I cannot currently use the PIX for VPN because users would have to VPN twice, once for the PIX and again to get through ISA. I was thinking of using one of the free DMZ ports on the PIX and connecting that to a port on the Catalyst 4507 which already has about 15 VLANs. By connecting the PIX DMZ directly to our network I would bypass ISA 2000 for VPN users but still have the protection of the PIX firewall. The default gateway on our 4507 points to the ISA server, so I'm not sure if this will cause a problem for return traffic. We do have money for a dedicated VPN device which I could install parallel to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would be connected to our LAN; I'm just not sure if that's a good or bad thing.
    > Thanks
    > Ned Hart



    A) PIX doesn't allow 2 addresses belonging to the same range on 2 different interfaces, so you cannot do that
    unless the "outside" interface of the ISA and the inside of the PIX use a "ghost" or "for connection" network. In that
    case the PIX would see 2 different nets on inside and DMZ.

    My solutions are

    1) Move from ISA to PIX for both PPTP clients (PIX can act as PPTP server AFAIK) and VPN ones;
    2) Terminate the VPN client on the PIX and "trust" the network assigned to the VPN client on the ISA; I see that solution if you
    have the "ghost" net I spoke of above.

    HTH

    Alex.

    P.S.
    Maybe a diagram with the topology can help.
    I'm not an expert on ISA.
    AM, Aug 18, 2006
    #2
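    The two design points raised so far (Ned's worry about return traffic when the 4507's default gateway points at the ISA server, and Alex's point A that the PIX will not accept two interfaces whose subnets overlap) can both be checked mechanically before touching hardware. The script below is an added example written for this page, not code from either poster. Every address in it is constructed for illustration: the thread gives no real addressing, so the LAN subnet, the ISA inside address, the hypothetical PIX DMZ-on-LAN address, the /30 "ghost" transit net and the Cisco VPN client pool are all assumptions.

```python
"""Design checks for the PIX / ISA / Catalyst 4507 layout discussed in the thread.

All addresses below are constructed for illustration; none come from the thread.
"""
import ipaddress
from itertools import combinations

IPInterface = ipaddress.IPv4Interface
IPNetwork = ipaddress.IPv4Network


def overlapping_interfaces(ifaces):
    """Return (name_a, name_b) pairs whose connected subnets overlap.

    A PIX refuses a second interface whose subnet overlaps an existing one
    (Alex's point A), so a non-empty result means the plan will not load.
    """
    found = []
    for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2):
        if ia.network.overlaps(ib.network):
            found.append((a, b))
    return found


def next_hop(routes, dst):
    """Longest-prefix-match lookup over a list of (prefix, next_hop) strings."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = IPNetwork(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def return_path_symmetric(routes, client_ip, vpn_gateway_hop):
    """True when the LAN sends replies for a VPN client back through the device
    that terminated the tunnel. A stateful firewall that never saw the request
    will drop replies arriving on a different path, which is Ned's return-traffic
    concern."""
    return next_hop(routes, client_ip) == vpn_gateway_hop


# --- constructed topology ---------------------------------------------------
ISA_INSIDE = "192.168.0.1"       # assumed 4507 default gateway (ISA inside)
PIX_DMZ_ON_LAN = "192.168.0.3"   # hypothetical PIX DMZ port plugged into the 4507
VPN_POOL = "10.10.10.0/24"       # hypothetical Cisco VPN client address pool

# Plan 1: PIX inside and DMZ both land on the LAN subnet (Ned's question).
flat_plan = {
    "outside": IPInterface("203.0.113.2/29"),
    "inside": IPInterface("192.168.0.2/24"),
    "dmz": IPInterface("192.168.0.3/24"),
}

# Plan 2: PIX inside sits on a /30 "ghost" transit net facing the ISA external
# interface, so inside and DMZ are distinct subnets (Alex's condition).
ghost_plan = {
    "outside": IPInterface("203.0.113.2/29"),
    "inside": IPInterface("10.255.255.1/30"),
    "dmz": IPInterface("192.168.0.3/24"),
}

# 4507 routing tables: default-only as Ned describes, and with a static route
# sending the VPN pool back to the PIX DMZ address.
LAN_ROUTES_DEFAULT_ONLY = [("0.0.0.0/0", ISA_INSIDE)]
LAN_ROUTES_WITH_POOL = [("0.0.0.0/0", ISA_INSIDE), (VPN_POOL, PIX_DMZ_ON_LAN)]


if __name__ == "__main__":
    client = "10.10.10.7"  # constructed VPN client address from the pool
    print("flat plan overlaps:", overlapping_interfaces(flat_plan))
    print("ghost plan overlaps:", overlapping_interfaces(ghost_plan))
    for name, table in (("default only", LAN_ROUTES_DEFAULT_ONLY),
                        ("with pool route", LAN_ROUTES_WITH_POOL)):
        print(f"{name}: replies to {client} go to {next_hop(table, client)}; "
              f"symmetric={return_path_symmetric(table, client, PIX_DMZ_ON_LAN)}")
```

    The overlap check reproduces the configuration error Alex describes: the flat plan fails on the inside/DMZ pair, while the ghost-net plan passes. The route lookup shows the second half of the problem: with only a default route the 4507 hands VPN replies to the ISA server, which never saw the request, so the tunnel would carry traffic one way only until a more specific route for the client pool points back at the PIX.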

  3. Walter Roberson

    Re: Providing VPN access to police department and to vendors with PIX and ISA 2000

    In article <3MlFg.74589$>, AM <> wrote:

    >1) Move from ISA to PIX for both PPTP clients (PIX can act as PPTP
    >server AFAIK) and VPN ones;


    Not in PIX 7.0, PIX 7.1, or PIX 7.2, at least not yet.
    Walter Roberson, Aug 18, 2006
    #3
  4. Ned

    Ned Guest

    Hi Alex

    Thanks for the response. I'm considering purchasing a second
    vpn/firewall and connecting it directly to my lan. Do you see any
    problems with this?

    Thanks


    AM wrote:
    > Ned wrote:
    >
    > > Hello
    > >
    > > I have a PIX 515UR with the inside interface connected to an ISA firewall that connects to my LAN. It works great for me because I use PPTP passthru, but I need to give police and vendors VPN access and I want to use the Cisco VPN client so I can ensure the remote client has the latest virus signatures, etc. Also, my network will be audited by a third party next year so I want the best possible solution. The problem is that I cannot currently use the PIX for VPN because users would have to VPN twice, once for the PIX and again to get through ISA. I was thinking of using one of the free DMZ ports on the PIX and connecting that to a port on the Catalyst 4507 which already has about 15 VLANs. By connecting the PIX DMZ directly to our network I would bypass ISA 2000 for VPN users but still have the protection of the PIX firewall. The default gateway on our 4507 points to the ISA server, so I'm not sure if this will cause a problem for return traffic. We do have money for a dedicated VPN device which I could install parallel to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would be connected to our LAN; I'm just not sure if that's a good or bad thing.
    > > Thanks
    > > Ned Hart

    >
    >
    > A) PIX doesn't allow 2 addresses belonging to the same range on 2 different interfaces, so you cannot do that
    > unless the "outside" interface of the ISA and the inside of the PIX use a "ghost" or "for connection" network. In that
    > case the PIX would see 2 different nets on inside and DMZ.
    >
    > My solutions are
    >
    > 1) Move from ISA to PIX for both PPTP clients (PIX can act as PPTP server AFAIK) and VPN ones;
    > 2) Terminate the VPN client on the PIX and "trust" the network assigned to the VPN client on the ISA; I see that solution if you
    > have the "ghost" net I spoke of above.
    >
    > HTH
    >
    > Alex.
    >
    > P.S.
    > Maybe a diagram with the topology can help.
    > I'm not an expert on ISA.
    Ned, Aug 19, 2006
    #4
  5. Ned

    Ned Guest

    Hello

    I created a diagram and posted it on a friend's website. It shows the
    current configuration.
    I'm hoping the diagram might help with suggestions. I do have a spare
    PIX 501 and I was thinking of purchasing a VPN concentrator and using
    this in parallel with the existing config.
    http://www.citytechnical.com/Fg42_1.gif

    Thanks


    AM wrote:
    > Ned wrote:
    >
    > > Hello
    > >
    > > I have a PIX 515UR with the inside interface connected to an ISA firewall that connects to my LAN. It works great for me because I use PPTP passthru, but I need to give police and vendors VPN access and I want to use the Cisco VPN client so I can ensure the remote client has the latest virus signatures, etc. Also, my network will be audited by a third party next year so I want the best possible solution. The problem is that I cannot currently use the PIX for VPN because users would have to VPN twice, once for the PIX and again to get through ISA. I was thinking of using one of the free DMZ ports on the PIX and connecting that to a port on the Catalyst 4507 which already has about 15 VLANs. By connecting the PIX DMZ directly to our network I would bypass ISA 2000 for VPN users but still have the protection of the PIX firewall. The default gateway on our 4507 points to the ISA server, so I'm not sure if this will cause a problem for return traffic. We do have money for a dedicated VPN device which I could install parallel to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would be connected to our LAN; I'm just not sure if that's a good or bad thing.
    > > Thanks
    > > Ned Hart

    >
    >
    > A) PIX doesn't allow 2 addresses belonging to the same range on 2 different interfaces, so you cannot do that
    > unless the "outside" interface of the ISA and the inside of the PIX use a "ghost" or "for connection" network. In that
    > case the PIX would see 2 different nets on inside and DMZ.
    >
    > My solutions are
    >
    > 1) Move from ISA to PIX for both PPTP clients (PIX can act as PPTP server AFAIK) and VPN ones;
    > 2) Terminate the VPN client on the PIX and "trust" the network assigned to the VPN client on the ISA; I see that solution if you
    > have the "ghost" net I spoke of above.
    >
    > HTH
    >
    > Alex.
    >
    > P.S.
    > Maybe a diagram with the topology can help.
    > I'm not an expert on ISA.
    Ned, Aug 21, 2006
    #5