Can PIX 501 be VPN terminator inside another firewall?

Discussion in 'Cisco' started by VMS Guy, Feb 18, 2006.

  1. VMS Guy

    I'm new to the PIX, but I've done some basic modifications to Cisco
    routers in the past, and even taken a router configuration class with
    IOS 11.2. I can see this is enough different that I need help.

    PIX Version 6.3(5)

    I would like to install a PIX 501 behind an existing firewall and have
    it only act as a VPN server.
    The existing firewall has 2 interfaces, one using cable and the other
    DSL. Both internet addresses are static. In case it matters, the
    firewall is a Nexland ISB 800 Pro.
    The LAN is currently 192.168.1.x/24. The firewall is using
    192.168.1.250 as its inside address. I've been told all IP addresses on
    the LAN have been statically assigned and are at .100 and above.
    The idea is to install the 501 purely to act as a VPN server to the
    Cisco VPN Client. (I believe 1 proposed user has 4.6 installed and I
    have 4.8 installed.) All proposed use is via the software client.
    Currently there are only 3 proposed users and 2 of us are only for
    support purposes.
    I would like VPN users to have full access to all systems on the LAN
    once the tunnel is established.

    Is what I propose possible? If so, can I make it work without all the
    LAN IP addresses being changed? Does someone have such a configuration
    I could use as a template?

    Help! This is supposed to be installed on the 24th and I'm afraid I
    won't have this ready.
     
    VMS Guy, Feb 18, 2006
    #1

  2. Merv

    do you have a choice with respect to equipment - ie do you have a Cisco
    router which could be used as a VPN server ?
     
    Merv, Feb 18, 2006
    #2

  3. VMS Guy

    No. I already have a PIX 501 and that's what I need to use, unless it
    just can't be done, and then I'm out the cost of the PIX.
     
    VMS Guy, Feb 18, 2006
    #3
  4. Merv

    Are you expecting the IPsec packets coming from the VPN clients to go
    into and come out of the same PIX interface to the existing LAN that is
    behind the firewall (i.e. a VPN server on-a-stick) ?

    If so, I do not think that is possible with 6.x software. It is
    possible with PIX 7.x software, but for that you need a PIX 515 or above
    (different price range).

    It may be possible on an IOS based router but that would have to be
    researched.
     
    Merv, Feb 18, 2006
    #4
  5. Merv

    Does your firewall support a DMZ port ? Is it in use ?

    Will your firewall support IPSEC pass-thru to the DMZ port?

    If it does, then you may be able to connect one port (outside) of the
    PIX to the DMZ port and the other PIX 501 port (inside) to your
    192.168.1.x LAN.
     
    Merv, Feb 18, 2006
    #5
  6. VMS Guy

    The LAN is a class C, but could it be segmented and part of it used for
    VPN? Does the 501 support that? Could I make the PIX 501 outside
    address something like 192.168.30.30 and make the inside 192.168.1.252/30?
     
    VMS Guy, Feb 18, 2006
    #6
  7. Merv

    AFAIK PIX only accepts classful netmasks, i.e. for 192.168.1.x it wants
    255.255.255.0.
     
    Merv, Feb 18, 2006
    #7
  8. VMS Guy

    Yes, both DMZ and virtual servers are supported by the firewall. I
    don't know if the DMZ is in use, since this firewall is about 50 miles
    away and my contact there is not in today. I assume everything passes
    through with DMZ.
    If it helps, the manual for the firewall is:
    http://www.nexland.ch/downloads/manuals/ProAll_Manual.pdf

    Thanks!
     
    VMS Guy, Feb 18, 2006
    #8
  9. Merv

    I scanned the docs for your firewall, and that DMZ feature is not a
    separate physical port to which an IP address can be assigned. It
    basically exposes an inside host to the outside port.

    Are all of the LAN devices directly connected to the 8-port hub
    contained in the firewall?
     
    Merv, Feb 18, 2006
    #9
  10. VMS Guy

    I would have to say no. It's a small company, but not small enough to
    only have 8 network devices. I suspect 2 to 4 Windows servers, perhaps
    12 to 15 network printers, and around 30 workstations. It's been over
    10 years since I've been out there, but they always had a high
    proportion of printers to users.
     
    VMS Guy, Feb 19, 2006
    #10
  11. Merv

    Probably the only way to deploy the PIX 501 behind the existing
    firewall would be to put in a smaller router in parallel with the PIX
    with them both landing on common segments.
     
    Merv, Feb 19, 2006
    #11
  12. Walter Roberson

    No, that is not correct. The PIX does not even require the
    mask bits to be consecutive.

    The PIX defaults to classful addresses if the mask is not
    specified, even in some circumstances that one would think the
    PIX could easily deduce the proper mask.

    In particular in PIX before PIX 6.3 (I think it was)
    dynamic IPs handed out to the VPN client were assumed to be
    classful, so a new mask option was added to 'ip local pool'
    and corresponding updates were made to the VPN client.
     
    Walter Roberson, Feb 25, 2006
    #12
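    The template asked for in #1, written up as an added example for the
    layout Merv sketches in #5 (PIX outside toward the Nexland, PIX inside
    on the 192.168.1.x LAN) and using the 'ip local pool ... mask' option
    Walter describes in #12. This is not configuration from anyone in the
    thread; it is a PIX 6.3 remote-access VPN config for the Cisco VPN
    Client with the following assumed addressing: the Nexland's LAN side is
    moved to a small transit segment 192.168.30.0/24 (Nexland at
    192.168.30.1), the PIX outside takes 192.168.30.30 (the address VMS Guy
    floated in #6), and the PIX inside takes over the Nexland's old
    192.168.1.250 so every LAN host keeps its address and its default
    gateway unchanged. Because #9 established that the Nexland "DMZ" just
    exposes one inside host, that DMZ host (or virtual-server entries for
    UDP/500 and UDP/4500) must point at 192.168.30.30. The pool subnet
    192.168.100.0/24, the DNS server 192.168.1.100, the group name, the
    user names and all passwords are placeholders.

```text
: PIX 6.3(5) remote-access VPN template (added example; addressing is assumed)
: Lines starting with ':' are PIX comment lines.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
hostname vpnpix

: Outside on the transit segment behind the Nexland; inside on the existing LAN.
: The two interfaces must be different subnets: 6.x cannot send decrypted
: traffic back out the interface it arrived on (the point made in #4).
ip address outside 192.168.30.30 255.255.255.0
ip address inside 192.168.1.250 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.30.1 1

: Client address pool on its own subnet, so no existing LAN address is consumed.
: 'mask' is the option #12 mentions; without it the pool is treated classfully.
ip local pool vpnpool 192.168.100.1-192.168.100.10 mask 255.255.255.0

: LAN <-> pool traffic bypasses NAT; other outbound LAN traffic is PAT'd to the
: outside address and the Nexland NATs it a second time on the way out.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Split tunnel: only 192.168.1.0/24 goes through the tunnel. A full tunnel would
: require the PIX to hairpin client Internet traffic out the outside interface,
: which 6.x does not do, so clients would lose Internet access while connected.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

: Decrypted IPsec traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec

: IKE phase 1. NAT traversal is mandatory because the Nexland NATs the PIX's
: address; after detection the peers move to UDP/4500, which the Nexland must
: forward to 192.168.30.30 along with UDP/500.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Group the Cisco VPN Client (4.6/4.8) connects with; name and secret are placeholders.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.100
vpngroup remoteusers default-domain example.local
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password CHANGE-THIS-GROUP-SECRET

: IPsec phase 2 via a dynamic map, since client source addresses are unknown.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside

: Per-user XAUTH accounts on the PIX itself (three users; no RADIUS needed).
aaa-server LOCAL protocol local
username alice password CHANGE-THIS-USER-PASSWORD
username bob password CHANGE-THIS-USER-PASSWORD
```

    Two checks before the install date: 'show version' must list 3DES as
    enabled, otherwise the 'encryption 3des' and 'esp-3des' lines fail and
    the (free for the 501) 3DES activation key has to be installed first;
    and after a client connects, 'show isakmp sa' and 'show crypto ipsec sa'
    on the PIX should show the peer behind the NAT with UDP/4500
    encapsulation. If phase 1 never completes, 'debug crypto isakmp' while
    the client dials in will show whether UDP/500 is reaching the PIX at
    all, which is the usual symptom of the Nexland DMZ host not being set.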
