Can PIX 501 be VPN terminator inside another firewall?

I'm new to the PIX, but I've done some basic modifications to Cisco
routers in the past, and even taken a router configuration class with
IOS 11.2. I can see this is enough different that I need help.

PIX Version 6.3(5)

I would like to install a PIX 501 behind an existing firewall and have
it only act as a VPN server.
The existing firewall has 2 interfaces, one using cable and the other
DSL. Both internet addresses are static. In case it matters, the
firewall is a Nexland ISB 800 Pro.
The LAN is currently 192.168.1.x/24. The firewall is using
192.168.1.250 as its inside address. I've been told all IP addresses on
the LAN have been statically assigned and are at .100 and above.
The idea is to install the 501 purely to act as a VPN server to the
Cisco VPN Client. (I believe 1 proposed user has 4.6 installed and I
have 4.8 installed.) All proposed use is via the software client.
Currently there are only 3 proposed users and 2 of us are only for
support purposes.
I would like VPN users to have full access to all systems on the LAN
once the tunnel is established.

Is what I propose possible? If so, can I make it work without all the
LAN IP addresses being changed? Does someone have such a configuration
I could use as a template?

Help! This is supposed to be installed on the 24th and I'm afraid I
won't have this ready.

 

do you have a choice with respect to equipment - ie do you have a Cisco
router which could be used as a VPN server ?

 

No. I already have a PIX 501 and that's what I need to use, unless it
just can't be done, and then I'm out the cost of the PIX.

 

Are you expecting the IPsec packets coming from the VPN clients to go
into and come out of the same PIX interface to the existing LAN that is
behind the firewall (i.e. a VPN server on-a-stick) ?

If so I do not think that is possible with 6.x software. It is
possible with PIX 7.x software but for that you need a PIX 515 or above
(different price range.

It may be possible on an IOS based router but that would have to be
researched.

 

Does your firewall support a DMZ port ? Is it in use ?

Will your firewall suppport IPSEC pass thru to the DMZ port?

If it does then you may be able to connect one port (outside) of the
PIX to the DMZ port and the other PIX 501 port (insice) to yoru
192.168.1.x LAN

 

The LAN is a class C, but could it be segmented and part of it used for
VPN? Does the 501 support that? Could I make the PIX 501 outside
address something like 192.168.30.30 and make the inside 192.168.1.252/30?

 

AFAIK PIX only accepts classful netmasks i.e for 192.168.1.x it wants
255.255.255.0

 

Yes, both DMZ and virtual servers are supported by the firewall. I
don't know if the DMZ is in use, since this firewall is about 50 miles
away and my contact there is not in today. I assume everything passes
through with DMZ.
If it helps, the manual for the firewall is:
http://www.nexland.ch/downloads/manuals/ProAll_Manual.pdf

Thanks!

 

I scan the docs for your firewall and that DMZ feature is not a
separate physicall port to which an IP address can be assigned. It
basically expose an inside host to the outside port.

Are all of the LAN device directly connected to the 8 port hub
contained in firewall ?

 

I would have to say no. It's a small company, but not small enough to
only have 8 network devices. I suspect 2 to 4 Windows servers, perhaps
12 to 15 network printers, and around 30 workstations. It's been over
10 years since I've been out there, but they always had a high
proportions of printers to users.

 

Probably the only way to deploy the PIX 501 behind the existing
firewall would be to put in a smaller router in parallel with the PIX
with them both landing on common segments.

 

No, that is not correct. The PIX does not even require the
mask bits to be consequative.

The PIX defaults to classful addresses if the mask is not
specified, even in some circumstances that one would think the
PIX could easily deduce the proper mask.

In particular in PIX before PIX 6.3 (I think it was)
dynamic IPs handed out to the VPN client were assumed to be
classful, so a new mask option was added to 'ip local pool'
and corresponding updates were made to the VPN client.