Providing VPN access to police department and to vendors with PIX and ISA 2000

Discussion in 'Cisco' started by Ned, Aug 18, 2006.

  1. Ned

    Ned Guest

    Hello

    I have a PIX 515UR with the inside interface connected to an ISA
    firewall that connects to my LAN. It works great for me because I use
    PPTP passthru, but I need to give police and vendors VPN access and I
    want to use the Cisco VPN client so I can ensure the remote client has
    the latest virus signatures, etc. Also, my network will be audited by
    a third party next year so I want the best possible solution. The
    problem is that I cannot currently use the PIX for VPN because users
    would have to VPN twice, once for the PIX and again to get through ISA. I
    was thinking of using one of the free DMZ ports on the PIX and
    connecting that to a port on the Catalyst 4507 which already has about
    15 VLANs. By connecting the PIX DMZ directly to our network I would
    bypass ISA 2000 for VPN users but still have the protection of the PIX
    firewall. The default gateway on our 4507 points to the ISA server, so
    I'm not sure if this will cause a problem for return traffic. We do
    have money for a dedicated VPN device which I could install parallel to
    the PIX, but it would have to also provide firewall protection. Would
    the DMZ idea work? I know it would mean that both the inside interface
    and the DMZ would be connected to our LAN, I'm just not sure if
    that's a good or bad thing.

    Thanks
    Ned Hart
     
    Ned, Aug 18, 2006
    #1

  2. AM

    AM Guest

    cated VPN device which I could install parallel to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would be connected to our LAN, I'm just not sure if that's a good or bad thing.

    A) PIX doesn't allow having 2 addresses belonging to the same range on 2 different interfaces, so you cannot do that
    unless the "outside" interface of the ISA and the inside of the PIX use a "ghost" or "for connection" network. In that
    case the PIX would see 2 different nets on inside and DMZ.

    My solutions are

    1) Move from ISA to PIX for both PPTP clients (PIX can act as PPTP server AFAIK) and VPN ones;
    2) Terminate VPN client on the PIX and "trust" the network assigned to VPN client on the ISA; I see that solution if you
    have the "ghost" net I spoke of above.

    HTH

    Alex.

    P.S.
    Maybe a diagram with the topology can help.
    I'm not an expert on ISA.
     
    AM, Aug 18, 2006
    #2
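Two of the points raised in this thread can be checked on paper before anything is cabled: Alex's note that the PIX refuses two interfaces in the same address range (which is exactly what patching a DMZ port into the same LAN as the inside interface would produce), and Ned's concern that the 4507's default gateway pointing at the ISA server would carry VPN return traffic the wrong way. The script below is an added example, not Cisco code and not Ned's or Alex's configuration; all addresses in it are constructed, since the thread gives none. It models both checks and shows the "ghost" transit network from Alex's answer passing where the original proposal fails.

```python
"""Address-plan sanity checks for a multi-interface firewall (added example).

Constructed for this thread; not PIX code and not the poster's config.
Check 1: no two firewall interfaces may sit in overlapping subnets.
Check 2: each VPN client pool needs a route on the LAN core switch that
         points back at the firewall interface terminating the VPN;
         otherwise return packets follow the switch's default gateway
         and the tunnel fails asymmetrically.
"""
from ipaddress import IPv4Interface, IPv4Network
from itertools import combinations


def overlapping_interfaces(interfaces):
    """Return sorted pairs of interface names whose subnets overlap.

    `interfaces` maps a name ("inside", "dmz1") to an address in CIDR form.
    """
    nets = {name: IPv4Interface(addr).network for name, addr in interfaces.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def return_path_problems(vpn_pools, core_routes, vpn_gateway):
    """Return (pool, next_hop) for pools whose return traffic misses `vpn_gateway`.

    `core_routes` maps destination prefix -> next-hop address on the core
    switch. Longest prefix wins, as on a real router; a pool with no
    matching route at all is reported with next hop None.
    """
    routes = {IPv4Network(p): nh for p, nh in core_routes.items()}
    problems = []
    for pool in vpn_pools:
        pool_net = IPv4Network(pool)
        candidates = [n for n in routes if pool_net.subnet_of(n)]
        if not candidates:
            problems.append((pool, None))
            continue
        best = max(candidates, key=lambda n: n.prefixlen)
        if routes[best] != vpn_gateway:
            problems.append((pool, routes[best]))
    return problems


# --- Constructed sample plans (hypothetical addressing) ---------------------
# Proposal from the first post: DMZ port patched into the same LAN as inside.
PLAN_DMZ_ON_LAN = {
    "outside": "203.0.113.2/29",
    "inside": "192.168.10.2/24",   # same LAN the ISA sits on
    "dmz1": "192.168.10.3/24",     # DMZ port on the 4507 -> same range as inside
}
# Alex's suggestion: a small "ghost" transit net between PIX inside and ISA
# outside, so the PIX sees two different networks on inside and DMZ.
PLAN_TRANSIT_NET = {
    "outside": "203.0.113.2/29",
    "inside": "10.255.255.1/30",   # point-to-point link to the ISA's outer leg
    "dmz1": "192.168.10.3/24",     # DMZ port into the LAN
}
VPN_POOLS = ["192.168.200.0/24"]                     # hypothetical client pool
PIX_DMZ_ADDR = "192.168.10.3"                        # VPN terminates here
CORE_ROUTES_BEFORE = {"0.0.0.0/0": "192.168.10.1"}   # default -> ISA inside leg
CORE_ROUTES_AFTER = {
    "0.0.0.0/0": "192.168.10.1",
    "192.168.200.0/24": PIX_DMZ_ADDR,                # static route for the pool
}

if __name__ == "__main__":
    print("overlap, DMZ on LAN :", overlapping_interfaces(PLAN_DMZ_ON_LAN))
    print("overlap, transit net:", overlapping_interfaces(PLAN_TRANSIT_NET))
    print("return path, before :", return_path_problems(VPN_POOLS, CORE_ROUTES_BEFORE, PIX_DMZ_ADDR))
    print("return path, after  :", return_path_problems(VPN_POOLS, CORE_ROUTES_AFTER, PIX_DMZ_ADDR))
```

The first check reproduces the PIX constraint Alex describes: the DMZ-into-LAN plan reports an inside/dmz1 overlap, while the transit-net plan reports none. The second check shows why the transit net alone is not enough: until the core switch carries a route for the client pool toward the PIX DMZ address, return traffic is handed to the ISA server instead.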

  3. Walter Roberson

    Not in PIX 7.0, PIX 7.1, or PIX 7.2, at least not yet.
     
    Walter Roberson, Aug 18, 2006
    #3
  4. Ned

    Ned Guest

    Hi Alex

    Thanks for the response. I'm considering purchasing a second
    VPN/firewall and connecting it directly to my LAN. Do you see any
    problems with this?

    Thanks
     
    Ned, Aug 19, 2006
    #4
  5. Ned

    Ned Guest

    Hello

    I created a diagram and posted it on a friend's website. It shows the
    current configuration.
    I'm hoping the diagram might help with suggestions. I do have a spare
    PIX 501 and I was thinking of purchasing a VPN concentrator and using
    this in parallel with the existing config.
    http://www.citytechnical.com/Fg42_1.gif

    Thanks
     
    Ned, Aug 21, 2006
    #5