Providing VPN access to police department and to vendors with PIX and ISA 2000

Hello

I have a PIX 515UR with the inside interface connected to an ISA
firewall that connects to my LAN. It works great for me because I use
PPTP passthru, but I need to give police and vendors VPN access and I
want to use the Cisco VPN client so I can ensure the remote client has
the latest virus signatures, etc. Also, my network will ne audited by
a third party next year so I want the best possible solution. The
problem is that I cannot currently use the PIX for VPN because users
would to VPN twice, once for the PIX and again to get through ISA. I
was thinking of using one of the free DMZ ports on the PIX and
connecting that to a port on the Catalyst 4507 which already has about
15 VLANS. By connecting the PIX DMZ directly to our network I would
bypass ISA 2000 for VPN users but still have the protection of the PIX
firewall. The default gateway on our 4507 points to the ISA server, so
I'm not sure if this will cause a problem for return traffic. We do
have money for a dedicated VPN device which I could install paralell to
the PIX, but it would have to also provide firewall protection. Would
the DMZ idea work? I know it would mean that both the inside interface
and the DMZ would both be connected to our LAN, I'm just not sure if
that's a good or bad thing.

Thanks
Ned Hart

 

cated VPN device which I could install paralell to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would both be connected to our LAN, I'm just not sure if that's a good or bad thing.

A) PIX doesn't allow to have 2 addresses belonging to the same range on 2 different interfaces. So you can not do that
unless the "outside" interface of the ISA and the inside of the PIX use a "ghost" or "for connection" network. In that
case the PIX would see 2 different nets on inside and DMZ.

My solutions are

1) Move from ISA to PIX for both PTPP clients (PIX can act as PTPP server AFAIK) and VPN ones;
2) Terminate VPN client on the PIX and "trust" the network assigned to VPNclient on the ISA; I see that solution if you
have the "ghost" net I spoke above.

HTH

Alex.

P.S.
Maybe a diagram with the topology can help.
I'm not expert of ISA.

 

Not in PIX 7.0, PIX 7.1, or PIX 7.2, at least not yet.

 

Hi Alex

Thanks for the response. I'm considering purchasing a second
vpn/firewall and connecting it directly to my lan. Do you see any
problems with this?

Thanks

 

Hello

I created a diagram and posted it on a friend's website. It shows the
current configuration.
I'm hoping the diagram might help with suggestions. I do have a spare
PIX 501 and I was thinking of purchaseing a VPN concentrator and using
this in paralell with the existing config.
http://www.citytechnical.com/Fg42_1.gif

Thanks