Solved

Using a spare PIX as a standalone VPN server

Posted on 2004-03-24
Last Modified: 2010-04-17
Our network consists of a Cisco 6500 at our edge which has an FWSM blade as our firewall. The FWSM doesn't have VPN capability and the VPN blade for the 6500 costs mucho $$$. I have a couple of PIX 520's that aren't doing anything and would like to put them to use as a VPN server. Since we're already behind a firewall, the outside interface of the PIX is actually on the same network as the inside of our FWSM. The inside network of the PIX is just a NAT'd network with private IP space.
Simple diagram:

<Internet>--<FWSM>--Internal Network---<PIX>--internal pix net


I can get the Cisco VPN client to connect to the PIX just fine, and can see things on the inside interface of the PIX. (In reality there is nothing there on the inside interface, but I simply have a test server behind it right now just for test purposes.) But what I need it to do is see things on the outside interface of the PIX. I can't put the PIX at our edge due to the FWSM, nor would I want to due to the huge performance differences. Everything I've read about this says to use split tunneling to access things outside of the PIX, but the whole point of this is to securely access our internal network, which happens to be outside of the PIX. If I have to put the PIX in parallel with the FWSM I suppose I can, but if there's a way I can use the model I've diagrammed above I'd sure love to hear about it.
Question by:mikemasse
4 Comments
 
LVL 79

Accepted Solution

by: lrmoore (earned 125 total points)
ID: 10671311
Putting it in parallel with FWSM is your best bet.
Unlike a router, a PIX will NOT bounce traffic back out the same interface it came in on.
In your case, your Internal network is actually your VPN PIX's Outside interface. Since your VPN terminates on that interface, you can't access anything on the outside "dmz", only what is connected to the inside interface.

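The forwarding rule lrmoore describes, modelled in a small added example (not code from the thread or from Cisco): a route lookup followed by the PIX refusal to send a packet back out the interface it arrived on. Addresses and host names are constructed; the model ignores ACLs and NAT, and note that later PIX 7.x/ASA software added `same-security-traffic permit intra-interface` to allow this hairpinning, which PIX 6.x lacks.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two placements discussed in the thread; the subnets
# are made up and are not the poster's. A PIX 6.x drops a packet whose best
# route points back out the interface it arrived on; a router would forward it.
# Decapsulated IPsec client traffic behaves like a packet that arrived on the
# interface the tunnel terminates on (the PIX "outside").

class PixModel:
    def __init__(self, connected):
        # connected: interface name -> its directly connected subnet
        self.connected = {name: ip_network(net) for name, net in connected.items()}

    def egress_for(self, dst):
        """Route lookup: a connected subnet wins, otherwise the default route out 'outside'."""
        dst = ip_address(dst)
        for name, net in self.connected.items():
            if dst in net:
                return name
        return "outside"

    def forward(self, ingress, dst):
        """Return (forwarded, egress_interface) for a packet arriving on `ingress`."""
        egress = self.egress_for(dst)
        if egress == ingress:
            return False, egress   # PIX refuses to hairpin; a router would not
        return True, egress

def vpn_client_can_reach(pix, dst):
    """Decapsulated VPN client traffic enters on 'outside', where the tunnel terminates."""
    forwarded, _ = pix.forward("outside", dst)
    return forwarded

# Placement 1, as diagrammed in the question: PIX outside sits on the internal network.
diagrammed = PixModel({"outside": "10.0.0.0/16", "inside": "192.168.100.0/24"})
# Placement 2, lrmoore's suggestion: PIX in parallel with the FWSM, inside = internal network.
parallel = PixModel({"outside": "203.0.113.0/24", "inside": "10.0.0.0/16"})

INTERNAL_SERVER = "10.0.5.20"       # constructed host on the internal network
PIX_TEST_SERVER = "192.168.100.10"  # constructed test server behind the PIX inside

if __name__ == "__main__":
    for label, pix, dst in (("diagrammed", diagrammed, INTERNAL_SERVER),
                            ("diagrammed", diagrammed, PIX_TEST_SERVER),
                            ("parallel", parallel, INTERNAL_SERVER)):
        state = "reachable" if vpn_client_can_reach(pix, dst) else "dropped (hairpin)"
        print(f"{label:10} VPN client -> {dst:16} {state}")
```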
 
LVL 79

Expert Comment

by:lrmoore
ID: 10682984
Any progress, thoughts, questions?

