Using a spare PIX as a standalone VPN server
Posted on 2004-03-24
Our network consists of a Cisco 6500 at our edge which has an FWSM blade as our firewall. The FWSM doesn't have VPN capability and the VPN blade for the 6500 costs mucho $$$. I have a couple of PIX 520's that aren't doing anything and would like to put them to use as a VPN server. Since we're already behind a firewall, the outside interface of the PIX is actually on the same network as the inside of our FWSM. The inside network of the PIX is just a nat'd network with private IP space.
<Internet>--<FWSM>--Internal Network---<PIX>--internal pix net
I can get the Cisco VPN client to connect to the PIX just fine, and can see things on the inside interface of the PIX. (In reality there is nothing there on the inside interface, but I simply have a test server behind it right now just for test purposes) but what I need it to do is see things on the outside interface of the pix. I can't put the PIX at our edge due to the FWSM, nor would I want to due to the huge performance differences. Everything I've read about this says to use split tunneling to access things outside of the pix, but the whole point of this is to securly access our internal network, which happens to be outside of the pix. If I have to put the pix in parallel with the FWSM I suppose I can, but if there's a way I can use the model I've diagramed above I'd sure love to hear about it.