?
Solved

Using a spare PIX as a standalone VPN server

Posted on 2004-03-24
4
Medium Priority
?
288 Views
Last Modified: 2010-04-17
Our network consists of a Cisco 6500 at our edge which has an FWSM blade as our firewall.    The FWSM doesn't have VPN capability and the VPN blade for the 6500 costs mucho $$$.    I have a couple of PIX 520's that aren't doing anything and would like to put them to use as a VPN server.    Since we're already behind a firewall, the outside interface of the PIX is actually on the same network as the inside of our FWSM.   The inside network of the PIX is just a nat'd network with private IP space.  
Simple diagram:

<Internet>--<FWSM>--Internal Network---<PIX>--internal pix net


 I can get the Cisco VPN client to connect to the PIX just fine, and can see things on the inside interface of the PIX.  (In reality there is nothing there on the inside interface, but I simply have a test server behind it right now just for test purposes)   but what I need it to do is see things on the outside interface of the pix.   I can't put the PIX at our edge due to the FWSM, nor would I want to due to the huge performance differences.    Everything I've read about this says to use split tunneling to access things outside of the pix, but the whole point of this is to securly access our internal network, which happens to be outside of the pix.   If I have to put the pix in parallel with the FWSM I suppose I can, but if there's a way I can  use the model I've diagramed above I'd sure love to hear about it.
0
Comment
Question by:mikemasse
  • 2
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 10671311
Putting it in parallel with FWSM is your best bet.
Unlike a router, a PIX will NOT bounce traffic back out the same interface it came in on.
In your case, your Internal network is actually your VPN PIX's Outside interface. Since your VPN terminates on that interface, you can't access anything on the outside "dmz", only what is connected to the inside interface.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10682984
Any progress, thoughts, questions?

0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question