Solved

Using a spare PIX as a standalone VPN server

Posted on 2004-03-24
4
282 Views
Last Modified: 2010-04-17
Our network consists of a Cisco 6500 at our edge which has an FWSM blade as our firewall.    The FWSM doesn't have VPN capability and the VPN blade for the 6500 costs mucho $$$.    I have a couple of PIX 520's that aren't doing anything and would like to put them to use as a VPN server.    Since we're already behind a firewall, the outside interface of the PIX is actually on the same network as the inside of our FWSM.   The inside network of the PIX is just a nat'd network with private IP space.  
Simple diagram:

<Internet>--<FWSM>--Internal Network---<PIX>--internal pix net


 I can get the Cisco VPN client to connect to the PIX just fine, and can see things on the inside interface of the PIX.  (In reality there is nothing there on the inside interface, but I simply have a test server behind it right now just for test purposes)   but what I need it to do is see things on the outside interface of the pix.   I can't put the PIX at our edge due to the FWSM, nor would I want to due to the huge performance differences.    Everything I've read about this says to use split tunneling to access things outside of the pix, but the whole point of this is to securly access our internal network, which happens to be outside of the pix.   If I have to put the pix in parallel with the FWSM I suppose I can, but if there's a way I can  use the model I've diagramed above I'd sure love to hear about it.
0
Comment
Question by:mikemasse
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 10671311
Putting it in parallel with FWSM is your best bet.
Unlike a router, a PIX will NOT bounce traffic back out the same interface it came in on.
In your case, your Internal network is actually your VPN PIX's Outside interface. Since your VPN terminates on that interface, you can't access anything on the outside "dmz", only what is connected to the inside interface.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10682984
Any progress, thoughts, questions?

0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question