PIX help: Got a "scratcher"

I'm really hoping some of the PIX firewall experts might be able to help me here, and I hope my explanation of the situation will be of help.

The initial scenario is that I'm in companyA, and companyB is a vendor of ours for whom we host servers and other network equipment. When communicating with companyB, we use private IPs instead of going out via the internet. We're able to do this because companyB has a PIX506 firewall whose outside interface is directly connected to one of our (companyA) VLANs. We route the traffic to that outside interface and from there, that PIX506 sends it to a router (also at our location) with a DS3 connection to companyB's main network (offsite).

In order to reach companyB's PIX506, traffic coming from companyA goes through a PIX525 firewall via a DMZ with a security level of 1 (so it's the route statements on the PIX525 that send it out the DMZ to the PIX506). I should also mention that companyA's PIX525 has VPN set up on it. Ok, I really hope this helps... though I'm sure it would've been easier if I knew how to draw an effective picture on here.

So now here's the problem: this network works fine when the users trying to reach companyB from companyA are coming from the "inside" network of the PIX525. However users using VPN are unable to get there. It seems to me that since VPN users come in from the "outside" interface of the PIX525 (security0), they're unable to be sent right back out again through the DMZ (security1).

Is there any way at all that VPN users (who use the Cisco VPN client) might be able to go out through this DMZ in question? I should mention here that these VPN users are able to access pretty much everything on the "inside" networks and all the DMZs on the PIX525 (we have about 6 DMZs). My assumption is that this is not going to be possible with the current PIX configuration (using version 6.3(4)). Would PIX version 7.x.x help? Or would moving VPN users off the PIX to something like an ASA5500 help? For now, I've told VPN users to TS into a server on the "inside" network in order for this to work, but I'm desperate for a permanent solution where VPN users will have the same access to companyB that "inside" users do.

Thanks a lot in advance!

Jon Doe

The PIX firewall groupies tend to hang out in comp.dcom.sys.cisco.

What you want to do should be configurable in PIX 6.3(4).

The traditional restriction on a PIX is that packets that come in on a [logical] interface cannot go out the *same* [logical] interface. (PIX 7.0 adds an option to allow such things if at least one of the endpoints is a VPN.) There is no block in either version if -different- interfaces are involved: it's just a matter of setting up the correct ACLs and routes and translations and crypto maps.

Walter Roberson
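To make the reply above concrete, here is an added PIX 6.3 configuration fragment (it is not from either poster and not from the original thread) showing the "ACLs, routes, translations" pieces that let Cisco VPN Client users who terminate on "outside" be forwarded out a low-security DMZ toward a peer firewall. The interface name dmz1, the DMZ subnet 10.10.10.0/24, the PIX506 outside address 10.10.10.2, the companyB network 192.168.100.0/24, the client pool 172.16.50.0/24 and the vpngroup name are all assumptions chosen for illustration. The existing crypto map, isakmp and dynamic-map configuration that already makes the VPN work is assumed to stay as it is and is not repeated here.

```text
: Added example, not part of the original thread. All names and addresses below are assumptions.
: PIX 6.3(4): VPN clients (outside, security0) reaching companyB through a DMZ (security1).

: The low-security DMZ that faces the vendor's PIX506 outside interface (assumed name/address)
nameif ethernet2 dmz1 security1
ip address dmz1 10.10.10.1 255.255.255.0

: Pool handed out to Cisco VPN Client users (assumed range)
ip local pool vpnpool 172.16.50.1-172.16.50.254

: Route companyB's network out the DMZ to the PIX506 outside interface,
: exactly as is already done for "inside" users (assumed addresses)
route dmz1 192.168.100.0 255.255.255.0 10.10.10.2 1

: Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

: Translation: exempt companyB <-> VPN pool from NAT on the DMZ interface.
: nat 0 with an ACL is bidirectional in 6.3, so the lower-security outside side
: (the VPN pool) is allowed to initiate connections toward the DMZ side.
access-list nonat-dmz1 permit ip 192.168.100.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (dmz1) 0 access-list nonat-dmz1

: Split tunnel: the client must send companyB-bound traffic into the tunnel
: rather than out its local default route
access-list split-tunnel-acl permit ip 192.168.100.0 255.255.255.0 172.16.50.0 255.255.255.0
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split-tunnel-acl
vpngroup remoteusers password ********

: Not needed here: outside and dmz1 are different interfaces, so this is not the
: same-interface ("hairpin") case. Only PIX 7.0+ has a knob for that:
:   same-security-traffic permit intra-interface
```

Two checks before declaring it done. First, the return path: the PIX506 and companyB's routers must know that 172.16.50.0/24 is reached via the PIX525's dmz1 address (10.10.10.1 in this illustration), otherwise replies to VPN clients will follow companyB's default route and never come back. Second, `show xlate` and `show access-list nonat-dmz1` after a test connection confirm that the pool traffic is actually matching the NAT exemption rather than falling through to the interface's `global`/`nat` translations.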

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.