Can PIX 501 be VPN terminator inside another firewall?

I'm new to the PIX, but I've done some basic modifications to Cisco routers in the past, and even taken a router configuration class with IOS 11.2. I can see this is enough different that I need help.

PIX Version 6.3(5)

I would like to install a PIX 501 behind an existing firewall and have it only act as a VPN server. The existing firewall has 2 interfaces, one using cable and the other DSL. Both internet addresses are static. In case it matters, the firewall is a Nexland ISB 800 Pro. The LAN is currently 192.168.1.x/24. The firewall is using 192.168.1.250 as its inside address. I've been told all IP addresses on the LAN have been statically assigned and are at .100 and above. The idea is to install the 501 purely to act as a VPN server to the Cisco VPN Client. (I believe 1 proposed user has 4.6 installed and I have 4.8 installed.) All proposed use is via the software client. Currently there are only 3 proposed users and 2 of us are only for support purposes. I would like VPN users to have full access to all systems on the LAN once the tunnel is established.

Is what I propose possible? If so, can I make it work without all the LAN IP addresses being changed? Does someone have such a configuration I could use as a template?

Help! This is supposed to be installed on the 24th and I'm afraid I won't have this ready.

Reply to
VMS Guy

Do you have a choice with respect to equipment, i.e. do you have a Cisco router which could be used as a VPN server?

Reply to
Merv

Reply to
VMS Guy

Are you expecting the IPsec packets coming from the VPN clients to go into and come out of the same PIX interface to the existing LAN that is behind the firewall (i.e. a VPN server on-a-stick)?

If so, I do not think that is possible with 6.x software. It is possible with PIX 7.x software, but for that you need a PIX 515 or above (different price range).

It may be possible on an IOS based router but that would have to be researched.

Reply to
Merv

Does your firewall support a DMZ port? Is it in use?

Will your firewall support IPSEC pass-thru to the DMZ port?

If it does, then you may be able to connect one port (outside) of the PIX to the DMZ port and the other PIX 501 port (inside) to your 192.168.1.x LAN.
Reply to
Merv

Reply to
VMS Guy

AFAIK PIX only accepts classful netmasks, i.e. for 192.168.1.x it wants 255.255.255.0.
Reply to
Merv

Reply to
VMS Guy

I scanned the docs for your firewall and that DMZ feature is not a separate physical port to which an IP address can be assigned. It basically exposes an inside host to the outside port.

Are all of the LAN devices directly connected to the 8 port hub contained in the firewall?

Reply to
Merv

I would have to say no. It's a small company, but not small enough to only have 8 network devices. I suspect 2 to 4 Windows servers, perhaps 12 to 15 network printers, and around 30 workstations. It's been over 10 years s
Reply to
VMS Guy

Probably the only way to deploy the PIX 501 behind the existing firewall would be to put in a smaller router in parallel with the PIX with them both landing on common segments.

Reply to
Merv

No, that is not correct. The PIX does not even require the mask bits to be consecutive.

The PIX defaults to classful addresses if the mask is not specified, even in some circumstances that one would think the PIX could easily deduce the proper mask.

In particular, in PIX before 6.3 (I think it was), dynamic IPs handed out to the VPN client were assumed to be classful, so a new mask option was added to 'ip local pool' and corresponding updates were made to the VPN client.

Reply to
Walter Roberson
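As an added illustration of the 'ip local pool' mask option Walter mentions (this fragment is constructed for this thread and is not a configuration posted by any participant; the pool name, address range, group name and access-list name are assumptions, and it does not settle the on-a-stick topology question discussed above), this is how a PIX 6.3 pool that hands out addresses from the existing 192.168.1.0/24 LAN would be defined with an explicit mask, exempted from NAT, and tied to a VPN client group:

```cisco
! Constructed PIX 6.3 fragment, not from the original thread.
! Pool of client addresses carved out of the LAN, with the mask given
! explicitly so the client is not handed a classful /24 assumption.
ip local pool vpnpool 192.168.1.200-192.168.1.210 mask 255.255.255.0

! Traffic between the LAN and the pool range must bypass NAT so
! clients reach inside hosts with their real addresses (assumed names).
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic skip the interface access lists.
sysopt connection permit-ipsec

! Client group used by the Cisco VPN Client (group name and password are placeholders).
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password REPLACE-WITH-GROUP-PASSWORD
```

The 255.255.255.224 in the no-NAT access list is just a block that covers the .200-.210 pool range; keep the pool out of the .100-and-above addresses already assigned statically on the LAN.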

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.