I have a PIX 515UR with the inside interface connected to an ISA firewall that connects to my LAN. It works great for me because I use PPTP passthru, but I need to give police and vendors VPN access and I want to use the Cisco VPN client so I can ensure the remote client has the latest virus signatures, etc. Also, my network will be audited by a third party next year so I want the best possible solution. The problem is that I cannot currently use the PIX for VPN because users would have to VPN twice, once for the PIX and again to get through ISA. I was thinking of using one of the free DMZ ports on the PIX and connecting that to a port on the Catalyst 4507 which already has about 15 VLANs. By connecting the PIX DMZ directly to our network I would bypass ISA 2000 for VPN users but still have the protection of the PIX firewall. The default gateway on our 4507 points to the ISA server, so I'm not sure if this will cause a problem for return traffic. We do have money for a dedicated VPN device which I could install parallel to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would be connected to our LAN, I'm just not sure if that's a good or bad thing.
Thanks, Ned Hart