Providing VPN access to police department and to vendors with PIX and ISA 2000

Hello

I have a PIX 515UR with the inside interface connected to an ISA firewall that connects to my LAN. It works great for me because I use PPTP passthru, but I need to give police and vendors VPN access and I want to use the Cisco VPN client so I can ensure the remote client has the latest virus signatures, etc. Also, my network will be audited by a third party next year so I want the best possible solution. The problem is that I cannot currently use the PIX for VPN because users would have to VPN twice, once for the PIX and again to get through ISA. I was thinking of using one of the free DMZ ports on the PIX and connecting that to a port on the Catalyst 4507 which already has about 15 VLANs. By connecting the PIX DMZ directly to our network I would bypass ISA 2000 for VPN users but still have the protection of the PIX firewall. The default gateway on our 4507 points to the ISA server, so I'm not sure if this will cause a problem for return traffic. We do have money for a dedicated VPN device which I could install parallel to the PIX, but it would have to also provide firewall protection. Would the DMZ idea work? I know it would mean that both the inside interface and the DMZ would be connected to our LAN, I'm just not sure if that's a good or bad thing.

Thanks Ned Hart

Ned

A) PIX doesn't allow 2 addresses belonging to the same range on 2 different interfaces. So you cannot do that unless the "outside" interface of the ISA and the inside of the PIX use a "ghost" or "for connection" network. In that case the PIX would see 2 different nets on inside and DMZ.

My solutions are

1) Move from ISA to PIX for both PPTP clients (PIX can act as PPTP server AFAIK) and VPN ones;

2) Terminate VPN clients on the PIX and "trust" the network assigned to VPN clients on the ISA; I see that solution if you have the "ghost" net I spoke of above.

HTH

Alex.

P.S. Maybe a diagram with the topology can help. I'm not an expert on ISA.

AM
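An added check, written for this thread and not code from any of the posters, for the two points raised so far: AM's note that the PIX will not accept two interfaces on overlapping subnets (and that a small "ghost" transit net between the PIX inside interface and the ISA outside interface avoids that), and Ned's question about return traffic when the 4507's default gateway points at the ISA server. Every address, interface name, VPN pool and next-hop label below is a constructed placeholder; nothing here is taken from the poster's real network.

```python
import ipaddress

# Constructed interface plans modelled on the thread; all addresses are placeholders.
# 1) The "DMZ port on the LAN" idea: inside and dmz both sit in the LAN range.
PLAN_DMZ_ON_LAN = {
    "outside": "203.0.113.2/24",
    "inside": "192.168.10.1/24",
    "dmz": "192.168.10.2/24",
}
# 2) The same idea with a small transit ("ghost" / "for connection") network
#    between the PIX inside interface and the ISA outside interface.
PLAN_WITH_TRANSIT_NET = {
    "outside": "203.0.113.2/24",
    "inside": "10.255.255.1/30",
    "dmz": "192.168.10.2/24",
}


def overlapping_interfaces(plan):
    """Return sorted (iface_a, iface_b) pairs whose connected subnets overlap.
    A PIX refuses two interfaces on the same network, so any pair returned
    here means the plan cannot be configured as written."""
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Constructed routing table for the Catalyst 4507 as (prefix, next-hop label).
# As described in the thread, its default route points at the ISA server.
SWITCH_ROUTES = [
    ("192.168.10.0/24", "connected"),
    ("0.0.0.0/0", "isa-internal"),
]
# Constructed address pool handed to Cisco VPN clients terminating on the PIX.
VPN_POOL = "10.200.0.0/24"
# Same table plus a static route sending the VPN pool back via the PIX DMZ interface.
SWITCH_ROUTES_FIXED = SWITCH_ROUTES + [(VPN_POOL, "pix-dmz")]


def next_hop(routes, dst):
    """Longest-prefix-match lookup: the next hop the switch uses to reach dst."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def return_path_symmetric(routes, vpn_client_ip, entry_hop="pix-dmz"):
    """True when replies to a VPN client leave the switch the same way the
    client's packets arrived (the PIX DMZ), i.e. no asymmetric return through
    the ISA server, which would otherwise see only half of each connection."""
    return next_hop(routes, vpn_client_ip) == entry_hop


if __name__ == "__main__":
    print("overlaps (dmz on LAN):", overlapping_interfaces(PLAN_DMZ_ON_LAN))
    print("overlaps (transit net):", overlapping_interfaces(PLAN_WITH_TRANSIT_NET))
    print("reply to VPN client goes via:", next_hop(SWITCH_ROUTES, "10.200.0.5"))
    print("with static route, goes via:", next_hop(SWITCH_ROUTES_FIXED, "10.200.0.5"))
```

Running it shows the first plan failing the overlap check on the inside/dmz pair while the transit-net plan passes, and that with only a default route the switch would send replies for a VPN client to the ISA server rather than back through the PIX DMZ; a static route for the VPN pool pointing at the DMZ interface is what keeps the return path symmetric.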

Not in PIX 7.0, PIX 7.1, or PIX 7.2, at least not yet.

Walter Roberson

Hi Alex

Thanks for the response. I'm considering purchasing a second VPN/firewall and connecting it directly to my LAN. Do you see any problems with this?

Thanks


Ned

Hello

I created a diagram and posted it on a friend's website. It shows the current configuration. I'm hoping the diagram might help with suggestions. I do have a spare PIX 501 and I was thinking of purchasing a VPN concentrator and using this in parallel with the existing config.

Thanks


Ned

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.