PIX Help: Got a "scratcher"

I'm really hoping some of the PIX firewall experts might be able to help me here, and I hope my explanation of the situation will be of help.

The initial scenario is that I'm in companyA, and companyB is a vendor of ours for whom we host servers and other network equipment. When communicating with companyB, we use private IPs instead of going out via the internet. We're able to do this because companyB has a PIX506 firewall whose outside interface is directly connected to one of our (companyA) VLANs. We route the traffic to that outside interface and from there, that PIX506 sends it to a router (also at our location) with a DS3 connection to companyB's main network (offsite).

In order to reach companyB's PIX506, traffic coming from companyA goes through a PIX525 firewall via a DMZ with a security level of 1 (so it's the route statements on the PIX525 that send it out the DMZ to the PIX506). I should also mention that companyA's PIX525 has VPN set up on it. OK, I really hope this helps... though I'm sure it would've been easier if I knew how to draw an effective picture on here.

So now here's the problem: this network works fine when the users trying to reach companyB from companyA are coming from the "inside" network of the PIX525. However users using VPN are unable to get there. It seems to me that since VPN users come in from the "outside" interface of the PIX525 (security0), they're unable to be sent right back out again through the DMZ (security1).

Is there any way at all that VPN users (who use the Cisco VPN client) might be able to go out through this DMZ in question? I should mention here that these VPN users are able to access pretty much everything on the "inside" networks and all the DMZs on the PIX 525 (we have about 6 DMZs). My assumption is that this is not going to be possible with the current PIX configuration (using version 6.3(4)). Would PIX version 7.x.x help? Or would moving VPN users off the PIX to something like an ASA5500 help? For now, I've told VPN users to TS into a server on the "inside" network in order for this to work, but I'm desperate for a permanent solution where VPN users will have the same access to companyB that "inside" users do.

Thanks a lot in advance!

Jon Doe

If I understand the situation correctly, there are a couple of ways to do this. You need to modify the rules so that VPN traffic is permitted to be directly routed from your VPN pool to companyB, or alternately you can use NAT to make the traffic appear as if it originated from a subnet that is on the permitted list. Just my 2 cents.

eoverby
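To make the two approaches in the reply above concrete, here is an added PIX 6.3-style configuration sketch. It is not the poster's configuration and not Cisco documentation; every name and address in it is a placeholder I chose for illustration: a VPN pool of 10.200.0.0/24, a DMZ interface named "dmz" at security level 1, the PIX506's outside address 192.168.1.2 on that DMZ VLAN, companyB's private network 172.16.50.0/24, and a DMZ-side translation address 192.168.1.10. The point it shows is that decrypted VPN client traffic arrives on the outside interface (security 0) and has to leave through a higher-security interface (dmz, security 1), so on 6.3 the PIX needs a translation for that low-to-high path plus either a permit for the pool or an outside NAT that hides the pool behind an address companyB already accepts.

```cisco
! Added example (not the poster's configuration). All interface names and
! addresses below are placeholders chosen for illustration.

! --- pieces the question already implies exist ---
! VPN client address pool (placeholder range).
ip local pool vpnpool 10.200.0.1-10.200.0.254
! companyB's private space is reached via the DMZ VLAN; next hop is the PIX506's
! outside address on that VLAN (placeholder).
route dmz 172.16.50.0 255.255.255.0 192.168.1.2 1
! Let IPsec-decrypted client traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
! Keep inside <-> VPN pool traffic untranslated (typical client VPN setup).
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! --- shared prerequisite for both options ---
! Client packets enter on outside (security 0) and exit via dmz (security 1),
! so the PIX needs a translation for companyB's subnet on the outside side.
! An identity static publishes it without changing the addresses. Because this
! makes 172.16.50.0/24 addressable from the outside interface, any ACL on
! outside should only ever permit the VPN pool as a source toward it.
static (dmz,outside) 172.16.50.0 172.16.50.0 netmask 255.255.255.0

! --- option 1: route the pool straight through (reply's first suggestion) ---
! Explicit permit scoped to the pool only; with sysopt permit-ipsec the ACL is
! bypassed for decrypted VPN traffic, but it documents intent and protects the
! static if sysopt is ever removed. companyB's side must then accept
! 10.200.0.0/24 as a source (that is the "permitted list" the reply refers to).
access-list outside_in permit ip 10.200.0.0 255.255.255.0 172.16.50.0 255.255.255.0
access-group outside_in in interface outside

! --- option 2: hide the pool behind a DMZ-side address (reply's NAT suggestion) ---
! Outside NAT (the trailing "outside" keyword) translates the pool as it crosses
! from outside to dmz, so the PIX506 and companyB see a source of 192.168.1.10
! (placeholder) instead of the pool, the same as if the traffic came from the
! DMZ VLAN. Pick one option; do not combine both for the same traffic.
nat (outside) 1 10.200.0.0 255.255.255.0 outside
global (dmz) 1 192.168.1.10
```

Two practical checks while testing this: `show xlate` should show translations for the pool addresses (identity in option 1, the DMZ-side address in option 2) once a VPN client sends traffic toward companyB, and `show route` should list the companyB subnet via the dmz interface. Option 2 has the operational advantage that companyB's PIX506 never needs to learn about the VPN pool at all, which keeps the address ranges exposed across the vendor link to the one companyA already controls.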

I'd recommend setting up a VPN concentrator. I had a similar situation (and used the same TS workaround!) - CompanyA, CompanyB, and CompanyC connected via a PIX 515 and 2 PIX 506s. I could VPN successfully to CompanyA, but I could not access anything at CompanyB/C due to the PIX limitations. I set up a VPN3005 at CompanyA and all is well.

- Mark

news.qwest.net
