[fw-wiz] Pix 501 & 506 PixOS 7.0 compatibility

From: Jimmy Sadri (jimmys_at_myesn.com)
Date: 10/20/05

  • Next message: David West: "[fw-wiz] SecureClient netbios broadcast on office mode connection"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 19 Oct 2005 22:12:03 -0700
    
    

    Hi all,

            Does anyone on this list know if Cisco
    is ever planning a 7.0 release for the 501 and 506
    Pix hardware? I was a Beta tester for 7.0 when it
    was in the Beta stage and when I asked them about it
    (back in March) they said that there would be support
    for the 501 and 506 in a follow on release but they
    didn't say when. I was wondering if anyone has any
    info on when or if this will ever happen?

    ================================================
    Jimmy Sadri CISSP, CCSP, CCNP, MCSE, MCSA
    Network Engineer
    Network Security Analyst
    CBK Instructor
    Consultant

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Joe Dollard
    Sent: Thursday, October 13, 2005 5:52 PM
    To: Paul Melson
    Cc: 'Hughes, Chris'; firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

    Paul Melson wrote:

    >-----Original Message-----
    >Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    >
    >>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn client and
    >>would like to force the client to use the corporate network for internet access. I
    >>don't want to allow split-tunnel. I can't find any info on how to do this. Is split
    >>tunnel the only way to give a vpn client internet access once they are connected?
    >
    >The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
    >take traffic that arrives on one interface and pass it back out that same
    >interface, even when the traffic arrives via VPN tunnel. That said, you can
    >sort of solve this problem by having the clients use a proxy server while
    >connected via full tunnel. There may or may not be an elegant way to
    >automate this for your road warriors, but this would really be independent
    >of anything the PIX or VPN client do. (Think login scripts, Group Policy,
    >etc.)
    >
    While I haven't tried this yet, it's my understanding that with PIX 7.0
    this is possible to do with the same-security-traffic command.
    According to the PIX documentation
    (http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
    this allows you to "permit communication between interfaces with equal
    security levels".

    Regards,
    Joe

    >If it's a big enough issue that you're willing to spend time and resources
    >on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
    >They can do exactly what you're asking for, plus they possess a number of
    >other features for managing VPN client users that the PIX doesn't have.
    >(Like dynamic VPN profile assignment via RADIUS.)
    >
    >PaulM
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
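
Added example, not part of the original thread or of Cisco's documentation: a PIX 7.x configuration fragment for the full-tunnel setup discussed above, in which VPN client traffic for the Internet re-exits the outside interface. It uses the `intra-interface` keyword of same-security-traffic (the text quoted in the message describes the `inter-interface` keyword); the pool, group names, addresses and key are constructed placeholders, and the ISAKMP policy and crypto map are assumed to be configured already.

```cisco
! Constructed example for PIX 7.x; all names and addresses are placeholders.
!
! Allow IPsec traffic to enter and leave the same interface (hairpin on outside).
same-security-traffic permit intra-interface
!
! Address pool handed out to VPN clients (constructed range).
ip local pool VPNPOOL 192.168.10.1-192.168.10.254
!
! Translate client traffic that is headed back out to the Internet.
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! Full tunnel: all client traffic goes through the tunnel, no split-tunnel.
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 split-tunnel-policy tunnelall
!
! Bind the pool and the policy to the remote-access tunnel group.
tunnel-group REMOTE-USERS type ipsec-ra
tunnel-group REMOTE-USERS general-attributes
 address-pool VPNPOOL
 default-group-policy REMOTE-USERS
tunnel-group REMOTE-USERS ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>
```

With `tunnelall` in place, client Internet traffic passes through the corporate firewall's policy and logging instead of leaving directly from the remote host.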


