[fw-wiz] Pix 501 & 506 PixOS 7.0 compatibility
From: Jimmy Sadri (jimmys_at_myesn.com)
Date: 10/20/05
- Previous message: Subha Venkataramanan: "[fw-wiz] Traffic Shaping in Fortinet"
- In reply to: Joe Dollard: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"
- Next in thread: Greg Spath: "Re: [fw-wiz] Pix VPN endpoint and split-tunnel"
To: <firewall-wizards@honor.icsalabs.com>
Date: Wed, 19 Oct 2005 22:12:03 -0700
Hi all,
Does anyone on this list know if Cisco is ever planning a 7.0 release
for the 501 and 506 Pix hardware? I was a Beta tester for 7.0 when it
was in the Beta stage and when I asked them about it (back in March)
they said that there would be support for the 501 and 506 in a
follow-on release but they didn't say when. I was wondering if anyone
has any info on when or if this will ever happen?
================================================
Jimmy Sadri CISSP, CCSP, CCNP, MCSE, MCSA
Network Engineer
Network Security Analyst
CBK Instructor
Consultant
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Joe Dollard
Sent: Thursday, October 13, 2005 5:52 PM
To: Paul Melson
Cc: 'Hughes, Chris'; firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel
Paul Melson wrote:
>-----Original Message-----
>Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
>
>>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn client and
>>would like to force the client to use the corporate network for internet access. I
>>don't want to allow split-tunnel. I can't find any info on how to do this. Is split
>>tunnel the only way to give a vpn client internet access once they are connected?
>
>The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
>take traffic that arrives on one interface and pass it back out that same
>interface, even when the traffic arrives via VPN tunnel. That said, you can
>sort of solve this problem by having the clients use a proxy server while
>connected via full tunnel. There may or may not be an elegant way to
>automate this for your road warriors, but this would really be independent
>of anything the PIX or VPN client do. (Think login scripts, Group Policy,
>etc.)
>
While I haven't tried this yet, it's my understanding that with PIX 7.0
this is possible to do with the same-security-traffic command.
According to the PIX documentation
(http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
this allows you to "permit communication between interfaces with equal
security levels".
Regards,
Joe
>If it's a big enough issue that you're willing to spend time and resources
>on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
>They can do exactly what you're asking for, plus they possess a number of
>other features for managing VPN client users that the PIX doesn't have.
>(Like dynamic VPN profile assignment via RADIUS.)
>
>PaulM
>
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards