[fw-wiz] Pix 501 & 506 PixOS 7.0 compatibility

From: Jimmy Sadri (jimmys_at_myesn.com)
Date: 10/20/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 19 Oct 2005 22:12:03 -0700
    
    

    Hi all,

    Does anyone on this list know if Cisco
    is ever planning a 7.0 release for the 501 and 506
    Pix hardware? I was a Beta tester for 7.0 when it
    was in the Beta stage and when I asked them about it
    (back in March) they said that there would be support
    for the 501 and 506 in a follow-on release but they
    didn't say when. I was wondering if anyone has any
    info on when or if this will ever happen?

    ================================================
    Jimmy Sadri CISSP, CCSP, CCNP, MCSE, MCSA
    Network Engineer
    Network Security Analyst
    CBK Instructor
    Consultant

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Joe Dollard
    Sent: Thursday, October 13, 2005 5:52 PM
    To: Paul Melson
    Cc: 'Hughes, Chris'; firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

    Paul Melson wrote:

    >-----Original Message-----
    >Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    >
    >>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
    >>client and would like to force the client to use the corporate network for
    >>internet access. I don't want to allow split-tunnel. I can't find any info
    >>on how to do this. Is split tunnel the only way to give a vpn client
    >>internet access once they are connected?
    >
    >The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
    >take traffic that arrives on one interface and pass it back out that same
    >interface, even when the traffic arrives via VPN tunnel. That said, you can
    >sort of solve this problem by having the clients use a proxy server while
    >connected via full tunnel. There may or may not be an elegant way to
    >automate this for your road warriors, but this would really be independent
    >of anything the PIX or VPN client do. (Think login scripts, Group Policy,
    >etc.)
    >
    While I haven't tried this yet, it's my understanding that with PIX 7.0
    this is possible to do with the same-security-traffic command.
    According to the PIX documentation
    (http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
    this allows you to "permit communication between interfaces with equal
    security levels".

    Regards,
    Joe

    >If it's a big enough issue that you're willing to spend time and resources
    >on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
    >They can do exactly what you're asking for, plus they possess a number of
    >other features for managing VPN client users that the PIX doesn't have.
    >(Like dynamic VPN profile assignment via RADIUS.)
    >
    >PaulM
    >
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

