[fw-wiz] Pix 501 & 506 PixOS 7.0 compatibility

From: Jimmy Sadri (jimmys_at_myesn.com)
Date: 10/20/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 19 Oct 2005 22:12:03 -0700
    
    

    Hi all,

    Does anyone on this list know if Cisco
    is ever planning a 7.0 release for the 501 and 506
    Pix hardware? I was a Beta tester for 7.0 when it
    was in the Beta stage and when I asked them about it
    (back in March) they said that there would be support
    for the 501 and 506 in a follow-on release but they
    didn't say when. I was wondering if anyone has any
    info on when or if this will ever happen?

    ================================================
    Jimmy Sadri CISSP, CCSP, CCNP, MCSE, MCSA
    Network Engineer
    Network Security Analyst
    CBK Instructor
    Consultant

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Joe Dollard
    Sent: Thursday, October 13, 2005 5:52 PM
    To: Paul Melson
    Cc: 'Hughes, Chris'; firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

    Paul Melson wrote:

    >-----Original Message-----
    >Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    >
    >>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
    >>client and would like to force the client to use the corporate network for
    >>internet access. I don't want to allow split-tunnel. I can't find any info
    >>on how to do this. Is split tunnel the only way to give a vpn client
    >>internet access once they are connected?
    >
    >The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
    >take traffic that arrives on one interface and pass it back out that same
    >interface, even when the traffic arrives via VPN tunnel. That said, you can
    >sort of solve this problem by having the clients use a proxy server while
    >connected via full tunnel. There may or may not be an elegant way to
    >automate this for your road warriors, but this would really be independent
    >of anything the PIX or VPN client do. (Think login scripts, Group Policy,
    >etc.)
    >
    While I haven't tried this yet, it's my understanding that with PIX 7.0
    this is possible to do with the same-security-traffic command.
    According to the PIX documentation
    (http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
    this allows you to "permit communication between interfaces with equal
    security levels".

    Regards,
    Joe

    >If it's a big enough issue that you're willing to spend time and resources
    >on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
    >They can do exactly what you're asking for, plus they possess a number of
    >other features for managing VPN client users that the PIX doesn't have.
    >(Like dynamic VPN profile assignment via RADIUS.)
    >
    >PaulM
    >
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

