RE: [fw-wiz] Pix 501 & 506 PixOS 7.0 compatibility

From: Alan Holmes (aholmes_at_jrholmes.com)
Date: 10/26/05

  • Next message: Paul Melson: "RE: [fw-wiz] Pix VPN endpoint and split-tunnel"
    To: "'Jimmy Sadri'" <jimmys@myesn.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 26 Oct 2005 15:48:30 -0500
    
    

    The info I got from a Cisco Security SE is that the 501 and 506 will support
    7.0 but with a subset of the features available in the 515.

    No date on the release :(

    Alan

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Jimmy Sadri
    Sent: Thursday, October 20, 2005 12:12 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Pix 501 & 506 PixOS 7.0 compatibility

    Hi all,

    Does anyone on this list know if Cisco is ever planning a 7.0 release for
    the 501 and 506 Pix hardware? I was a beta tester for 7.0 when it was in the
    beta stage, and when I asked them about it (back in March) they said that
    there would be support for the 501 and 506 in a follow-on release, but they
    didn't say when. I was wondering if anyone has any info on when or if this
    will ever happen?

    ================================================
    Jimmy Sadri CISSP, CCSP, CCNP, MCSE, MCSA Network Engineer Network Security
    Analyst CBK Instructor Consultant

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Joe Dollard
    Sent: Thursday, October 13, 2005 5:52 PM
    To: Paul Melson
    Cc: 'Hughes, Chris'; firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

    Paul Melson wrote:

    >-----Original Message-----
    >Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    >
    >>I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
    >>client and would like to force the client to use the corporate network for
    >>internet access. I don't want to allow split-tunnel. I can't find any info
    >>on how to do this. Is split tunnel the only way to give a vpn client
    >>internet access once they are connected?
    >
    >The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't
    >take traffic that arrives on one interface and pass it back out that same
    >interface, even when the traffic arrives via VPN tunnel. That said, you can
    >sort of solve this problem by having the clients use a proxy server while
    >connected via full tunnel. There may or may not be an elegant way to
    >automate this for your road warriors, but this would really be independent
    >of anything the PIX or VPN client do. (Think login scripts, Group Policy,
    >etc.)
    >
    While I haven't tried this yet, it's my understanding that with PIX 7.0 this
    is possible to do with the same-security-traffic command. According to the
    PIX documentation
    (http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
    this allows you to "permit communication between interfaces with equal
    security levels".

    Regards,
    Joe

    >If it's a big enough issue that you're willing to spend time and resources
    >on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
    >They can do exactly what you're asking for, plus they possess a number of
    >other features for managing VPN client users that the PIX doesn't have.
    >(Like dynamic VPN profile assignment via RADIUS.)
    >
    >PaulM
    >
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
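
    The full-tunnel hairpin that Joe's reply points at, written out as a
    PIX/ASA 7.0-style configuration. This is an added example, not
    configuration from the thread or from the Cisco page it cites. The
    interface names, the 10.0.0.0/24 inside network, the 192.168.100.0/24
    client pool, the names VPNPOOL, NONAT, RA_POLICY, RA_GROUP, RA_TS, RA_DYN
    and OUTSIDE_MAP, and the pre-shared key placeholder are all assumptions.

```text
! Added example (not from the thread or the cited Cisco doc): PIX/ASA 7.0-style
! remote-access VPN with split tunnelling disabled. Client Internet traffic
! arrives on "outside" inside the tunnel and is sent back out "outside"
! (hairpinning). Interface names, addresses, pool, object names and the
! pre-shared key are assumed.

! 1. Let traffic enter and leave the same interface. Without this line the
!    PIX drops hairpinned packets and tunnelall clients simply lose Internet.
same-security-traffic permit intra-interface

! 2. Address pool handed to VPN clients (assumed range).
ip local pool VPNPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 3. PAT for the hairpinned flow: source is the VPN pool, arriving on outside,
!    translated to the outside interface address on the way back out.
global (outside) 1 interface
nat (outside) 1 192.168.100.0 255.255.255.0
! Ordinary inside -> outside PAT (assumed inside network 10.0.0.0/24).
nat (inside) 1 10.0.0.0 255.255.255.0

! 4. Do not translate inside -> VPN client traffic (identity NAT via ACL).
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 5. Group policy: everything through the tunnel. The split-tunnel variant the
!    original poster wants to avoid would instead carry:
!      split-tunnel-policy tunnelspecified
!      split-tunnel-network-list value SPLIT_ACL
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.10

! 6. Tunnel group for the Cisco VPN client (pre-shared key is a placeholder).
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool VPNPOOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key REPLACE-ME

! 7. Phase 1/2. 7.0 spells these "isakmp ..." and "sysopt connection
!    permit-ipsec"; 7.2 and later renamed them "crypto isakmp ..." and
!    "sysopt connection permit-vpn".
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set RA_TS esp-3des esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
sysopt connection permit-ipsec
```

    Two things to check after pasting this in: "show running-config
    same-security-traffic" must show the intra-interface line, and with a
    client connected and browsing, "show xlate" should list pool addresses
    translated to the outside interface address. If the translations never
    appear, the nat (outside) / global (outside) pair is the usual culprit.
    The security gain of tunnelall is that road-warrior web traffic now passes
    the corporate egress filtering and logging; the cost is that every client
    byte crosses the outside link twice, and that a broken hairpin fails closed
    rather than quietly falling back to the client's local default route.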

