PIX Help: Got a "scratcher"

Posted by Jon Doe on March 7, 2006, 1:20 pm
I'm really hoping some of the PIX firewall experts might be able to help me
here, and I hope my explanation of the situation will be of help.

The initial scenario is that I'm in companyA, and companyB is a vendor of
ours for whom we host servers and other network equipment. When
communicating with companyB, we use private IP's instead of going out via
the internet. We're able to do this because companyB has a PIX506 firewall
whose outside interface is directly connected to one of our (companyA)
VLANs. We route the traffic to that outside interface and from there, that
PIX506 sends it to a router (also at our location) with a DS3 connection to
companyB's main network (offsite).

In order to reach companyB's PIX506, traffic coming from companyA goes
through a PIX525 Firewall via a DMZ with a security level of 1 (so it's the
route statements on the PIX525 that sends it out the DMZ to the PIX506). I
should also mention that companyA's PIX525 has VPN set up on it. Ok, I
really hope this helps... though I'm sure it would've been easier if I knew
how to draw an effective picture on here.

So now here's the problem: this network works fine when the users trying to
reach companyB from companyA are coming from the "inside" network of the
PIX525. However, users using VPN are unable to get there. It seems to me that
since VPN users come in from the "outside" interface of the PIX525
(security0), they're unable to be sent right back out again through the DMZ
(security1).

Is there any way at all that VPN users (who use the Cisco VPN client) might be
able to go out through this DMZ in question? I should mention here that these
VPN users are able to access pretty much everything on the "inside" networks
and all the DMZ's on the PIX 525 (we have about 6 DMZ's). My assumption is
that this is not going to be possible with the current PIX configuration
(using version 6.3(4)). Would PIX version 7.x.x help? Or would moving VPN
users off the PIX to something like an ASA5500 help? For now, I've told VPN
users to TS into a server on the "inside" network in order for this to work,
but I'm desperate for a permanent solution where VPN users will have the
same access to companyB that "inside" users do.

Thanks a lot in advance!



Posted by Pure Networks on March 7, 2006, 3:43 pm
If I understand the situation correctly, there are a couple of ways to
do this. You need to modify the rules so that VPN traffic is
permitted to be directly routed from your VPN pool to companyB, or
alternately you can use NAT to make the traffic appear as if it
originated from a subnet that is on the permitted list. Just my 2
cents.
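The two approaches described in the reply above, written out as PIX 6.3-style configuration. This is an added illustration, not configuration from the original thread or from either company, and it has not been taken from any device in the thread: every interface name, address and ACL name is made up. Assumed: the PIX525 terminates the Cisco VPN Client sessions on its outside interface (security0), the DMZ that carries the link to companyB's PIX506 is called dmz1 (security1) with the PIX506's outside interface at 10.20.1.2, the VPN address pool is 10.99.0.0/24, and companyB's networks behind the PIX506 are 172.16.0.0/16.

```text
! ---- Assumed addressing (hypothetical, not from the thread) ----
! outside   security0   terminates Cisco VPN Client sessions
! dmz1      security1   VLAN shared with companyB's PIX506 (PIX506 outside = 10.20.1.2)
! VPN pool  10.99.0.0/24
! companyB  172.16.0.0/16, reached through the PIX506

! Common to both approaches
! Decrypted IPsec traffic bypasses the ACL applied to the outside interface
sysopt connection permit-ipsec

ip local pool vpnpool 10.99.0.1-10.99.0.254
vpngroup remoteusers address-pool vpnpool

! companyB's networks live behind the PIX506, so point the route out dmz1
route dmz1 172.16.0.0 255.255.0.0 10.20.1.2 1

! outside (0) -> dmz1 (1) is low-to-high: the PIX needs a translation entry for
! the destination before it will forward. An identity static exposes 172.16/16
! toward the outside side without changing any addresses.
static (dmz1,outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0

! ---- Approach 1: permit the VPN pool straight through, unchanged ----
! Only needed if sysopt connection permit-ipsec is NOT in use; otherwise the
! decrypted traffic is not checked against this ACL at all.
access-list outside_in permit ip 10.99.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-group outside_in in interface outside
! companyB's PIX506 must in turn accept 10.99.0.0/24 as a source on its outside
! interface, and companyB needs a return route for 10.99.0.0/24 back to this PIX.

! ---- Approach 2: outside NAT so VPN users look like a companyA host ----
! PIX 6.2+ "outside NAT": pool traffic leaving dmz1 is PATed to 10.20.1.99, an
! address the PIX506 already permits, so nothing changes on companyB's side.
nat (outside) 1 10.99.0.0 255.255.255.0 outside
global (dmz1) 1 10.20.1.99
```

When testing, have a VPN user ping a companyB host while watching `show xlate` (the identity entries for 172.16.0.0/16 and, with approach 2, the PAT entries on 10.20.1.99 should appear) and `debug icmp trace`. A `%PIX-3-305005` "No translation group found" syslog for that flow means the static or the outside NAT/global pair is missing for the interface pair the packet is crossing. Approach 2 is the less intrusive of the two for companyB, since only the PIX525 changes; approach 1 keeps the real VPN addresses visible in companyB's logs.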


Posted by news.qwest.net on March 17, 2006, 10:31 am
I'd recommend setting up a VPN concentrator. I had a similar situation
(and used the same TS workaround!) - CompanyA, CompanyB, and CompanyC
connected via a PIX 515 and 2 PIX 506s. I could VPN successfully to
CompanyA, but I could not access anything at CompanyB/C due to the PIX
limitations. I setup a VPN3005 at CompanyA and all is well.

- Mark
