Help with VPNs - Client and Site-to-Site
mrT4pres (Member, 2 posts)
First off, great site! Now here's my issue...
Not sure if a 506e will work with this but, how do you configure the PIX to allow users to VPN into one PIX and still access other subnets (tunnels)? At the moment, I have users VPNing into PIXs to gain access to resources on that particular subnet - I would like users to connect to one PIX instead.

"Never interrupt your enemy when he is making a mistake."
- Napoleon Bonaparte
Comments
sprkymrk (Member, 4,884 posts)

I can't help you specifically on the PIX, but maybe in general theory, and you can see if you can apply it to the PIX.

I have my users terminate their VPN on the external interface of the firewall, then I pass the traffic up to the proxies (i.e. the firewall rule set) and create rules that allow them access to various resources. One thing is that the VPN uses a universal tunnel rather than a split-arm tunnel. That way, once they launch the VPN, ALL their traffic flows through it, not just the traffic destined for my network.

That way I don't have to create multiple tunnels, just one tunnel that is pointing to the external interface. I don't like the idea of using VPN passthrough on my borders.

I'm not sure if that was helpful or not.... I wish I knew more about the PIX.

All things are possible, only believe.
Ahriakin (Member, 1,799 posts)

Pre 7.x, traffic cannot pass between interfaces of the same security level, which poses a big problem for VPNs. If you have alternate routes to the subnets you need to access from the VPN then it's not an issue, but you cannot have users on one subnet come in via the PIX outside interface/VPN and talk directly to other subnets/VPNs that also terminate on that interface. This can be enabled on 7.x.

We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
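To make the 7.x point concrete, here is an added configuration sketch (not from this thread, not from Cisco's linked document, and not from any poster) of a PIX 7.x hub that terminates both a remote-access VPN and a site-to-site tunnel on its outside interface and lets the clients reach the remote site through the hub. All names, addresses and the peer IP are constructed placeholders; the pre-shared keys are deliberately left as placeholders.

```cisco
! Added example: PIX 7.x hairpinning of remote-access VPN clients onto
! an existing site-to-site tunnel. Addresses and names are constructed.
!
! Local LAN:          10.1.1.0/24   (inside)
! Remote-access pool: 192.168.100.0/24
! Branch LAN:         10.2.2.0/24   (reached via site-to-site peer 203.0.113.2)

! 1. The 7.x knob Ahriakin refers to: let a flow enter and leave the SAME
!    interface. Without it the client -> branch traffic is dropped on outside.
same-security-traffic permit intra-interface

! 2. Address pool handed to remote-access clients
ip local pool VPNPOOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! 3. NAT exemption for everything that must enter a tunnel unchanged.
!    The client -> branch flow arrives and leaves on outside, so the
!    exemption is needed on the outside interface as well as inside.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 0 access-list NONAT

! 4. Site-to-site crypto ACL: besides LAN -> branch it must also carry
!    pool -> branch, or the hairpinned traffic never matches the tunnel.
access-list L2L_TO_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L_TO_BRANCH extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA

! 5. Remote-access clients land on a dynamic crypto map entry
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2

! 6. Split tunnel: the branch subnet must be in the client's list, or use
!    a full tunnel (no split-tunnel-policy) as sprkymrk describes.
access-list SPLIT standard permit 10.1.1.0 255.255.255.0
access-list SPLIT standard permit 10.2.2.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool VPNPOOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <REMOTE-ACCESS-PSK-PLACEHOLDER>

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <SITE-TO-SITE-PSK-PLACEHOLDER>
```

The branch end needs the mirror image: its crypto ACL must include 10.2.2.0/24 to 192.168.100.0/24 and its NAT exemption must cover the same pair, otherwise the return traffic is either not encrypted or is translated before it reaches the tunnel. The security trade-off of `same-security-traffic permit intra-interface` is that client traffic can now be redirected back out the interface it came in on, so keep a narrow split-tunnel list (or a full tunnel) and interface ACLs that only permit the pool to the subnets it actually needs.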
mrT4pres (Member, 2 posts)

I see..well, I was able to find the following link, which appears it would help with my situation:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml
Just as you said, it can be enabled on 7.x. Hopefully there aren't too many disadvantages to enabling this feature. If anyone is currently using this VPN feature, I would appreciate some feedback before implementing it on our network.

"Never interrupt your enemy when he is making a mistake."
- Napoleon Bonaparte