Firewall Wizards mailing list archives

Pix 501 & 506 PixOS 7.0 compatibility


From: "Jimmy Sadri" <jimmys () myesn com>
Date: Wed, 19 Oct 2005 22:12:03 -0700

Hi all,

Does anyone on this list know if Cisco is ever planning a 7.0 release for
the 501 and 506 Pix hardware?  I was a Beta tester for 7.0 when it was in
the Beta stage and when I asked them about it (back in March) they said that
there would be support for the 501 and 506 in a follow-on release but they
didn't say when.  I was wondering if anyone has any info on when or if this
will ever happen?



================================================ 
Jimmy Sadri  CISSP, CCSP, CCNP, MCSE, MCSA
Network Engineer 
Network Security Analyst 
CBK Instructor 
Consultant

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joe Dollard
Sent: Thursday, October 13, 2005 5:52 PM
To: Paul Melson
Cc: 'Hughes, Chris'; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

Paul Melson wrote:

-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
client and would like to force the client to use the corporate network for
internet access.  I don't want to allow split-tunnel.  I can't find any info
on how to do this.  Is split tunnel the only way to give a vpn client
internet access once they are connected?

The short answer is yes.  PIX-fu rule #1: the PIX is not a router.  It can't
take traffic that arrives on one interface and pass it back out that same
interface, even when the traffic arrives via VPN tunnel.  That said, you can
sort of solve this problem by having the clients use a proxy server while
connected via full tunnel.  There may or may not be an elegant way to
automate this for your road warriors, but this would really be independent
of anything the PIX or VPN client do.  (Think login scripts, Group Policy,
etc.)

While I haven't tried this yet, it's my understanding that with PIX 7.0
this is possible to do with the same-security-traffic command.
According to the PIX documentation
(http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
this allows you to "permit communication between interfaces with equal
security levels".

Regards,
Joe

If it's a big enough issue that you're willing to spend time and resources
on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
They can do exactly what you're asking for, plus they possess a number of
other features for managing VPN client users that the PIX doesn't have.
(Like dynamic VPN profile assignment via RADIUS.)

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
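The setup Joe describes (full tunnel plus same-security-traffic so client traffic can come in and go back out the outside interface), as an added configuration example that is not from any poster on this thread. The policy, tunnel-group and pool names, the 192.0.2.0/24 client pool and the interface-based NAT are assumptions; crypto map, ISAKMP and authentication settings needed for a complete remote-access VPN are left out.

```cisco
! Added example for PIX 7.0; names and addresses below are assumptions.
! 1. Remote-access group policy that refuses split tunneling, so every
!    client packet (internet traffic included) enters the tunnel.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelall

ip local pool VPN-POOL 192.0.2.10-192.0.2.100 mask 255.255.255.0

tunnel-group RA-TUNNEL type ipsec-ra
tunnel-group RA-TUNNEL general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY

! 2. The piece PIX 6.x lacked: let traffic that arrived on the outside
!    interface (decrypted from the tunnel) be forwarded back out the
!    same interface toward the internet.
same-security-traffic permit intra-interface

! 3. Translate the client pool to the outside address on the way back out,
!    so internet replies return to the PIX and are re-encrypted to the client.
nat (outside) 1 192.0.2.0 255.255.255.0
global (outside) 1 interface
```

Without step 2 the decrypted client packets destined for the internet are dropped, which is the behaviour Paul describes for the 6.x PIX.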
