Firewall Wizards mailing list archives
RE: Pix 501 & 506 PixOS 7.0 compatability
From: "Alan Holmes" <aholmes () jrholmes com>
Date: Wed, 26 Oct 2005 15:48:30 -0500
The info I got from a Cisco Security SE is that the 501 and 506 will support 7.0 but with a subset of the features available in the 515. No date on the release :(

Alan

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Jimmy Sadri
Sent: Thursday, October 20, 2005 12:12 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Pix 501 & 506 PixOS 7.0 compatability

Hi all,

Does anyone on this list know if Cisco is ever planning a 7.0 release for the 501 and 506 Pix hardware? I was a Beta tester for 7.0 when it was in the Beta stage and when I asked them about it (back in March) they said that there would be support for the 501 and 506 in a follow on release but they didn't say when. I was wondering if anyone has any info on when or if this will ever happen?

================================================
Jimmy Sadri CISSP, CCSP, CCNP, MCSE, MCSA
Network Engineer Network Security Analyst CBK Instructor Consultant

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joe Dollard
Sent: Thursday, October 13, 2005 5:52 PM
To: Paul Melson
Cc: 'Hughes, Chris'; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

Paul Melson wrote:
-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

I am trying to configure a cisco pix as a vpn endpoint for the cisco vpnclient and would like to force the client to use the corporate network for internet access. I don't want to allow split-tunnel. I can't find any info on how to do this. Is split tunnel the only way to give a vpn client internet access once they are connected?

The short answer is yes. PIX-fu rule #1: the PIX is not a router. It can't take traffic that arrives on one interface and pass it back out that same interface, even when the traffic arrives via VPN tunnel. That said, you can sort of solve this problem by having the clients use a proxy server while connected via full tunnel. There may or may not be an elegant way to automate this for your road warriors, but this would really be independent of anything the PIX or VPN client do. (Think login scripts, Group Policy, etc.)

While I haven't tried this yet, it's my understanding that with PIX 7.0 this is possible to do with the same-security-traffic command. According to the PIX documentation (http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461) this allows you to "permit communication between interfaces with equal security levels".

Regards,
Joe

If it's a big enough issue that you're willing to spend time and resources on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?). They can do exactly what you're asking for, plus they possess a number of other features for managing VPN client users that the PIX doesn't have. (Like dynamic VPN profile assignment via RADIUS.)

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Pix VPN endpoint and split-tunnel Hughes, Chris (Oct 12)
- RE: Pix VPN endpoint and split-tunnel Paul Melson (Oct 13)
- Re: Pix VPN endpoint and split-tunnel Joe Dollard (Oct 19)
- Pix 501 & 506 PixOS 7.0 compatability Jimmy Sadri (Oct 26)
- RE: Pix 501 & 506 PixOS 7.0 compatability Paul Melson (Oct 31)
- RE: Pix 501 & 506 PixOS 7.0 compatability Alan Holmes (Oct 31)
- Re: Pix VPN endpoint and split-tunnel Joe Dollard (Oct 19)
- Re: Pix VPN endpoint and split-tunnel Greg Spath (Oct 26)
- RE: Pix VPN endpoint and split-tunnel Paul Melson (Oct 31)
- RE: Pix VPN endpoint and split-tunnel Paul Melson (Oct 13)
- Re: Pix VPN endpoint and split-tunnel Paul Pershing (Oct 20)
- <Possible follow-ups>
- RE: Pix VPN endpoint and split-tunnel Hughes, Chris (Oct 13)
- RE: Pix VPN endpoint and split-tunnel Alan Holmes (Oct 18)
- Re: Pix VPN endpoint and split-tunnel Jason Ostrom (Oct 20)
- RE: Pix VPN endpoint and split-tunnel Charlie Winckless (Oct 26)
- RE: Pix VPN endpoint and split-tunnel Brian Loe (Oct 31)
- RE: Pix VPN endpoint and split-tunnel Paul Melson (Oct 13)
- Re: Pix VPN endpoint and split-tunnel Victor Williams (Oct 18)