Firewall Wizards mailing list archives

RE: Pix 501 & 506 PixOS 7.0 compatability


From: "Alan Holmes" <aholmes () jrholmes com>
Date: Wed, 26 Oct 2005 15:48:30 -0500

The info I got from a Cisco Security SE is that the 501 and 506 will support
7.0 but with a subset of the features available in the 515.

No date on the release :(

Alan 

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Jimmy Sadri
Sent: Thursday, October 20, 2005 12:12 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Pix 501 & 506 PixOS 7.0 compatability

Hi all,

Does anyone on this list know if Cisco is ever planning a 7.0 release for
the 501 and 506 Pix hardware?  I was a Beta tester for 7.0 when it was in
the Beta stage and when I asked them about it (back in March) they said that
there would be support for the 501 and 506 in a follow on release but they
didn't say when.  I was wondering if anyone has any info on when or if this
will ever happen?



================================================
Jimmy Sadri  CISSP, CCSP, CCNP, MCSE, MCSA Network Engineer Network Security
Analyst CBK Instructor Consultant

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Joe Dollard
Sent: Thursday, October 13, 2005 5:52 PM
To: Paul Melson
Cc: 'Hughes, Chris'; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Pix VPN endpoint and split-tunnel

Paul Melson wrote:

-----Original Message-----
Subject: [fw-wiz] Pix VPN endpoint and split-tunnel

 

I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
client and would like to force the client to use the corporate network for
internet access.  I don't want to allow split-tunnel.  I can't find any info
on how to do this.  Is split tunnel the only way to give a vpn client
internet access once they are connected?

The short answer is yes.  PIX-fu rule #1: the PIX is not a router.  It can't
take traffic that arrives on one interface and pass it back out that same
interface, even when the traffic arrives via VPN tunnel.  That said, you can
sort of solve this problem by having the clients use a proxy server while
connected via full tunnel.  There may or may not be an elegant way to
automate this for your road warriors, but this would really be independent
of anything the PIX or VPN client do.  (Think login scripts, Group Policy,
etc.)
 

While I haven't tried this yet, it's my understanding that with PIX 7.0 this
is possible to do with the same-security-traffic command.
According to the PIX documentation
(http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp2668461)
this allows you to "permit communication between interfaces with equal
security levels".

Regards,
Joe

If it's a big enough issue that you're willing to spend time and resources
on it, I would recommend looking at the VPN3K concentrators (or ASA 5500?).
They can do exactly what you're asking for, plus they possess a number of
other features for managing VPN client users that the PIX doesn't have.
(Like dynamic VPN profile assignment via RADIUS.)

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
