
VPN Question -- 2651 behind a PIX 515

Status
Not open for further replies.

bobjunga

Programmer
Mar 25, 2005
11
US
We have a PIX 515, with 3 interfaces -- outside, inside, and dmz. The 515 inside interface connects only to a 2600 router. The router has two other subnets (one a local switch and the other a private T1 to another location).

I want to be able to VPN into the LAN and be able to work as if I were connected there, which means I need access to resources in the DMZ also. (Some of our intranet apps are in the DMZ because they also have public components.)

I understand that the 515 acting as a VPN server can't do this because it can't hairpin -- the VPN tunnel terminates on the inside interface, and if the packet is addressed for the DMZ interface, it would have to route back through the same interface that it was delivered to. (Apparently PIX OS 7.0 will support this when it comes out.)

By using the 2600, is there a way to do this now?

1) Is there a way to get the 515 to send DMZ-addressed packets (only when they come from the VPN) to the 2600, which can hairpin and thus send them back to the 515 as regular packets?

2) Can a 2651 be a VPN server? Then we could have the 515 just pass the VPN traffic through to it.

3) What (inexpensive) hardware could we add to this setup to make it work? I think an expensive VPN concentrator would be one solution.

4) I am thinking of just getting rid of the DMZ and putting the web and other internet servers on the inside interface. Is that acceptable, even if not ideal?

Thanks for your advice.

--BobG