
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,349 messages   


   Message 1,940 of 2,349   
   Jon Doe to All   
   PIX Help: Got a "scratcher"   
   07 Mar 06 12:20:42   
   
   XPost: comp.dcom.sys.cisco   
   From: jdoe@comcast.net   
      
   I'm really hoping some of the PIX firewall experts might be able to help me   
   here, and I hope my explanation of the situation will be of help.   
      
   The initial scenario is that I'm in companyA, and companyB is a vendor of
   ours for whom we host servers and other network equipment. When
   communicating with companyB, we use private IPs instead of going out via
   the internet. We're able to do this because companyB has a PIX506 firewall
   whose outside interface is directly connected to one of our (companyA)
   VLANs. We route the traffic to that outside interface and from there, that
   PIX506 sends it to a router (also at our location) with a DS3 connection to
   companyB's main network (offsite).
      
   In order to reach companyB's PIX506, traffic coming from companyA goes
   through a PIX525 Firewall via a DMZ with a security level of 1 (so it's the
   route statements on the PIX525 that send it out the DMZ to the PIX506). I
   should also mention that companyA's PIX525 has VPN set up on it. Ok, I
   really hope this helps... though I'm sure it would've been easier if I knew
   how to draw an effective picture on here.
      
   So now here's the problem: this network works fine when the users trying to
   reach companyB from companyA are coming from the "inside" network of the
   PIX525. However, users using VPN are unable to get there. It seems to me that
   since VPN users come in from the "outside" interface of the PIX525
   (security0), they're unable to be sent right back out again through the DMZ
   (security1).
      
   Is there any way at all that VPN users (who use the cisco VPN client) might
   be able to go out through this DMZ in question? I should mention here that
   these VPN users are able to access pretty much everything on the "inside"
   networks and all the DMZs on the PIX 525 (we have about 6 DMZs). My
   assumption is that this is not going to be possible with the current PIX
   configuration (using version 6.3(4)). Would PIX version 7.x.x help? Or would
   moving VPN users off the PIX to something like an ASA5500 help? For now,
   I've told VPN users to TS into a server on the "inside" network in order for
   this to work, but I'm desperate for a permanent solution where VPN users will
   have the same access to companyB that "inside" users do.
      
   Thanks a lot in advance!   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
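The sketch below is an added illustration and is not part of the post above nor a verified fix for the poster's network. It lays out, in PIX 6.3 command syntax, the pieces a practitioner would check when VPN-client traffic has to leave through a lower-security DMZ toward a third party: a route for companyB's address space pointing at the DMZ, NAT exemption so the VPN pool addresses are carried unchanged, and, the point most often missed, a return route for the VPN pool on every hop beyond the PIX525 (the PIX506 and the DS3 router), since those devices have never seen the pool subnet. All interface names, pool addresses and subnets are assumed placeholders.

```cisco
! --- PIX525 (companyA), PIX 6.3 syntax; all addresses are assumed placeholders ---

! DMZ that faces companyB's PIX506 (security level 1, per the post)
nameif ethernet2 dmz_companyb security1
ip address dmz_companyb 10.1.1.1 255.255.255.0

! VPN client address pool handed out to Cisco VPN Client users
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Route companyB's (assumed) address space out the DMZ to the PIX506's outside interface
route dmz_companyb 172.16.0.0 255.255.0.0 10.1.1.2 1

! NAT exemption: traffic between companyB's space and the VPN pool keeps its
! real addresses, so companyB sees 192.168.100.x and can route back to it
access-list nonat_dmz permit ip 172.16.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (dmz_companyb) 0 access-list nonat_dmz

! Decrypted IPsec traffic bypasses the interface ACLs (otherwise outside->dmz,
! i.e. security0 -> security1, needs an explicit access-list on outside)
sysopt connection permit-ipsec

! --- PIX506 (companyB) and the DS3 router: the part that lives off the PIX525 ---
! Both need a path back to the VPN pool via the PIX525's DMZ interface, or
! replies from companyB are dropped long before they reach the PIX525.
! On the PIX506 (its outside interface sits on companyA's VLAN, per the post):
route outside 192.168.100.0 255.255.255.0 10.1.1.1 1
```

Checking it from the PIX525 side: `show route` should list companyB's networks via the DMZ, `show xlate` should show no translation for a VPN-pool address once a client has tried to reach companyB, and a packet capture on the DMZ should show the request leaving with its 192.168.100.x source. If the request leaves but nothing comes back, the missing piece is the return route on the PIX506 or the DS3 router rather than anything on the PIX525.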
