
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,946 of 2,348   
   news.qwest.net to Jon Doe   
   Re: PIX Help: Got a "scratcher"   
   17 Mar 06 08:31:16   
   
   XPost: comp.dcom.sys.cisco   
   From: alaundry@qwest.net   
      
   I'd recommend setting up a VPN concentrator.   I had a similar situation
   (and used the same TS workaround!) - CompanyA, CompanyB, and CompanyC
   connected via a PIX 515 and 2 PIX 506s.  I could VPN successfully to
   CompanyA, but I could not access anything at CompanyB/C due to the PIX
   limitations.  I set up a VPN3005 at CompanyA and all is well.
      
    - Mark   
      
   "Jon Doe"  wrote in message
   news:3eydnVm6h8KaUpDZnZ2dnUVZ_tGdnZ2d@comcast.com...
   > I'm really hoping some of the PIX firewall experts might be able to help
   > me here, and I hope my explanation of the situation will be of help.
   >
   > The initial scenario is that I'm in companyA, and companyB is a vendor of
   > ours for whom we host servers and other network equipment. When
   > communicating with companyB, we use private IPs instead of going out via
   > the internet. We're able to do this because companyB has a PIX506 firewall
   > whose outside interface is directly connected to one of our (companyA)
   > VLANs. We route the traffic to that outside interface and from there, that
   > PIX506 sends it to a router (also at our location) with a DS3 connection
   > to companyB's main network (offsite).
   >
   > In order to reach companyB's PIX506, traffic coming from companyA goes
   > through a PIX525 firewall via a DMZ with a security level of 1 (so it's
   > the route statements on the PIX525 that send it out the DMZ to the PIX506).
   > I should also mention that companyA's PIX525 has VPN set up on it. Ok, I
   > really hope this helps... though I'm sure it would've been easier if I
   > knew how to draw an effective picture on here.
   >
   > So now here's the problem: this network works fine when the users trying
   > to reach companyB from companyA are coming from the "inside" network of
   > the PIX525. However, users using VPN are unable to get there. It seems to
   > me that since VPN users come in from the "outside" interface of the PIX525
   > (security0), they're unable to be sent right back out again through the
   > DMZ (security1).
   >
   > Is there any way at all that VPN users (who use the Cisco VPN client)
   > might be able to go out through this DMZ in question? I should mention
   > here that these VPN users are able to access pretty much everything on the
   > "inside" networks and all the DMZs on the PIX 525 (we have about 6 DMZs).
   > My assumption is that this is not going to be possible with the current
   > PIX configuration (using version 6.3(4)). Would PIX version 7.x.x help? Or
   > would moving VPN users off the PIX to something like an ASA5500 help? For
   > now, I've told VPN users to TS into a server on the "inside" network in
   > order for this to work, but I'm desperate for a permanent solution where
   > VPN users will have the same access to companyB that "inside" users do.
   >
   > Thanks a lot in advance!
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
