I have a multi-interfaced pix, the interface description is as follows:
Outside -> 10MB to ISP
Inside -> main vlan
dmz -> webservers, etc.
lab1 -> test application servers
lab2 -> test application servers
guest wireless -> open wireless access (connected to Cisco WAP)
The open wireless has only access to the internet, not any of the trusted networks. This is an untrusted interface (security lvl 1). The outside interface is security lvl 0.
I want to be able to allow vpn access from the wireless into the trusted networks just like vpn from the outside (internet) will be treated.
I guess that the pix sees a vpn connection attempt from one of its interfaces to another one.
The client times out connecting from the wireless to the pix outside interface IP.
The pix merely logs this:
Jan 20 2009 13:38:23: %PIX-7-710005: UDP request discarded from 192.168.20.5/1346 to GuestWireless:yy.yy.yy.yy/500
yy.yy.yy.yy = outside interface IP
The pix is also the dhcp server for the wireless network connections.
Can this even be done? If so, what am I missing?
The wireless leg of the PIX is security level 1 and the outside interface is security level 0. Would that not mean that vpn is being initiated from a higher security interface to a lower one? Yes, but the traffic is in the clear - requested to terminate a VPN connection from an interface locally attached to the PIX, effectively on the inside of the device. Pretty sure the PIX will refuse the connection it receives on the outside interface from the guest wireless interface.
No, it's not the same, something like:-
crypto isakmp enable GuestWireless - this tells the PIX to listen and accept ISAKMP/VPN connections made TO the GuestWireless interface from ANY device connected to that interface.