After demonstrating how easy it is to sniff traffic on unknown/unsecured wireless networks, I find myself needing to come up with a solution for the problem.
Since all of our laptop users have the Cisco VPN client installed, we thought about setting up a Pix firewall with VPN configured to act as a gateway to the Internet when users are "forced" to use unsecured wireless in the various parks and restaurants around the NYC area. I understand that Pix version 7 allows traffic to come in and out of the same interface now, so it would seem that this task is logically possible.
I would like to set up the firewall so that when users connect to wireless networks, they can connect to the firewall using VPN so that all wireless traffic is encrypted. The firewall will then act as a gateway to the Internet. For the test, I loaded Pix version 7.02 on a spare 506e, so I only have command-line access. Once the test is complete and I can demonstrate the results to the executive staff, we will get funded to buy an ASA 5510 just for the employees around NYC to use. I have configured the 506e for VPN access (without split tunneling, of course) and it's working like a charm, but I cannot get out to the Internet once I am connected. The VPN configuration is posted below. Any assistance will be greatly appreciated.
access-list net_vpn_net extended permit ip 192.168.80.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list net_vpn_net extended permit ip any 10.2.2.0 255.255.255.0
Cisco does not support Version 7 on the 506e. Version 7 can be installed and operate on a 506e since it only requires 5MB of flash, but you do not have enough flash left to install the Cisco Adaptive Security Device Manager (ASDM). That is why I am doing everything from the command line.
I will try the "same-security-traffic permit intra-interface" command and report back the results. Thanks for the information.
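For reference, here is what a minimal hairpin ("U-turn") configuration for this scenario looks like on PIX 7.x, as an added example that is not taken from the thread or from Cisco documentation. It reuses the 192.168.80.0/24 inside network, the 10.2.2.0/24 client pool and the net_vpn_net ACL from the posted config; the pool name VPN_POOL, the interface names inside/outside and the NAT id 1 are assumptions.

```cisco
! Allow traffic to enter and leave the same interface (outside). Without this,
! a VPN client's Internet-bound packets are dropped after decryption because
! they would have to go back out the interface they arrived on.
same-security-traffic permit intra-interface
!
! Address pool handed to the VPN clients (pool name is assumed).
ip local pool VPN_POOL 10.2.2.1-10.2.2.254 mask 255.255.255.0
!
! NAT exemption: inside LAN <-> VPN clients must not be translated,
! otherwise return traffic to the clients breaks. ACL from the posted config.
access-list net_vpn_net extended permit ip 192.168.80.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list net_vpn_net
!
! Normal PAT for the inside LAN going to the Internet.
nat (inside) 1 0.0.0.0 0.0.0.0
!
! The key line for Internet access without split tunneling: the VPN pool is
! seen on the OUTSIDE interface (after decryption) and must be PATed to the
! outside interface address when it is hairpinned back out to the Internet.
nat (outside) 1 10.2.2.0 255.255.255.0
global (outside) 1 interface
!
! Checks after a client connects and browses:
!   show xlate            - expect translations for 10.2.2.x -> outside IP
!   show crypto ipsec sa  - decaps/encaps counters increasing
```

If `show xlate` shows no entries for the pool addresses while the IPsec SA counters rise, the missing piece is almost always the outside NAT/global pair rather than the crypto configuration.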
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: