[fw-wiz] An interesting VPN problem

From: Jonas Anden (dajudge_at_home.se)
Date: 08/28/03

  • Next message: mailinglists_at_bock.nu: "[fw-wiz] tests about latency" 
    To: firewall-wizards@honor.icsalabs.com
Date: 28 Aug 2003 10:27:58 +0200

    Hi all you Wizes out there. I've got a bit of a problem that I think you
    might help me solve...

    I've got two Cisco PIX 501 with the latest software (6.3.1). We're
    trying to use them to set up a remote site with *all* client traffic on
    the remote network being redirected through the site-to-site tunnel
    (including the traffic that should ultimately end up on the Internet).
    Traffic from the remote network not targeted for the local network
    should be routed through a firewall reachable from the local network.

    My network looks like this:

    [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
             | |
             +-->[L-PIX]<-+

    L-NET - The network at the central site
            Net=192.168.20.0/24

    FW - Firewall protecting the entire network and
            providing user authentication for Internet access.
            Inside IP=192.168.20.1
            Outside IP=10.0.0.2

    L-PIX - Local tunnel endpoint at the central site.
            Connected to both the internal network at
            the central site and the Internet.
            Inside IP=192.168.20.2
            Outside IP=10.0.0.3

    B-GW - Border gateway of central site.
            IP=10.0.0.1

    INET - Internet

    R-PIX - PIX as border router of remote network.
            Inside IP=192.168.21.1
            Outside IP=10.10.0.2

    R-Net - Remote network.
            Net=192.168.21.0/24

    Now, what I want to do is first set up a tunnel between the two networks
    (L-NET and R-NET). Computers on L-NET has a default gateway of
    192.168.20.1, accessing Internet through FW. FW Provides access control
    for these users. FW also has a static route to route traffic to R-NET
    through the L-PIX.

    Computers on R-NET has the PIX inside IP (192.168.21.1) as the default
    gateway. All their traffic (including the traffic that should end up on
    the Internet,) should be transmitted through the tunnel. For the client
    traffic exiting the tunnel on L-NET, there needs to be a default gateway
    set to 192.168.20.1, so that their Internet traffic also exits through
    FW, and FW can provide access control for these users.

    It is absolutely vital that the traffic does not exit directly to the
    Internet at either PIX. All client traffic bound for the Internet *must*
    be routed through the firewall at the central site (FW).

    I've managed to set up a Site-to-Site VPN between the two PIXes,
    establishing network connectivity between the two networks, but I have
    found no solution to applying a default gateway for the traffic going
    from the remote network to Internet. The traffic needs to be
    source-routed in some way, or the clients on the remote network will not
    be able to access the Internet (or any of the other routed networks I've
    got set up here) at all.

    Is this at all possible to do with two PIXes? As far as I can tell, the
    remote PIX is doing what it should; forwarding *all* traffic through the
    tunnel. But the local PIX doesn't know what to do with the packets to
    the Internet, to it just drops them.

    If this is not possible with the PIXes, could anyone recommend a
    solution? I've done experiments with a Linux box with FreeS/WAN and got
    that to work (using source routing), but I'd like to use a peripheral
    for this job.

      // J

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: mailinglists_at_bock.nu: "[fw-wiz] tests about latency"

    Relevant Pages

    • [fw-wiz] Followup: An interesting VPN problem
      ... - Repeat above steps for the remote PIX, ... all traffic on the remote network is pushed ... > (including the traffic that should ultimately end up on the Internet). ... > that to work (using source routing), but I'd like to use a peripheral ...
      (Firewall-Wizards)
    • Re: mysterous connection problem for PIX 501 Networking
      ... there are two computers will be ... disconnected from internet. ... computers in LAN and 1 network printer. ... Until you upgrade the license count, you can telnet into the PIX ...
      (comp.dcom.sys.cisco)
    • Re: PIX506 - ACL Help
      ... the Cisco IOS firewall, not the PIX. ... a wildcard mask in a production system like I once did. ... So how do I ACL for the inside to access the 192.168.2.1 gateway, while denying access to all other IPs on this network. ... Meaning I can not access the 2.0 network, but also can not access the internet, or I can access the internet, while also able to access the LAN. ...
      (comp.dcom.sys.cisco)
    • Re: OWA Issues w/ small Bus. 2003 server
      ... network telnet to the Public IP of your pix on port 80. ... you only have 1 NIC in your SBS Server? ... You must configure a firewall to secure your local network from the ... firewall to users on the Internet: ...
      (microsoft.public.exchange.admin)
    • Re: VPN and Internet Connection
      ... Can't access the internal server when remote client establishes VPN ... Can't access the Internet while using VPN Can't access the remote network after ... ...
      (microsoft.public.windowsxp.network_web)