RE: [fw-wiz] An interesting VPN problem
From: Ben Nagy (ben_at_iagu.net)
Date: 08/29/03
- Previous message: Ben Nagy: "RE: [fw-wiz] IPSEC behind 5XT"
- In reply to: Jonas Anden: "[fw-wiz] An interesting VPN problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Jonas Anden'" <dajudge@home.se>, <firewall-wizards@honor.icsalabs.com>
Date: Fri, 29 Aug 2003 10:37:04 +0200
Why can't you just tell L-PIX to route to 0.0.0.0 via 192.168.20.1 on the
inside interface? If all it does is tunnel it doesn't need any other default
gateway does it? It has statics for R-Net, and you can add a static on the
out interface for the real IP of R-PIX.
I assume that this is a stupid question, but it's early here.
In any case, don't source route. At the very worst, put a cheap router
inside L-PIX and L-FW and you will easily be able to solve your problems.
ben
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Jonas Anden
> Sent: Thursday, August 28, 2003 10:28 AM
> To: firewall-wizards@honor.icsalabs.com
>
> Hi all you Wizes out there. I've got a bit of a problem that I think you
> might help me solve...
>
> I've got two Cisco PIX 501 with the latest software (6.3.1). We're
> trying to use them to set up a remote site with *all* client traffic on
> the remote network being redirected through the site-to-site tunnel
> (including the traffic that should ultimately end up on the Internet).
> Traffic from the remote network not targeted for the local network
> should be routed through a firewall reachable from the local network.
>
> My network looks like this:
>
>
> [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
>          |            |
>          +-->[L-PIX]<-+
>
>
> L-NET - The network at the central site
> Net=192.168.20.0/24
>
> FW - Firewall protecting the entire network and
> providing user authentication for Internet access.
> Inside IP=192.168.20.1
> Outside IP=10.0.0.2
>
> L-PIX - Local tunnel endpoint at the central site.
> Connected to both the internal network at
> the central site and the Internet.
> Inside IP=192.168.20.2
> Outside IP=10.0.0.3
>
> B-GW - Border gateway of central site.
> IP=10.0.0.1
>
> INET - Internet
>
> R-PIX - PIX as border router of remote network.
> Inside IP=192.168.21.1
> Outside IP=10.10.0.2
>
> R-Net - Remote network.
> Net=192.168.21.0/24
>
> Now, what I want to do is first set up a tunnel between the two networks
> (L-NET and R-NET). Computers on L-NET have a default gateway of
> 192.168.20.1, accessing the Internet through FW. FW provides access
> control for these users. FW also has a static route to route traffic to
> R-NET through the L-PIX.
>
> Computers on R-NET have the PIX inside IP (192.168.21.1) as the default
> gateway. All their traffic (including the traffic that should end up on
> the Internet) should be transmitted through the tunnel. For the client
> traffic exiting the tunnel on L-NET, there needs to be a default gateway
> set to 192.168.20.1, so that their Internet traffic also exits through
> FW, and FW can provide access control for these users.
>
> It is absolutely vital that the traffic does not exit directly to the
> Internet at either PIX. All client traffic bound for the Internet *must*
> be routed through the firewall at the central site (FW).
>
> I've managed to set up a Site-to-Site VPN between the two PIXes,
> establishing network connectivity between the two networks, but I have
> found no solution to applying a default gateway for the traffic going
> from the remote network to the Internet. The traffic needs to be
> source-routed in some way, or the clients on the remote network will not
> be able to access the Internet (or any of the other routed networks I've
> got set up here) at all.
>
> Is this at all possible to do with two PIXes? As far as I can tell, the
> remote PIX is doing what it should: forwarding *all* traffic through the
> tunnel. But the local PIX doesn't know what to do with the packets to
> the Internet, so it just drops them.
>
> If this is not possible with the PIXes, could anyone recommend a
> solution? I've done experiments with a Linux box with FreeS/WAN and got
> that to work (using source routing), but I'd like to use a peripheral
> for this job.
>
> // J
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
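The routing Ben suggests above, written out as a PIX 6.x configuration fragment for L-PIX. This is an added illustration, not configuration posted by either participant: the interface names `inside`/`outside`, the route metric `1`, the ACL name `to-rnet` and the crypto map name `vpnmap` are assumptions; the addresses come from Jonas's network description (FW inside 192.168.20.1, B-GW 10.0.0.1, R-PIX outside 10.10.0.2, R-NET 192.168.21.0/24). The `!` lines are reader comments.

```cisco
! L-PIX: default route points INSIDE toward FW. Traffic decrypted from
! R-NET and bound for the Internet is therefore handed to FW, which
! applies its access control, rather than leaving L-PIX directly.
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1

! The remote network is reached via the outside interface, so replies
! from FW to R-NET hosts hit the crypto map on "outside" and are
! encrypted instead of following the inside default route.
route outside 192.168.21.0 255.255.255.0 10.0.0.1 1

! Host route for the IPsec peer (R-PIX public address) via the border
! gateway: the only Internet destination L-PIX itself needs to reach,
! since "all it does is tunnel".
route outside 10.10.0.2 255.255.255.255 10.0.0.1 1

! Interesting traffic, mirroring the remote side's "everything from
! R-NET goes through the tunnel" (R-PIX would use the reverse:
! permit ip 192.168.21.0 255.255.255.0 any). The same ACL exempts
! tunnel traffic from NAT.
access-list to-rnet permit ip any 192.168.21.0 255.255.255.0
nat (inside) 0 access-list to-rnet
crypto map vpnmap 10 match address to-rnet
```

After applying, `show route` on L-PIX should list the 0.0.0.0/0 entry on the inside interface and both outside statics. The check that matters for Jonas's requirement is from an R-NET host: a traceroute to an Internet address must show 192.168.21.1, then 192.168.20.1 (FW) before the border, and never 10.10.0.2 or 10.0.0.3 as an exit hop. This fragment covers routing only; the crypto map peer, transform set and ISAKMP policy that already establish the tunnel are left as configured.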