RE: [fw-wiz] An interesting VPN problem
From: Ben Nagy (ben_at_iagu.net)
To: "'Jonas Anden'" <firstname.lastname@example.org>, <email@example.com>
Date: Fri, 29 Aug 2003 10:37:04 +0200
Why can't you just tell L-PIX to route to 0.0.0.0 via 192.168.20.1 on the
inside interface? If all it does is tunnel, it doesn't need any other default
gateway, does it? It has statics for R-Net, and you can add a static on the
out interface for the real IP of R-PIX.
I assume that this is a stupid question, but it's early here.
In any case, don't source route. At the very worst, put a cheap router
inside L-PIX and L-FW and you will easily be able to solve your problems.
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com] On Behalf
> Of Jonas Anden
> Sent: Thursday, August 28, 2003 10:28 AM
> To: firstname.lastname@example.org
> Hi all you Wizes out there. I've got a bit of a problem that I think you
> might help me solve...
> I've got two Cisco PIX 501 with the latest software (6.3.1). We're
> trying to use them to set up a remote site with *all* client traffic on
> the remote network being redirected through the site-to-site tunnel
> (including the traffic that should ultimately end up on the Internet).
> Traffic from the remote network not targeted for the local network
> should be routed through a firewall reachable from the local network.
> My network looks like this:
> L-NET - The network at the central site
> FW - Firewall protecting the entire network and
> providing user authentication for Internet access.
> Inside IP=192.168.20.1
> Outside IP=10.0.0.2
> L-PIX - Local tunnel endpoint at the central site.
> Connected to both the internal network at
> the central site and the Internet.
> Inside IP=192.168.20.2
> Outside IP=10.0.0.3
> B-GW - Border gateway of central site.
> INET - Internet
> R-PIX - PIX as border router of remote network.
> Inside IP=192.168.21.1
> Outside IP=10.10.0.2
> R-Net - Remote network.
> Now, what I want to do is first set up a tunnel between the two networks
> (L-NET and R-NET). Computers on L-NET have a default gateway of
> 192.168.20.1, accessing the Internet through FW. FW provides access control
> for these users. FW also has a static route to route traffic to R-NET
> through the L-PIX.
> Computers on R-NET have the PIX inside IP (192.168.21.1) as the default
> gateway. All their traffic (including the traffic that should end up on
> the Internet) should be transmitted through the tunnel. For the client
> traffic exiting the tunnel on L-NET, there needs to be a default gateway
> set to 192.168.20.1, so that their Internet traffic also exits through
> FW, and FW can provide access control for these users.
> It is absolutely vital that the traffic does not exit directly to the
> Internet at either PIX. All client traffic bound for the Internet *must*
> be routed through the firewall at the central site (FW).
> I've managed to set up a Site-to-Site VPN between the two PIXes,
> establishing network connectivity between the two networks, but I have
> found no solution to applying a default gateway for the traffic going
> from the remote network to the Internet. The traffic needs to be
> source-routed in some way, or the clients on the remote network will not
> be able to access the Internet (or any of the other routed networks I've
> got set up here) at all.
> Is this at all possible to do with two PIXes? As far as I can tell, the
> remote PIX is doing what it should; forwarding *all* traffic through the
> tunnel. But the local PIX doesn't know what to do with the packets to
> the Internet, so it just drops them.
> If this is not possible with the PIXes, could anyone recommend a
> solution? I've done experiments with a Linux box with FreeS/WAN and got
> that to work (using source routing), but I'd like to use a peripheral
> for this job.
> // J
> firewall-wizards mailing list
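As an added illustration (not part of the thread, and not Cisco's or anyone's PIX code), here is a small longest-prefix-match lookup over the L-PIX routing table Ben proposes: default route via FW (192.168.20.1) on the inside interface, plus a host route on the outside for R-PIX's real IP (10.10.0.2). The border gateway's address is not given in the thread, so it is a labelled placeholder, and the Internet destination is a constructed sample.

```python
import ipaddress

# Constructed from the thread's design. Tuple: (prefix, interface, next hop).
# "B-GW" stands in for the border gateway's IP, which the thread never states.
L_PIX_ROUTES = [
    ("192.168.20.0/24", "inside",  "connected"),
    ("10.0.0.0/24",     "outside", "connected"),
    ("0.0.0.0/0",       "inside",  "192.168.20.1"),  # default -> FW, per Ben
    ("10.10.0.2/32",    "outside", "B-GW"),          # static for R-PIX real IP
]

# Same table without the host route, to show why Ben asks for it.
L_PIX_ROUTES_NO_STATIC = [r for r in L_PIX_ROUTES if r[0] != "10.10.0.2/32"]


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def forwarding_plan(routes):
    """Where L-PIX sends the two packets that matter in the thread:
    the decrypted remote-client packet bound for the Internet, and the
    outer ESP packet back to the R-PIX peer."""
    return {
        "client_to_internet": lookup(routes, "198.51.100.10"),  # sample dst
        "esp_to_r_pix_peer": lookup(routes, "10.10.0.2"),
    }


if __name__ == "__main__":
    for name, table in (("with static", L_PIX_ROUTES),
                        ("without static", L_PIX_ROUTES_NO_STATIC)):
        print(name, forwarding_plan(table))
```

With the host route, decrypted client traffic goes inside to FW while the ESP reply to the peer leaves via the outside interface; without it, the ESP packet would also match the default route and be sent back inside towards FW.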