RE: [fw-wiz] An interesting VPN problem

From: Ben Nagy (
Date: 08/29/03

  • Next message: Marko Kupiainen: "[fw-wiz] PIX 515 and Cisco VPN client from inside"
    To: "'Jonas Anden'" <>, <>
    Date: Fri, 29 Aug 2003 10:37:04 +0200

    Why can't you just tell L-PIX to route to via on the
    inside interface? If all it does is tunnel, it doesn't need any other default
    gateway, does it? It has statics for R-Net, and you can add a static on the
    out interface for the real IP of R-PIX.

    I assume that this is a stupid question, but it's early here.

    In any case, don't source route. At the very worst, put a cheap router
    inside L-PIX and L-FW and you will easily be able to solve your problems.


    > -----Original Message-----
    > From: [] On Behalf Of Jonas Anden
    > Sent: Thursday, August 28, 2003 10:28 AM
    > To:
    > Hi all you Wizes out there. I've got a bit of a problem that I think you
    > might help me solve...
    >
    > I've got two Cisco PIX 501 with the latest software (6.3.1). We're
    > trying to use them to set up a remote site with *all* client traffic on
    > the remote network being redirected through the site-to-site tunnel
    > (including the traffic that should ultimately end up on the Internet).
    > Traffic from the remote network not targeted for the local network
    > should be routed through a firewall reachable from the local network.
    >
    > My network looks like this:
    >
    > [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
    >          |            |
    >          +-->[L-PIX]<-+
    >
    > L-NET - The network at the central site
    >         Net=
    > FW    - Firewall protecting the entire network and
    >         providing user authentication for Internet access.
    >         Inside IP=
    >         Outside IP=
    > L-PIX - Local tunnel endpoint at the central site.
    >         Connected to both the internal network at
    >         the central site and the Internet.
    >         Inside IP=
    >         Outside IP=
    > B-GW  - Border gateway of central site.
    >         IP=
    > INET  - Internet
    > R-PIX - PIX as border router of remote network.
    >         Inside IP=
    >         Outside IP=
    > R-Net - Remote network.
    >         Net=
    >
    > Now, what I want to do is first set up a tunnel between the two networks
    > (L-NET and R-NET). Computers on L-NET have a default gateway of
    > , accessing the Internet through FW. FW provides access control
    > for these users. FW also has a static route to route traffic to R-NET
    > through the L-PIX.
    >
    > Computers on R-NET have the PIX inside IP ( as the default
    > gateway. All their traffic (including the traffic that should end up on
    > the Internet) should be transmitted through the tunnel. For the client
    > traffic exiting the tunnel on L-NET, there needs to be a default gateway
    > set to, so that their Internet traffic also exits through
    > FW, and FW can provide access control for these users.
    >
    > It is absolutely vital that the traffic does not exit directly to the
    > Internet at either PIX. All client traffic bound for the Internet *must*
    > be routed through the firewall at the central site (FW).
    >
    > I've managed to set up a site-to-site VPN between the two PIXes,
    > establishing network connectivity between the two networks, but I have
    > found no solution to applying a default gateway for the traffic going
    > from the remote network to the Internet. The traffic needs to be
    > source-routed in some way, or the clients on the remote network will not
    > be able to access the Internet (or any of the other routed networks I've
    > got set up here) at all.
    >
    > Is this at all possible to do with two PIXes? As far as I can tell, the
    > remote PIX is doing what it should: forwarding *all* traffic through the
    > tunnel. But the local PIX doesn't know what to do with the packets to
    > the Internet, so it just drops them.
    >
    > If this is not possible with the PIXes, could anyone recommend a
    > solution? I've done experiments with a Linux box with FreeS/WAN and got
    > that to work (using source routing), but I'd like to use a peripheral
    > for this job.
    >
    > // J
    > _______________________________________________
    > firewall-wizards mailing list
    > _______________________________________________
    > firewall-wizards mailing list

    firewall-wizards mailing list
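The routing arrangement Ben describes, written out as a PIX OS 6.3 configuration excerpt for L-PIX. This is an added example, not a configuration posted by either participant, and it assumes placeholder addresses (the real ones were lost when the thread was archived): `L_NET` and `R_NET` for the two LANs, `FW_IN` for the inside IP of FW, `BGW` for the border gateway, and `RPIX_OUT` for the outside (real) IP of R-PIX. It also assumes, as Ben's suggestion does, that the PIX accepts its single default route on the inside interface. Lines beginning with `!` are annotations, not PIX commands.

```cisco
! L-PIX, central tunnel endpoint (PIX OS 6.3 syntax; addresses are placeholders)

! The only default route points INSIDE, to the firewall. Decrypted traffic from
! R-NET that is not for L-NET is therefore handed to FW, which applies the
! access control. Nothing leaves L-PIX's outside interface except IPsec.
route inside 0.0.0.0 0.0.0.0 FW_IN 1

! Host route so the IPsec peer itself stays reachable via the border gateway,
! even though the default route no longer points that way.
route outside RPIX_OUT 255.255.255.255 BGW 1

! Crypto ACL: the mirror image of R-PIX's "R-NET to any". Everything bound for
! R-NET, whatever its source, is interesting traffic.
access-list vpn-traffic permit ip any R_NET 255.255.255.0

! Do not translate tunnelled traffic. The source must be "any" here because the
! return half of R-NET's Internet flows enters L-PIX from FW on the inside
! interface with an arbitrary Internet source address.
access-list nonat permit ip any R_NET 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 2 and the crypto map bound to the outside interface.
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer RPIX_OUT
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Phase 1 with a pre-shared key (placeholder).
isakmp enable outside
isakmp key <preshared-key> address RPIX_OUT netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

The path this produces is purely destination-routed, so no source routing is involved: a packet from R-NET to an Internet host is decrypted on L-PIX, matches only the default route, and goes inside to FW; FW forwards it to B-GW; the reply comes back through FW, whose static route for R-NET sends it to L-PIX's inside interface, where it matches the crypto ACL and is encrypted towards R-PIX. The checks worth running afterwards are `show route` (the 0.0.0.0 route must show the inside interface and the host route for R-PIX the outside one), and `show crypto isakmp sa` / `show crypto ipsec sa` to confirm the tunnel is up and that the encrypt and decrypt counters both move when a remote client browses.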
