Re: [fw-wiz] Followup: An interesting VPN problem

From: Luke Butcher (luke.butcher_at_alphawest.com.au)
Date: 09/03/03

    To: Jonas Anden <dajudge@home.se>
    Date: Wed, 03 Sep 2003 08:36:42 +1000
    
    

    On Tue, 2003-09-02 at 01:51, Jonas Anden wrote:

    > One comment though: I'm also using dhcp relaying for the IP address
    > assignments. Strangely enough, the relayed DHCP does *not* go through the
    > tunnel (bypassing routing rules). So I had to set up a two-step
    > relaying; the remote pix relays to the external IP of the local pix,
    > which has relays into the local dhcp server.

    For what it's worth, I have seen problems doing DHCP relay over a VPN
    tunnel. After much discussion with Cisco the solution was to upgrade to
    the bleeding edge at the time (12.2.16). That however was on an 803 using
    IOS. There may be similar problems on the PIXes.

    Also the setup was slightly different to yours in that, at the remote
    end, net traffic was going straight out, the VPN was only for private
    address space. Basically the vpn crypto match was occurring before the
    DHCP broadcast request was converted to a directed broadcast. Hence it
    was being pushed out to the net and never getting a reply.

    Maybe some food for thought.

    Luke Butcher
    Network/Security Consultant

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
