Re: [fw-wiz] full IPSEC tunnels on PIX and NAT ...

From: Miha Vitorovic (mvitorovic_at_nil.si)
Date: 12/03/03

    To: firewall-wizards@honor.icsalabs.com, firewall-wizards-admin@honor.icsalabs.com
    Date: Wed, 3 Dec 2003 08:38:03 +0100
    
    

    Peter,

    For one thing, the PIX cannot route out through the same interface the
    packet comes into the device on. So, if your VPNs terminate on the outside
    interface (and they do according to the config), there is no way that the
    PIX will route the packets to the Internet, which is also connected to the
    outside interface. That's just the way PIXen are :-)

    Regards,

    ---
      Miha Vitorovic
      Inženir v tehničnem področju
      Customer Support Engineer
       NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana,  Slovenia
       Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si
    firewall-wizards-admin@honor.icsalabs.com wrote on 29.11.2003 21:39:55:
    > 
    > ... hello, and thank you in advance for any help you might be able to 
    > offer.
    > 
    > I've got a PIX that I'm using for just a couple of clients to VPN into, 
    > and would really like to get full tunnels working so that all their 
    > traffic goes over the tunnel and then out to the internet.
    > 
    > I've scoured all of Cisco's documentation, and can't find anything I'm 
    > doing wrong, but I seem to be stuck with the following kind of error 
    > message:
    > 
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
