RE: [fw-wiz] Cisco Pix 515E Configuration

From: Joe Mazzotti (jmazzotti_at_mercyhousing.org)
Date: 12/13/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 13 Dec 2004 14:06:32 -0700
    
    

    >> 1. The "problem" in which the PIX OS 6.x can not forward a packet back
    >> out the same interface that it received, known as hairpinning, is
    >> correct, but may not be an issue soon, assuming that it is your problem.
    >> This likely will not be an issue in PIX OS 7.0, from what I have heard.

    The hairpinning problem is a known issue, but I was under the impression
    that it was by design because it is a firewall. I hadn't heard that 7.0
    may fix this issue. Will this be a fix for VPN traffic only? If it was a
    general hairpinning fix, then wouldn't the PIX just be a router with an
    advanced firewall set? I'm just curious.

    >> Also keep in mind that a Cisco VPN router, in addition to the VPN
    >> Concentrator, would also get around this problem, and has advantages
    >> such as supporting QoS for VoIP which the Concentrator may not offer.

    True. And to go a step further, if the switch that the PIX drops into
    is a layer 3 switch, then you need not get any more hardware. Just let
    it do the routing for you. One thing worth mentioning though, is that a
    VPN in general does not support QoS. VPNs may carry QoS tagged
    packets, but you're passing encrypted packets along an arbitrary source
    network (i.e. the Internet). So you can support QoS at either end of
    the connection, but not for the VPN connection itself. This COULD
    affect the voice quality with not many avenues to correct it.

    On Sat, 2004-12-11 at 16:29 -0500, Sanford Reed wrote:
    > I have done both.
    >
    > I have installed several 515E and the 506/506E PIXs. In all installs I have
    > used the same interface to connect direct to the Internet. It I called
    > 'split tunneling' in the PIX setup. Having to use a Proxy to get 'back out'
    > that your configuration is not set up for split tunneling so the outbound
    > ACLs don't include the VPN Client subnet as an allowed.
    >
    > As for the IP Phones, as I stated before I had this working using an Avaya
    > Switch. It uses 2 interfaces on the switch to establish the call but if the
    > IP extensions are on the same switch it then drops the 'Control' channel and
    > continues the call via only the Voice channel. It still controls the call
    > thru the switch so the path is really IP Phone #1 -> VPN Client -> PIX ->
    > Switch -> PIX -> VPN client -> IP Phone. If I remember the Nortel setup
    > correctly, it works the same. I did have a lot of problems with the IP
    > Phones software getting it to recognize the VPN Client as the correct
    > interface to use because the PC running the client maintains its 'real' IP
    > address for the network. It was finally solved by Avaya issuing new software
    > that had an 'override' setting that the user had to set each VPN Session to
    > match the assigned VPN address received. Once this occurred it took some
    > tweaking of the protocols that the Switch used to establish the VOIP Session
    > and everything works great.
    >
    > Sanford Reed
    > (V) 7575.406.7067
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Eric Gunnett
    > Sent: Tuesday, December 07, 2004 4:36 PM
    > To: firewall-wizards@honor.icsalabs.com; bruce_the_loon@worldonline.co.za
    > Subject: RE: [fw-wiz] Cisco Pix 515E Configuration
    >
    > That is the exact problem we are having. As I have found out. Our
    > phone switch is a Nortel and I have the admin of it looking in it. Otherwise
    > it looks like we will have to scrap the idea and move to a VPN concentrator
    > or reconfigure a section of our network in order to get the phone switch and
    > VPN working in conjunction.
    >
    >
    >
    > Eric Gunnett
    > System Administrator
    > Zoovy, Inc.
    > eric@zoovy.com
    >
    >
    > >>> "Bruce Smith" <bruce_the_loon@worldonline.co.za> 12/07/04 01:15PM >>>
    > Hi Eric
    >
    > As far as I am aware, the PIX will not route out via the same interface the
    > packet came in on. For example if I connect to our VPN from the Internet, I
    > cannot get direct access to the Internet unless I use the proxy server
    > inside the network. If I am wrong on this, can someone tell me what I've
    > misconfigured.
    >
    > So the ability for the two VPN clients to connect via the IP phone switch
    > depends on how the system works. If all traffic is routed explicitly to the
    > phone switch and out, you shouldn't have a problem if all ACLs are set up
    > correctly to allow the IP phone traffic. If the system only uses the switch
    > to set up the call and then the two hosts begin talking directly to each
    > other, as Skype does and a couple of IP phone systems I've seen, then I
    > guess you're buggered. But before you give up if the IP phones talk
    > directly, check whether the software can be configured to route all traffic
    > via the phone switch.
    >
    > Regards
    >
    > Bruce Smith
    > Firewall Administrator
    > Port Elizabeth Technikon
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Eric Gunnett
    > Sent: 03 December 2004 11:33 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Cisco Pix 515E Configuration
    >
    >
    > I am hoping someone can help me with this problem. I have a Cisco
    > 515E with 6.3 on it. I have configured the PIX for VPN connections with
    > authentication through a RADIUS. My connections from Client -> Pix ->
    > Internal Network, work great. But we are using a phone switch that is trying
    > to pass off the IP phone connection between two clients that are connected
    > through the PIX, such as VPN Client 1 -> Pix -> VPN Client 2. Is this
    > possible? I have attached my config below.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
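For readers who land on this thread looking at the VPN Client 1 -> PIX -> VPN Client 2 path under PIX OS 7.0, the fragment below is an added example, not part of the thread or any poster's config; it assumes 7.0 syntax, an outside interface named "outside", and a constructed VPN client pool of 10.10.10.0/24.

```text
! PIX OS 7.0 fragment (added example, not from the thread or any poster's config).
! Constructed values: VPN client pool 10.10.10.0/24, outside interface "outside".
!
! 6.3 behaviour, as the thread describes: a packet decrypted from client 1 on
! "outside" that must be re-encrypted to client 2 on "outside" is dropped, and
! there is no knob for it. The 6.3 options are the ones the thread lists: a VPN
! concentrator, a VPN router, or routing on a layer 3 switch.
!
! 7.0 behaviour: the restriction is lifted by one global command. Note that it
! applies to every interface, not only to VPN traffic, so it must be paired with
! explicit policy (the thread's "router with an advanced firewall set" concern).
same-security-traffic permit intra-interface

! Exempt pool-to-pool traffic from NAT so it is re-encrypted with the real pool
! address (assumption: standard 7.0 nat 0 / access-list exemption syntax).
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (outside) 0 access-list NONAT

! Check: the line must appear in the running configuration after a write.
! show running-config | include same-security-traffic
```

If the phone switch only brokers the call and the two clients then talk directly, as Bruce notes, the decrypted client-to-client flow is exactly the hairpinned traffic above, so the ACLs must permit the phone system's signalling and media ports between pool addresses and nothing more.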

