Re: [fw-wiz] bypassing PIX limitation
Couldn't you set up a policy NAT based on their address block? I know we
did this exact scenario in the SNPA class; I just forget exactly what we
did, and I'm still pretty new. If I can dig up my class material I may be
able to find the solution.

Paolo Supino wrote:
Hi Kevin

The IP address space assigned to me is not part of their public IP
address space. I apologize, I explained myself wrongly.
Hopefully the following information will be clearer: the network behind
my PIX is 192.168.99.x (the PIX has a public IP address). Our partner
uses IP addresses on network 172.28.x.x/16. They want me to use, on my
network, IP addresses on subnet 172.28.150.32/28.
TIA
Paolo



Horvath, Kevin M. wrote:
When you say carved out of their IP network, I assume you are talking about
the public assigned IP space, as the private IP space is anyone's. If this
is correct then whoever wrote their policy needs to go to some basic routing
training, as that just doesn't make any sense. You should be able to NAT
traffic across a VPN tunnel, although I have never tried it, since NAT is
done before packets are encrypted. Your problem will be that you have to
assign the outside IP block from the partner to your global statement, which
will probably give you issues, as it breaks routing concepts (meaning those
aren't assigned/routed to you so they won't go anywhere, but since they are
going over an IPsec tunnel it's plausible). Even if you get it working from
your side it will be interesting to see how they handle their incoming
public IP space from an IPsec tunnel since it's routed to their outside
interface already. The more and more I think about this the more I realize
it should not even be tried. It's just a bad idea altogether. I just hope
you mean private IP, not the partner's public IP space, when you say "carved
out of their overall IP network range"?

Kevin M. Horvath
CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
SAIC - IT Security Division
703.868.1503

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Paolo
Supino
Sent: Wednesday, November 08, 2006 7:23 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] bypassing PIX limitation

Hi

I have a network that is protected by a PIX 515e running 6.3(1). I was
asked to set up an IPsec VPN with a partner. The partner's security policy
mandates that a remote encryption domain must use IP addresses on a
subnet carved out of their overall IP network range. The network behind
my PIX uses IP addresses on a subnet that is outside of their IP
network. Adding a second IP to my network isn't supported by the PIX OS.
To bypass this limitation I thought of NATing packets going into the VPN
tunnel. I've been looking for documentation for such a scenario, but
can't find anything. Can packets going into a VPN tunnel be NATed?
TIA
Paolo

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
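The policy NAT approach suggested at the top of the thread, written out as an added example (not configuration from anyone in the thread). It assumes the addresses Paolo gave (inside 192.168.99.0/24, partner 172.28.0.0/16, partner-assigned 172.28.150.32/28), a placeholder partner peer 203.0.113.1 and placeholder key material, and a PIX release that accepts the access-list form of `nat` (documented for 6.3); only partner-bound traffic is translated, and the crypto ACL is written against the translated source because NAT happens before encryption.

```cisco
: Added example, not from the thread. Placeholders: 203.0.113.1 (partner peer), <PRE-SHARED-KEY>.
:
: 1. Only inside hosts talking to the partner's /16 are subject to this translation.
access-list PARTNER_NAT permit ip 192.168.99.0 255.255.255.0 172.28.0.0 255.255.0.0
:
: 2. Policy NAT: that traffic is translated into the partner-assigned /28.
:    Dynamic pool .33-.45, then PAT on .46 once the pool is exhausted
:    (.32 and .47 are the subnet's network and broadcast addresses).
nat (inside) 2 access-list PARTNER_NAT
global (outside) 2 172.28.150.33-172.28.150.45 netmask 255.255.255.240
global (outside) 2 172.28.150.46 netmask 255.255.255.240
:
: 3. Crypto ACL matches the translated source, not 192.168.99.0/24,
:    because the PIX applies NAT before the crypto map is evaluated.
access-list PARTNER_VPN permit ip 172.28.150.32 255.255.255.240 172.28.0.0 255.255.0.0
:
: 4. IKE and IPsec for the partner peer (policy parameters are assumptions; match the partner's).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key <PRE-SHARED-KEY> address 203.0.113.1 netmask 255.255.255.255
crypto ipsec transform-set PARTNER_TS esp-3des esp-sha-hmac
crypto map PARTNER_MAP 10 ipsec-isakmp
crypto map PARTNER_MAP 10 match address PARTNER_VPN
crypto map PARTNER_MAP 10 set peer 203.0.113.1
crypto map PARTNER_MAP 10 set transform-set PARTNER_TS
crypto map PARTNER_MAP interface outside
sysopt connection permit-ipsec
:
: 5. Caveat: an existing "nat (inside) 0 access-list" or "static" that already covers
:    192.168.99.0/24 -> 172.28.0.0/16 wins over this rule and the packets will leave the
:    tunnel untranslated and be dropped by the partner's policy. Check with:
:      show xlate | include 172.28.150
:      show crypto ipsec sa
```

Because 172.28.150.32/28 is not routed to the PIX on the internet, the translated addresses only make sense inside the tunnel; any partner-bound packet that misses the crypto ACL should be expected to go nowhere.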