Re: [fw-wiz] bypassing PIX limitation
- From: Paolo Supino <paolo@xxxxxxxxxxxxx>
- Date: Fri, 10 Nov 2006 11:05:37 -0500
Hi David
Do you have any unused PIX that you can lend indefinitly? I don't
have any free and my budget os 0 :-(
TIA
Paolo
David Swafford wrote:
Hi Paolo,
In your existing network, are you using any of the 172.28.x.x address
space? If not, then one option that comes to my mind is that you
could setup another Pix box who's sole purpose is to connect to the
partner's tunnel (if the traffic is not too demanding maybe something
small like a PIX 506?) I would then suggest that you somehow
propagate a route that points to the PIX as being the next hop gateway
for all 172.28.x.x addresses. This most likely involves the need to
purchase another PIX or maybe just setting another interface on a
cisco router running the IOS firewall would work?
Just a few thoughts.
David Swafford.
Hi Kevintalking about
The IP address space assigned to me is not part of their public IP
address space. I apologize, I explained myself wrong.
Hopefully the following information will be clearer: The network behind
my PIX is 192.168.99.x (the pix has a public IP address). Our partner
uses IP addresses on network 172.28.x.x/16. They want me to use on my
network IP addresses on subnet 172.28.150.32/28.
TIA
Paolo
Horvath, Kevin M. wrote:
When you say carved out of their IP network, I assume you are
If thisthe public assigned IP space, as the private ip space is anyones.
basic routingis correct then whoever wrote their policy needs to go to some
to nattraining as that just doesn't make any sense. You should be able
nat istraffic across a vpn tunnel, although I have never tried it, since
have todone before packets are encrypted. Your problem will be that you
statement whichassign the outside ip block from the partner to your global
(meaning thosewill probably give you issues, as it breaks routing concepts
they arearen't assigned/routed to you so they wont go anywhere, but since
working fromgoing over an ipsec tunnel its plausible). Even if you get it
realizeyour side it will be interesting to see how they handle their incoming
public ip space from an ipsec tunnel since its routed to their outside
interface already. The more and more I think about this the more I
just hopeit should not even be tried. Its just a bad idea altogether. I
carvedyou mean private ip not the partners public ip space when you say "
<mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx>out of their overall IP network range"?
Kevin M. Horvath
CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
SAIC - IT Security Division
703.868.1503
-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
Of Paolo[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf
wasSupino
Sent: Wednesday, November 08, 2006 7:23 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] bypassing PIX limitation
Hi
I have a network that is protected by a PIX 515e running 6.3(1). I
policyasked to setup a IPSEC VPN with a partner. The partner's security
behindmandates that a remote encryption domain must use IP addresses on a
subnet carved out of their overall IP network range. The network
PIX OS.my PIX uses IP addresses on a subnet that is outside of their IP
network. Adding a second IP to my network isn't supported by the
the VPNTo bypass this limitation I thought of NATing packets going into
<mailto:firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>tunnel. I've been looking for documentation for such a scenario, but
can't find anything. Can packets going into a VPN tunnel be NATed?
TIA
Paolo
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
<mailto:firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
<mailto:firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
______________________________________________________
Founded in Faith - Preserved with Pride - Sustained by Spirit
______________________________________________________
Upcoming Events:
ALTER OPEN HOUSE
November 16
7 - 9 p.m.
------------------------------------------------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Follow-Ups:
- Re: [fw-wiz] bypassing PIX limitation
- From: Marcus J. Ranum
- Re: [fw-wiz] bypassing PIX limitation
- References:
- Re: [fw-wiz] bypassing PIX limitation
- From: David Swafford
- Re: [fw-wiz] bypassing PIX limitation
- Prev by Date: Re: [fw-wiz] bypassing PIX limitation
- Next by Date: Re: [fw-wiz] bypassing PIX limitation
- Previous by thread: Re: [fw-wiz] bypassing PIX limitation
- Next by thread: Re: [fw-wiz] bypassing PIX limitation
- Index(es):
Relevant Pages
|
