Re: Pix and VPN 3030 traffic routing / redirection

From: Eric Chamberlain (telogix@hotmail.com)
Date: 03/27/02


From: "Eric Chamberlain" <telogix@hotmail.com>
Date: Wed, 27 Mar 2002 05:00:20 GMT


"Paul B." <pfb71@hotmail.com> wrote in message
news:3c9f728c.260449236@news.qwest.net...
> Currently I have a Pix 515 serving as both a firewall and a VPN
> termination point for both site-to-site and VPN software client-based
> VPN sessions. The Pix has three interfaces (outside, dmz, and inside)
> on three networks. I've recently purchased a Cisco VPN 3030 that I
> plan to put in parallel with the Pix (see
>
> http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_5/getting/gs1und.htm
> for a nearly perfect diagram of what I'm planning).
>
> Our goal is to move all VPN traffic from the Pix to the new 3030. My
> question has to do with routing (or, perhaps, redirection). First,
> I'll put out some basic info:
>
> Pix inside interface network: 192.168.10.0 (Default gateway for
> clients behind firewall)
> Pix dmz interface network: 192.168.20
> Pix outside interface network: 192.168.30.0
> Pix VPN software client pool: 10.0.0.0
>
> VPN 3030 inside interface network: 192.168.10.0
> VPN 3030 outside interface network: 192.168.30.0
> VPN 3030 VPN software client pool: 10.10.0.0
>
> Sample remote site network for site-to-site VPN: 172.16.3.0
>
> If a packet from the 192.168.10.0 network is bound for 172.16.3.0 it's
> going to go directly to its DG, the inside interface of the Pix.
> Similarly, if a packet from 192.168.10.0 is bound for 10.10.0.0 (i.e.
> a return to a VPN software client request) it too will go directly to
> the inside interface of the Pix. My question is how do I redirect that
> traffic from the Pix to the inside interface of the 3030? I suspect I
> may need to use a combination of some route statements and icmp
> redirection on the Pix to accomplish this but I'm at a loss. The only
> other alternative I can think of is to put a router ($$$) behind the
> inside interface of the Pix and handle it that way. Given budgetary
> constraints I can't really do that right now.
>

The PIX is a firewall, not a router; it will not redirect traffic out the
same interface it came in on. You will need a router between the inside
network and the PIX/VPN Concentrator. The router will then route the
traffic to the appropriate device.

--
Eric Chamberlain
CISSP, CCNA, CCDA, MCSE, CCA
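As an added illustration, not code from this thread or from Cisco: a small Python model of the topology Paul describes, assuming 192.168.10.1 for the PIX inside interface, 192.168.10.2 for the 3030 inside interface, /24 and /16 prefix lengths for the networks and pools, and an arbitrary ISP next hop. It shows that the "route statements" idea fails on the PIX because it will not send an inside packet back out the inside interface, while the inside router Eric recommends forwards the same packets to the 3030.

```python
from ipaddress import ip_address, ip_network

class Device:
    """Longest-prefix-match forwarder; hairpin=False models the PIX refusing
    to send a packet back out the interface it arrived on."""
    def __init__(self, name, routes, hairpin=True):
        self.name = name
        # routes: {prefix: (egress_interface, next_hop_or_None)}
        self.routes = {ip_network(p): v for p, v in routes.items()}
        self.hairpin = hairpin

    def forward(self, dst, ingress):
        dst = ip_address(dst)
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return ("drop", "no route")
        best = max(matches, key=lambda n: n.prefixlen)
        egress, next_hop = self.routes[best]
        if egress == ingress and not self.hairpin:
            return ("drop", f"{self.name}: no forwarding back out {ingress}")
        return ("forward", egress, next_hop)

PIX_INSIDE = "192.168.10.1"      # assumed address of the PIX inside interface
VPN3030_INSIDE = "192.168.10.2"  # assumed address of the 3030 inside interface
# The PIX with the "route statements" Paul considered: VPN destinations are
# pointed at the 3030, but the PIX will not hairpin on its inside interface.
pix = Device("PIX", {
    "192.168.10.0/24": ("inside", None),
    "192.168.20.0/24": ("dmz", None),
    "192.168.30.0/24": ("outside", None),
    "172.16.3.0/24": ("inside", VPN3030_INSIDE),
    "10.10.0.0/16": ("inside", VPN3030_INSIDE),
    "0.0.0.0/0": ("outside", "192.168.30.254"),  # assumed ISP next hop
}, hairpin=False)

# Eric's inside router: VPN destinations go to the 3030, everything else to
# the PIX; a router does forward back out the LAN interface it received on.
router = Device("inside-router", {
    "172.16.3.0/24": ("lan", VPN3030_INSIDE),  # site-to-site remote network
    "10.10.0.0/16": ("lan", VPN3030_INSIDE),   # 3030 software-client pool
    "0.0.0.0/0": ("lan", PIX_INSIDE),
})

def path_without_router(dst):
    """Inside host uses the PIX inside interface as its default gateway."""
    return pix.forward(dst, "inside")

def path_with_router(dst):
    """Inside host uses the new router as its default gateway."""
    return router.forward(dst, "lan")
```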
