Firewall Wizards mailing list archives

[Re: An interesting VPN problem]


From: Luke Butcher <luke.butcher () alphawest com au>
Date: Mon, 01 Sep 2003 08:43:12 +1000


On Thu, 2003-08-28 at 18:27, Jonas Anden wrote:

I've managed to set up a Site-to-Site VPN between the two PIXes,
establishing network connectivity between the two networks, but I have
found no solution to applying a default gateway for the traffic going
from the remote network to Internet. The traffic needs to be
source-routed in some way, or the clients on the remote network will not
be able to access the Internet (or any of the other routed networks I've
got set up here) at all.

Is this at all possible to do with two PIXes? As far as I can tell, the
remote PIX is doing what it should; forwarding *all* traffic through the
tunnel. But the local PIX doesn't know what to do with the packets to
the Internet, so it just drops them.

Jonas,

  It sounds like what you need is policy routing. Without knowing the
exact specifics of your network, this may not be the best solution.

I also don't see why adding a default route on the remote PIX that
points to the inside interface of the FW wouldn't work. As long as it also
knows how to get to that network there shouldn't be a problem.
i.e. on the remote PIX:
  route inside 0.0.0.0 0.0.0.0 10.0.0.2
then push all the traffic hitting the outside of the local PIX to the
inside of the FW,
i.e. on the local PIX:
  route outside 0.0.0.0 0.0.0.0 192.168.20.1
You will probably also need a static route on the inside of the local PIX
to tell it how to get to the remote network:
  route inside 192.168.21.0 255.255.255.0 10.10.0.2
Also, as these are not strictly point-to-point, you may need some other
routes for specific addresses, such as how to get to the outside of the
remote PIX.

If this doesn't help, policy routing can be done, but not on a PIX, only
on IOS routers. But as the job you're trying to do seems more about
routing than firewalling (i.e. the FW is doing the security work), maybe
you would be better off replacing your local PIX with a router.

Regards,
Luke Butcher
Network/Security Consultant

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards