Firewall Wizards mailing list archives
[Re: An interesting VPN problem]
From: Luke Butcher <luke.butcher () alphawest com au>
Date: Mon, 01 Sep 2003 08:43:12 +1000
On Thu, 2003-08-28 at 18:27, Jonas Anden wrote:
I've managed to set up a Site-to-Site VPN between the two PIXes, establishing network connectivity between the two networks, but I have found no solution to applying a default gateway for the traffic going from the remote network to the Internet. The traffic needs to be source-routed in some way, or the clients on the remote network will not be able to access the Internet (or any of the other routed networks I've got set up here) at all. Is this at all possible to do with two PIXes? As far as I can tell, the remote PIX is doing what it should: forwarding *all* traffic through the tunnel. But the local PIX doesn't know what to do with the packets to the Internet, so it just drops them.
Jonas,

It sounds like what you need is policy routing. Without knowing the exact specifics of your network this may not be the best solution.

I also don't see why adding a default route in the remote PIX that points to the inside interface of the FW wouldn't work. As long as it also knows how to get to that network there shouldn't be a problem, i.e. on the remote:

    route inside 0.0.0.0 0.0.0.0 10.0.0.2

Then push all the traffic hitting the outside of the local PIX to the inside of the FW, i.e. on the local:

    route outside 0.0.0.0 0.0.0.0 192.168.20.1

You will probably also need a static on the inside of the local PIX to tell it how to get to the remote network:

    route inside 192.168.21.0 255.255.255.0 10.10.0.2

Also, as these are not strictly point to point, you may need some other routes for specific addresses, such as how to get to the outside of the remote PIX.

If this doesn't help, policy routing can be done, but not on a PIX, only on IOS routers. But as the job you're trying to do seems more about routing than firewalling (i.e. the FW is doing the security work), maybe you would be better replacing your local PIX with a router.

Regards,
Luke Butcher
Network/Security Consultant
Alphawest

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
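Added example, not part of the original thread: a small Python model of the longest-prefix route lookup that the route lines in the reply above drive on the local PIX, showing which packets are dropped before those routes exist and where they go afterwards. The addresses come from the reply; the connected networks (192.168.20.0/24 on the local PIX's outside, 10.10.0.0/24 on its inside), the Internet host 198.51.100.1 and the remote client 192.168.21.10 are constructed assumptions.

```python
import ipaddress


class Pix:
    """Toy routing table in the 'route <iface> <net> <mask> <gateway>' syntax used in the reply.
    A gateway of 0.0.0.0 marks a directly connected network (a modelling convention here)."""

    def __init__(self, name, lines):
        self.name = name
        self.lines = list(lines)
        self.routes = []
        for line in self.lines:
            _, iface, net, mask, gw = line.split()
            self.routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))

    def lookup(self, dst):
        """Longest-prefix match: returns (interface, gateway), or None when there is no route (drop)."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[1]]
        if not matches:
            return None
        iface, _, gw = max(matches, key=lambda r: r[1].prefixlen)
        return iface, gw

    def explain(self, dst):
        hop = self.lookup(dst)
        if hop is None:
            return f"{self.name}: {dst} -> no route, dropped"
        return f"{self.name}: {dst} -> out {hop[0]} via {hop[1]}"


# Local PIX as the question describes it: it only knows its directly connected networks (constructed).
LOCAL_BEFORE = Pix("local PIX (before)", [
    "route outside 192.168.20.0 255.255.255.0 0.0.0.0",
    "route inside 10.10.0.0 255.255.255.0 0.0.0.0",
])

# Same PIX with the two routes suggested in the reply.
LOCAL_AFTER = Pix("local PIX (after)", LOCAL_BEFORE.lines + [
    "route outside 0.0.0.0 0.0.0.0 192.168.20.1",        # Internet-bound: hand off to the FW
    "route inside 192.168.21.0 255.255.255.0 10.10.0.2",  # return path to the remote LAN
])

INTERNET_HOST = "198.51.100.1"   # constructed (documentation range)
REMOTE_CLIENT = "192.168.21.10"  # constructed host on the remote network

if __name__ == "__main__":
    for pix in (LOCAL_BEFORE, LOCAL_AFTER):
        print(pix.explain(INTERNET_HOST))   # outbound leg of the remote client's request
        print(pix.explain(REMOTE_CLIENT))   # return leg from the FW back to the remote client
```

The lookup only models the routing table: PIX software of that era also did not forward a packet back out the interface it arrived on, so tunnel traffic entering the local PIX's outside and leaving the same outside interface toward 192.168.20.1 is a separate constraint to check.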