Firewall Wizards mailing list archives
RE: An interesting VPN problem
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 2 Sep 2003 09:55:22 -0400
Because the main Internet firewall's behavior and capability is somewhat of a wildcard, I'm not sure that this is going to be possible, but if it is, here's what I would try.

Set the default gateway of the L-PIX to the inside interface of FW:

route inside 0.0.0.0 0.0.0.0 192.168.20.1

Then set a static route on L-PIX that points to R-PIX via GW:

route outside 10.10.0.2 255.255.255.255 10.0.0.1

L-PIX will automatically create the local route for L-NET. Make certain that L-PIX does not NAT packets destined for R-NET and that L-PIX is only encrypting traffic destined for R-NET:

access-list vpntornet permit ip 0.0.0.0 0.0.0.0 192.168.21.0 255.255.255.0
nat (inside) 0 access-list vpntornet
crypto map mymap 20 match address vpntornet
!-- obviously the map name and priority will need
!-- to match what's already configured on L-PIX

Then, do essentially the same thing for R-PIX, making sure that the match for the crypto map is a mirror image of what's on R-PIX:

access-list vpntolnet permit ip 192.168.21.0 255.255.255.0 0.0.0.0 0.0.0.0
nat (inside) 0 access-list vpntolnet
crypto map mymap 20 match address vpntolnet
!-- obviously the map name and priority will need
!-- to match what's already configured on R-PIX

Good luck!

PaulM

PS - If this doesn't work, you can always allow Internet access to R-NET via R-PIX, and still perform logging, authentication, and content filtering across the VPN tunnel to servers located on L-NET. Keep that in mind as a fall-back scenario.
-----Original Message-----

I've got two Cisco PIX 501 with the latest software (6.3.1). We're trying to use them to set up a remote site with *all* client traffic on the remote network being redirected through the site-to-site tunnel (including the traffic that should ultimately end up on the Internet). Traffic from the remote network not targeted for the local network should be routed through a firewall reachable from the local network.

My network looks like this:

[L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
         |            |
         +-->[L-PIX]<-+

L-NET - The network at the central site. Net=192.168.20.0/24
FW - Firewall protecting the entire network and providing user authentication for Internet access. Inside IP=192.168.20.1 Outside IP=10.0.0.2
L-PIX - Local tunnel endpoint at the central site. Connected to both the internal network at the central site and the Internet. Inside IP=192.168.20.2 Outside IP=10.0.0.3
B-GW - Border gateway of central site. IP=10.0.0.1
INET - Internet
R-PIX - PIX as border router of remote network. Inside IP=192.168.21.1 Outside IP=10.10.0.2
R-NET - Remote network. Net=192.168.21.0/24

Now, what I want to do is first set up a tunnel between the two networks (L-NET and R-NET). Computers on L-NET have a default gateway of 192.168.20.1, accessing the Internet through FW. FW provides access control for these users. FW also has a static route to route traffic to R-NET through the L-PIX.

Computers on R-NET have the PIX inside IP (192.168.21.1) as the default gateway. All their traffic (including the traffic that should end up on the Internet) should be transmitted through the tunnel. For the client traffic exiting the tunnel on L-NET, there needs to be a default gateway set to 192.168.20.1, so that their Internet traffic also exits through FW, and FW can provide access control for these users. It is absolutely vital that the traffic does not exit directly to the Internet at either PIX. All client traffic bound for the Internet *must* be routed through the firewall at the central site (FW).

I've managed to set up a site-to-site VPN between the two PIXes, establishing network connectivity between the two networks, but I have found no solution to applying a default gateway for the traffic going from the remote network to the Internet. The traffic needs to be source-routed in some way, or the clients on the remote network will not be able to access the Internet (or any of the other routed networks I've got set up here) at all.

Is this at all possible to do with two PIXes? As far as I can tell, the remote PIX is doing what it should: forwarding *all* traffic through the tunnel. But the local PIX doesn't know what to do with the packets to the Internet, so it just drops them.

If this is not possible with the PIXes, could anyone recommend a solution? I've done experiments with a Linux box with FreeS/WAN and got that to work (using source routing), but I'd like to use a peripheral for this job.

// J

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
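As an added illustration (not part of Paul's or J's message), here is a small Python model of the forwarding decisions L-PIX would make under Paul's proposed routes and crypto ACL. It assumes a simplified longest-prefix-match route table and subnet-mask ACL evaluation, not Cisco's actual PIX implementation; the point it checks is that R-NET clients' Internet traffic arriving from the tunnel is handed to FW at 192.168.20.1 rather than dropped or sent out the outside interface.

```python
import ipaddress

# Constructed model of L-PIX under Paul's proposed config (assumption: a
# simplified PIX 6.3 routing and crypto-map logic, not Cisco's implementation).
ROUTES = [
    # (destination prefix, egress interface, next hop); None = connected
    ("192.168.20.0/24", "inside", None),           # L-NET, auto-created
    ("0.0.0.0/0", "inside", "192.168.20.1"),       # route inside 0 0 -> FW
    ("10.10.0.2/32", "outside", "10.0.0.1"),       # route outside R-PIX -> B-GW
]
VPN_PEER = "10.10.0.2"  # R-PIX outside address

# access-list vpntornet permit ip 0.0.0.0 0.0.0.0 192.168.21.0 255.255.255.0
# PIX 6.x access-lists take subnet masks, so 0.0.0.0 0.0.0.0 means "any".
VPNTORNET = [("0.0.0.0/0.0.0.0", "192.168.21.0/255.255.255.0")]

def lookup(dst):
    """Longest-prefix match over ROUTES -> (interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2] or dst  # connected: deliver to the host itself

def acl_permits(acl, src, dst):
    """True if any (src/mask, dst/mask) entry covers the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a, strict=False)
               and d in ipaddress.ip_network(b, strict=False) for a, b in acl)

def forward(src, dst):
    """What L-PIX does with a packet: NAT-exempt? encrypt? which next hop?"""
    if acl_permits(VPNTORNET, src, dst):
        # Matches crypto map 'mymap 20' and the nat 0 exemption: encrypt to
        # the peer; the outer ESP packet is routed on the peer address.
        iface, nh = lookup(VPN_PEER)
        return {"nat_exempt": True, "encrypt": True, "peer": VPN_PEER,
                "iface": iface, "next_hop": nh}
    # Everything else, including R-NET clients' Internet traffic arriving
    # from the tunnel, follows the route table: default route -> FW.
    iface, nh = lookup(dst)
    return {"nat_exempt": False, "encrypt": False, "peer": None,
            "iface": iface, "next_hop": nh}
```

Running forward("192.168.21.50", "198.51.100.7") with a constructed Internet address shows the decisive case: no crypto match, so the packet takes the inside default route to FW, where J's access control applies.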