RE: An interesting VPN problem

["Melson, Paul" <PMelson () sequoianet com>]

Because the main Internet firewall's behavior and capability is somewhat of a wildcard, I'm not sure that this is going 
to be possible, but if it is, here's what I would try.  Set the default gateway of the L-PIX to the inside interface of 
FW:

route inside 0.0.0.0 0.0.0.0 192.168.20.1

Then set a static route on L-PIX that points to R-PIX via GW:

route outside 10.10.0.2 255.255.255.255 10.0.0.1

L-PIX will automatically create the local route for L-NET.  Make certain that L-PIX does not NAT packets destined for 
R-NET and that L-PIX is only encrypting traffic destined for R-NET:

access-list vpntornet permit ip 0.0.0.0 0.0.0.0 192.168.21.0 255.255.255.0
nat (inside) 0 access-list vpntornet
crypto map mymap 20 match address vpntornet
!-- obviously the map name and priority will need
!-- to match what's already configured on L-PIX

Then, do essentially the same thing for R-PIX, making sure that the match for the crypto map is a mirror image of 
what's on R-PIX:

access-list vpntolnet permit ip 192.168.21.0 255.255.255.0 0.0.0.0 0.0.0.0 
nat (inside) 0 access-list vpntolnet
crypto map mymap 20 match address vpntolnet
!-- obviously the map name and priority will need
!-- to match what's already configured on R-PIX

Good luck!

PaulM

PS - If this doesn't work, you can always allow Internet access to R-NET via R-PIX, and still perform logging, 
authentication, and content filtering across the VPN tunnel to servers located on L-NET.  Keep that in mind as a 
fall-back scenario.



>  -----Original Message-----
> I've got two Cisco PIX 501 with the latest software (6.3.1). We're
> trying to use them to set up a remote site with *all* client traffic on
> the remote network being redirected through the site-to-site tunnel
> (including the traffic that should ultimately end up on the Internet).
> Traffic from the remote network not targeted for the local network
> should be routed through a firewall reachable from the local network.
>
> My network looks like this:
>
>
> [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
>          |            |
>          +-->[L-PIX]<-+
>
>
> L-NET - The network at the central site
>         Net=192.168.20.0/24
>
> FW    - Firewall protecting the entire network and
>         providing user authentication for Internet access.
>         Inside IP=192.168.20.1
>         Outside IP=10.0.0.2
>
> L-PIX - Local tunnel endpoint at the central site.
>         Connected to both the internal network at
>         the central site and the Internet.
>         Inside IP=192.168.20.2
>         Outside IP=10.0.0.3
>
> B-GW  - Border gateway of central site.
>         IP=10.0.0.1
>
> INET  - Internet
>
> R-PIX - PIX as border router of remote network.
>         Inside IP=192.168.21.1
>         Outside IP=10.10.0.2
>
> R-Net - Remote network.
>         Net=192.168.21.0/24
>
> Now, what I want to do is first set up a tunnel between the two networks
> (L-NET and R-NET). Computers on L-NET has a default gateway of
> 192.168.20.1, accessing Internet through FW. FW Provides access control
> for these users. FW also has a static route to route traffic to R-NET
> through the L-PIX.
>
> Computers on R-NET has the PIX inside IP (192.168.21.1) as the default
> gateway. All their traffic (including the traffic that should end up on
> the Internet,) should be transmitted through the tunnel. For the client
> traffic exiting the tunnel on L-NET, there needs to be a default gateway
> set to 192.168.20.1, so that their Internet traffic also exits through
> FW, and FW can provide access control for these users.
>
> It is absolutely vital that the traffic does not exit directly to the
> Internet at either PIX. All client traffic bound for the Internet *must*
> be routed through the firewall at the central site (FW).
>
> I've managed to set up a Site-to-Site VPN between the two PIXes,
> establishing network connectivity between the two networks, but I have
> found no solution to applying a default gateway for the traffic going
> from the remote network to Internet. The traffic needs to be
> source-routed in some way, or the clients on the remote network will not
> be able to access the Internet (or any of the other routed networks I've
> got set up here) at all.
>
> Is this at all possible to do with two PIXes? As far as I can tell, the
> remote PIX is doing what it should; forwarding *all* traffic through the
> tunnel. But the local PIX doesn't know what to do with the packets to
> the Internet, to it just drops them.
>
> If this is not possible with the PIXes, could anyone recommend a
> solution? I've done experiments with a Linux box with FreeS/WAN and got
> that to work (using source routing), but I'd like to use a peripheral
> for this job.
>
>   // J
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards