Firewall Wizards mailing list archives
Re: bypassing PIX limitation
From: Paolo Supino <paolo () actcom net il>
Date: Fri, 10 Nov 2006 10:57:16 -0500
Hi Kevin,

That is what I thought of doing, but I can't find any documentation on how to do it. Can you please direct me to documentation that shows how to NAT traffic going into a VPN?

TIA
Paolo

Horvath, Kevin M. wrote:

> In this case you could just try to NAT the traffic through the VPN... haven't tried it before, but it should work.
>
> Kevin
>
> ------------------------------------------------------------------------
> From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of David Swafford
> Sent: Thursday, November 09, 2006 2:16 PM
> To: firewall-wizards () listserv icsalabs com
> Subject: Re: [fw-wiz] bypassing PIX limitation
>
> Hi Paolo,
>
> In your existing network, are you using any of the 172.28.x.x address space? If not, then one option that comes to my mind is that you could set up another PIX box whose sole purpose is to connect to the partner's tunnel (if the traffic is not too demanding, maybe something small like a PIX 506?). I would then suggest that you somehow propagate a route that points to the PIX as being the next-hop gateway for all 172.28.x.x addresses. This most likely involves the need to purchase another PIX, or maybe just setting another interface on a Cisco router running the IOS firewall would work?
>
> Just a few thoughts.
>
> David Swafford
>
> > Hi Kevin,
> >
> > The IP address space assigned to me is not part of their public IP address space. I apologize, I explained myself wrong. Hopefully the following information will be clearer: the network behind my PIX is 192.168.99.x (the PIX has a public IP address). Our partner uses IP addresses on network 172.28.x.x/16. They want me to use on my network IP addresses on subnet 172.28.150.32/28.
> >
> > TIA
> > Paolo
> >
> > Horvath, Kevin M. wrote:
> >
> > > When you say carved out of their IP network, I assume you are talking about the public assigned IP space, as the private IP space is anyone's. If this is correct then whoever wrote their policy needs to go to some basic routing training, as that just doesn't make any sense. You should be able to NAT traffic across a VPN tunnel, although I have never tried it, since NAT is done before packets are encrypted.
> > >
> > > Your problem will be that you have to assign the outside IP block from the partner to your global statement, which will probably give you issues, as it breaks routing concepts (meaning those aren't assigned/routed to you so they won't go anywhere, but since they are going over an IPsec tunnel it's plausible). Even if you get it working from your side it will be interesting to see how they handle their incoming public IP space from an IPsec tunnel since it's routed to their outside interface already. The more and more I think about this the more I realize it should not even be tried. It's just a bad idea altogether. I just hope you mean private IP, not the partner's public IP space, when you say "carved out of their overall IP network range"?
> > >
> > > Kevin M. Horvath
> > > CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
> > > SAIC - IT Security Division
> > > 703.868.1503
> > >
> > > -----Original Message-----
> > > From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Paolo Supino
> > > Sent: Wednesday, November 08, 2006 7:23 PM
> > > To: Firewall Wizards Security Mailing List
> > > Subject: [fw-wiz] bypassing PIX limitation
> > >
> > > Hi
> > >
> > > I have a network that is protected by a PIX 515e running 6.3(1). I was asked to set up an IPSEC VPN with a partner. The partner's security policy mandates that a remote encryption domain must use IP addresses on a subnet carved out of their overall IP network range. The network behind my PIX uses IP addresses on a subnet that is outside of their IP network. Adding a second IP to my network isn't supported by the PIXOS. To bypass this limitation I thought of NATing packets going into the VPN tunnel. I've been looking for documentation for such a scenario, but can't find anything. Can packets going into a VPN tunnel be NATed?
> > >
> > > TIA
> > > Paolo

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
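The thread's question (can packets be NATed on the way into a PIX IPsec tunnel, and if so how) worked through as configuration. This is an added example, not a configuration posted by anyone in the thread. It uses only the addresses the thread gives (inside 192.168.99.0/24, partner 172.28.0.0/16, partner-assigned range 172.28.150.32/28); the ACL and crypto map names, NAT id 5, the transform set and ISAKMP policy, the inside server 192.168.99.10, and the peer address 203.0.113.1 are placeholders chosen here. The syntax is PIX 6.3 policy NAT; check it against the command reference for the exact 6.3 release in use.

```cisco
! Added example (not from the thread): policy NAT into an IPsec tunnel, PIX 6.3.
! Assumed from the thread: inside 192.168.99.0/24, partner 172.28.0.0/16,
! partner-assigned range 172.28.150.32/28. Names, NAT id 5, 192.168.99.10 and the
! peer 203.0.113.1 are placeholders.

! 1. Identify the traffic to translate: anything from the inside LAN to the partner.
access-list TO_PARTNER permit ip 192.168.99.0 255.255.255.0 172.28.0.0 255.255.0.0

! 2. Policy NAT: only flows matching TO_PARTNER get a source from the assigned /28.
!    The range has 14 usable addresses and the LAN is a /24, so use 13 of them as a
!    dynamic pool and keep the last one as a PAT address the PIX falls back to when
!    the pool is exhausted.
global (outside) 5 172.28.150.33-172.28.150.45 netmask 255.255.255.240
global (outside) 5 172.28.150.46 netmask 255.255.255.240
nat (inside) 5 access-list TO_PARTNER

!    Dynamic NAT only builds translations for inside-initiated flows. If the partner
!    must initiate connections to a specific host, give that host a fixed policy
!    static instead (placeholder host 192.168.99.10 -> 172.28.150.34):
! access-list SRV_TO_PARTNER permit ip host 192.168.99.10 172.28.0.0 255.255.0.0
! static (inside,outside) 172.28.150.34 access-list SRV_TO_PARTNER

! 3. If a "nat 0" exemption exists for other VPNs, its ACL must NOT cover
!    192.168.99.0/24 -> 172.28.0.0/16; an exempted packet would enter the tunnel
!    untranslated and fall outside the partner's encryption domain.

! 4. Crypto ACL. NAT runs before encryption on the PIX, so the interesting-traffic
!    ACL matches the TRANSLATED source, which is exactly the encryption domain the
!    partner's policy asks for. The partner's crypto ACL must be the mirror image.
access-list PARTNER_VPN permit ip 172.28.150.32 255.255.255.240 172.28.0.0 255.255.0.0

! 5. IPsec / ISAKMP for the partner peer.
crypto ipsec transform-set PARTNER_TS esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address PARTNER_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set PARTNER_TS
crypto map OUTSIDE_MAP interface outside
sysopt connection permit-ipsec

isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 6. NAT changes only take effect for new translations.
clear xlate

! Verification (expected after an inside host sends traffic to the partner):
!   show xlate            -> entries mapping 192.168.99.x to 172.28.150.x
!   show crypto ipsec sa  -> local ident 172.28.150.32/255.255.255.240, #pkts encaps rising
```

The order of operations is the whole point: because the PIX translates before it encrypts, the crypto ACL and the SA negotiated with the partner only ever see 172.28.150.32/28, and the fact that nobody on the Internet routes that prefix to the outside interface does not matter for tunnelled traffic. The limits are those the thread already raises: the assigned /28 is private address space the partner carved out for this purpose, return traffic only works because the partner's mirrored crypto ACL sends 172.28.150.32/28 back into the tunnel rather than onto their LAN, and a dynamic pool gives the partner no way to reach your hosts unless a static policy entry is added for each host they need.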