Firewall Wizards mailing list archives
Re: An interesting VPN problem
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Fri, 29 Aug 2003 08:52:44 +0200 (CEST)
Hi all!
> Hi all you Wizes out there. I've got a bit of a problem that I think you might help me solve...
Unfortunately I don't know PIXen, but I think I can give you two general directions to investigate:
> I've got two Cisco PIX 501 with the latest software (6.3.1). We're trying to use them to set up a remote site with *all* client traffic on the remote network being redirected through the site-to-site tunnel (including the traffic that should ultimately end up on the Internet). Traffic from the remote network not targeted for the local network should be routed through a firewall reachable from the local network. My network looks like this:
>
> [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
>          |            |
>          +-->[L-PIX]<-+
So, if the PIXen only do site-to-site VPN and you want all your internal-to-Internet traffic to leave through the firewall at L-Site, you could use something called policy routing. As I said, I don't know if PIXen are "IOS'y" enough, but I did it in a couple of places with Cisco routers like this:

L-PIX/router:

  ! apply the policy to traffic arriving from the tunnel
  interface tun0
   descr tunnel to R-NET
   ip route-cache policy
   ip policy route-map vpn-to-internet
  !
  route-map vpn-to-internet permit 10
   match ip address 101
   set ip next-hop <insert internal IP of firewall here>
  !
  access-list 101 remark match traffic that comes out of R-NET and is not (!) directed to L-NET
  access-list 101 deny ip <R-NET> <R-NET-INVERSE-MASK> <L-NET> <L-NET-INVERSE-MASK>
  access-list 101 permit ip <R-NET> <R-NET-INVERSE-MASK> any

Works like a charm, but I think in your case that's waaaaayyy too complicated, because - if I understood you correctly - you can achieve the same with simple routing: Why should L-PIX know about "the Internet" at all? (read: why should it have a default route pointing to the Internet?)

Set up your routing tables on the PIXen like this:

R-PIX:
  Host route for external IP address of L-PIX directed to "the Internet"
  Default route to tunnel

L-PIX:
  Host route for external IP address of R-PIX to "the Internet"
  Network route for R-NET to the tunnel
  Default route to _internal_ IP address of firewall

Firewall:
  Network route for R-NET to internal IP address of L-PIX (you probably have that already)

HTH,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH Internet - Services - Consulting
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
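Added illustration, not part of the reply above or of the original thread: a small Python model of the "simple routing" tables Patrick proposes, traced with longest-prefix matching to show why the /32 host route for the peer's external address has to beat the default route into the tunnel. All addresses are constructed documentation-range values, and the router and next-hop labels are assumptions.

```python
import ipaddress

# Constructed addresses (documentation ranges), not from the original thread.
L_NET, R_NET = "10.1.0.0/16", "10.2.0.0/16"
L_PIX_EXT, R_PIX_EXT = "203.0.113.10", "198.51.100.20"

# Routing tables as proposed in the reply, as (prefix, next-hop label) pairs.
# Connected networks are included so a trace can terminate on them.
TABLES = {
    "R-PIX": [(R_NET, "R-NET"), (L_PIX_EXT + "/32", "internet"),
              ("0.0.0.0/0", "tunnel")],
    "L-PIX": [(L_NET, "L-NET"), (R_PIX_EXT + "/32", "internet"),
              (R_NET, "tunnel"), ("0.0.0.0/0", "FW")],
    "FW": [(L_NET, "L-NET"), (R_NET, "L-PIX"), ("0.0.0.0/0", "B-GW")],
}
# Next-hop labels that lead to another router in the model; anything else is an exit.
TRANSIT = {("R-PIX", "tunnel"): "L-PIX", ("L-PIX", "tunnel"): "R-PIX",
           ("L-PIX", "FW"): "FW", ("FW", "L-PIX"): "L-PIX"}

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(start, dst, max_hops=8):
    """Routers a packet to dst passes through from start, ending with its exit."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(TABLES[node], dst)
        if (node, nh) not in TRANSIT:
            return path + [nh]
        node = TRANSIT[(node, nh)]
        path.append(node)
    return path + ["loop?"]

if __name__ == "__main__":
    # R-NET client to the Internet: tunnel first, then out through FW.
    print(trace("R-PIX", "192.0.2.7"))           # ['R-PIX', 'L-PIX', 'FW', 'B-GW']
    # The encrypted tunnel packets themselves stay on the /32 host route.
    print(trace("R-PIX", L_PIX_EXT))             # ['R-PIX', 'internet']
    # Without that host route, R-PIX would send them back into the tunnel.
    print(lookup([("0.0.0.0/0", "tunnel")], L_PIX_EXT))  # tunnel
```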
Current thread:
- An interesting VPN problem Jonas Anden (Aug 28)
- Re: An interesting VPN problem Patrick M. Hausen (Aug 29)
- RE: An interesting VPN problem Ben Nagy (Aug 29)