Firewall Wizards mailing list archives

Re: An interesting VPN problem


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Fri, 29 Aug 2003 08:52:44 +0200 (CEST)

Hi all!

> Hi all you Wizes out there. I've got a bit of a problem that I think you
> might help me solve...

Unfortunately I don't know PIXen, but I think I can give you
two general directions to investigate:

> I've got two Cisco PIX 501 with the latest software (6.3.1). We're
> trying to use them to set up a remote site with *all* client traffic on
> the remote network being redirected through the site-to-site tunnel
> (including the traffic that should ultimately end up on the Internet).
> Traffic from the remote network not targeted for the local network
> should be routed through a firewall reachable from the local network.

> My network looks like this:
>
>
> [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
>          |            |
>          +-->[L-PIX]<-+

So, if the PIXen only do site-to-site VPN and you want all your
internal-to-Internet traffic to leave through the firewall at L-Site,
you could use something called policy routing. As I said, I don't know
if PIXen are "IOS'y" enough, but I did it in a couple of places
with Cisco routers like this:

L-PIX/router:

interface Tunnel0
 description tunnel to R-NET
 ip route-cache policy
 ip policy route-map vpn-to-internet
!
route-map vpn-to-internet permit 10
 match ip address 101
 set ip next-hop <insert internal IP of firewall here>
!
access-list 101 remark match traffic that comes out of R-NET and is not (!) directed to L-NET
access-list 101 deny ip <R-NET> <R-NET-INVERSE-MASK> <L-NET> <L-NET-INVERSE-MASK>
access-list 101 permit ip <R-NET> <R-NET-INVERSE-MASK> any


Works like a charm, but I think in your case that's waaaaayyy too
complicated, because - if I understood you correctly - you can achieve
the same with simple routing:

Why should L-PIX know about "the Internet" at all? (read: why should
it have a default route pointing to the Internet?)

Set up your routing tables on the PIXen like this:

R-PIX:

Host route for external IP address of L-PIX directed to "the Internet"
Default route to tunnel

L-PIX:

Host route for external IP address of R-PIX to "the Internet"
Network route for R-NET to the tunnel
Default route to _internal_ IP address of firewall

Firewall:

Network route for R-NET to internal IP address of L-PIX
(you probably have that already)


HTH,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
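The routing-table design from the reply above, as an added worked example (not code from the thread or from either PIX): a small longest-prefix-match model with constructed sample addresses that traces where packets end up and checks that the /32 host routes for the peer's public address keep the encapsulated IPsec packets out of the tunnel itself.

```python
import ipaddress

# Constructed sample addresses (not from the thread); RFC 1918/5737 ranges.
L_NET, R_NET = "10.1.0.0/16", "10.2.0.0/16"
L_PIX_EXT, R_PIX_EXT = "198.51.100.10", "203.0.113.20"
FW_INT, L_PIX_INT = "10.1.0.1", "10.1.0.2"

# Routing tables as the reply proposes: list of (prefix, next hop), plus the
# connected routes each box has anyway. "tunnel" means "send via the IPsec SA".
ROUTES = {
    "R-PIX": [(R_NET, "R-NET"), (L_PIX_EXT + "/32", "internet"),
              ("0.0.0.0/0", "tunnel")],
    "L-PIX": [(L_NET, "L-NET"), (R_PIX_EXT + "/32", "internet"),
              (R_NET, "tunnel"), ("0.0.0.0/0", FW_INT)],
    "FW":    [(L_NET, "L-NET"), (R_NET, L_PIX_INT), ("0.0.0.0/0", "B-GW")],
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None if nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def next_device(dev, nh):
    """Map a next hop to the box that receives the packet; the far end of the
    tunnel decapsulates, so 'tunnel' hands the inner packet to the peer PIX."""
    if nh == "tunnel":
        return "L-PIX" if dev == "R-PIX" else "R-PIX"
    return {FW_INT: "FW", L_PIX_INT: "L-PIX"}.get(nh, nh)  # else: terminal

def trace(start, dst, max_hops=8):
    """Follow dst hop by hop from start; ends at a terminal name or 'loop'."""
    path, dev = [start], start
    for _ in range(max_hops):
        nh = lookup(ROUTES[dev], dst)
        if nh is None:
            return path + ["unroutable"]
        dev = next_device(dev, nh)
        path.append(dev)
        if dev not in ROUTES:          # left the modelled boxes (INET, a LAN)
            return path
    return path + ["loop"]

def outer_packet_ok(dev, peer_ext):
    """The encapsulated IPsec packet to the peer's public IP must leave via the
    Internet, not be fed back into the tunnel: that is what the /32 is for."""
    return lookup(ROUTES[dev], peer_ext) == "internet"
```

With only a default route to the tunnel and no /32 for the peer, `lookup` sends the outer packet back into the tunnel, which is the recursion the host route prevents.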

