Firewall Wizards mailing list archives

Re: bypassing PIX limitation

From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Thu, 9 Nov 2006 10:04:20 -0500

When you say carved out of their IP network, I assume you are talking about
the public assigned IP space, as the private ip space is anyones.  If this
is correct then whoever wrote their policy needs to go to some basic routing
training as that just doesn't make any sense.  You should be able to nat
traffic across a vpn tunnel, although I have never tried it, since nat is
done before packets are encrypted.  Your problem will be that you have to
assign the outside ip block from the partner to your global statement which
will probably give you issues, as it breaks routing concepts (meaning those
aren't assigned/routed to you so they wont go anywhere, but since they are
going over an ipsec tunnel its plausible).  Even if you get it working from
your side it will be interesting to see how they handle their incoming
public ip space from an ipsec tunnel since its routed to their outside
interface already.  The more and more I think about this the more I realize
it should not even be tried.  Its just a bad idea altogether.  I just hope
you mean private ip not the partners public ip space when you say " carved
out of their overall IP network range"?

Kevin M. Horvath
CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
SAIC - IT Security Division
703.868.1503

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com
[mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Paolo
Supino
Sent: Wednesday, November 08, 2006 7:23 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] bypassing PIX limitation

Hi

  I have a network that is protected by a PIX 515e running 6.3(1). I was 
asked to setup a IPSEC VPN with a partner. The partner's security policy 
mandates that  a remote encryption domain must use IP addresses on a 
subnet carved out of their overall IP network range. The network behind 
my PIX uses IP addresses on a subnet that is outside of their IP 
network. Adding a second IP to my network isn't supported by the PIX OS. 
To bypass this limitation I thought of NATing packets going into the VPN 
tunnel.  I've been looking for documentation for such a scenario, but 
can't find anything. Can packets going into a VPN tunnel be NATed?







TIA
Paolo

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

bypassing PIX limitation Paolo Supino (Nov 09)
- <Possible follow-ups>
- Re: bypassing PIX limitation Horvath, Kevin M. (Nov 09)
  - Re: bypassing PIX limitation Paolo Supino (Nov 09)
    - Re: bypassing PIX limitation Josh (Nov 09)
- Re: bypassing PIX limitation David Swafford (Nov 09)
  - Re: bypassing PIX limitation Paolo Supino (Nov 11)
    - Re: bypassing PIX limitation Marcus J. Ranum (Nov 11)
    - Re: bypassing PIX limitation Chris Blask (Nov 11)
    - Help Dave Piscitello (Nov 15)
    - Re: Help Utz, Ralph (Nov 15)
    - Re: Help Aaron Smith (Nov 15)
- Re: bypassing PIX limitation Horvath, Kevin M. (Nov 09)

(Thread continues...)