Firewall Wizards mailing list archives
Re: bypassing PIX limitation
From: Paolo Supino <paolo () actcom net il>
Date: Thu, 09 Nov 2006 10:34:50 -0500
Hi Kevin

The IP address space assigned to me is not part of their public IP address space. I apologize, I explained myself wrong. Hopefully the following information will be clearer:

The network behind my PIX is 192.168.99.x (the PIX has a public IP address). Our partner uses IP addresses on network 172.28.x.x/16. They want me to use on my network IP addresses on subnet 172.28.150.32/28.

TIA
Paolo

Horvath, Kevin M. wrote:

> When you say carved out of their IP network, I assume you are talking about the public assigned IP space, as the private IP space is anyone's. If this is correct then whoever wrote their policy needs to go to some basic routing training, as that just doesn't make any sense.
>
> You should be able to NAT traffic across a VPN tunnel, although I have never tried it, since NAT is done before packets are encrypted. Your problem will be that you have to assign the outside IP block from the partner to your global statement, which will probably give you issues, as it breaks routing concepts (meaning those aren't assigned/routed to you so they won't go anywhere, but since they are going over an IPsec tunnel it's plausible). Even if you get it working from your side it will be interesting to see how they handle their incoming public IP space from an IPsec tunnel since it's routed to their outside interface already.
>
> The more and more I think about this the more I realize it should not even be tried. It's just a bad idea altogether. I just hope you mean private IP, not the partner's public IP space, when you say "carved out of their overall IP network range"?
>
> Kevin M. Horvath
> CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
> SAIC - IT Security Division
> 703.868.1503
>
> -----Original Message-----
> From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Paolo Supino
> Sent: Wednesday, November 08, 2006 7:23 PM
> To: Firewall Wizards Security Mailing List
> Subject: [fw-wiz] bypassing PIX limitation
>
> Hi
>
> I have a network that is protected by a PIX 515e running 6.3(1). I was asked to set up an IPSEC VPN with a partner. The partner's security policy mandates that a remote encryption domain must use IP addresses on a subnet carved out of their overall IP network range. The network behind my PIX uses IP addresses on a subnet that is outside of their IP network. Adding a second IP to my network isn't supported by the PIX OS.
>
> To bypass this limitation I thought of NATing packets going into the VPN tunnel. I've been looking for documentation for such a scenario, but can't find anything. Can packets going into a VPN tunnel be NATed?
>
> TIA
> Paolo
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
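The question the thread turns on, whether traffic can be translated before it enters the tunnel, is easiest to see as configuration. What follows is an added illustration written for this archive page, not configuration posted by Paolo or Kevin. It uses the PIX 6.3 policy-NAT form (`nat ... access-list`) and the addresses given in the thread (192.168.99.0/24 inside, the partner's 172.28.0.0/16, the assigned 172.28.150.32/28); the partner peer address, pre-shared key and transform set are placeholders. The point it demonstrates is ordering: on the PIX, address translation happens before the crypto map is consulted, so the crypto ACL that selects traffic for the tunnel must match the translated 172.28.150.32/28 source addresses, not the 192.168.99.x originals. It also assumes there is no `nat (inside) 0 access-list` exemption covering this traffic, because NAT exemption is evaluated first and would skip the translation.

```cisco
! Added example for this page, not from the thread.
! Addresses come from the thread; peer, key and transform set are placeholders.

! 1. Select inside-LAN traffic bound for the partner's /16 for translation.
access-list vpn-nat permit ip 192.168.99.0 255.255.255.0 172.28.0.0 255.255.0.0

! 2. Policy NAT (PIX 6.3 and later): only traffic matching vpn-nat uses pool 2.
!    Ordinary Internet-bound traffic keeps using whatever nat/global pair it has today.
nat (inside) 2 access-list vpn-nat

! 3. Pool 2 is the /28 the partner assigned (usable hosts .33 to .46).
!    The range gives dynamic one-to-one translations; the single address is a
!    PAT fallback used once the range is exhausted.
global (outside) 2 172.28.150.33-172.28.150.45 netmask 255.255.255.240
global (outside) 2 172.28.150.46 netmask 255.255.255.240

! 4. Crypto ACL written in terms of the TRANSLATED source addresses.
!    This is what the partner sees as the remote encryption domain.
access-list vpn-partner permit ip 172.28.150.32 255.255.255.240 172.28.0.0 255.255.0.0

! 5. Standard IPsec pieces; all values here are placeholders.
sysopt connection permit-ipsec
crypto ipsec transform-set PARTNER-SET esp-3des esp-sha-hmac
crypto map PARTNER-MAP 10 ipsec-isakmp
crypto map PARTNER-MAP 10 match address vpn-partner
crypto map PARTNER-MAP 10 set peer <PARTNER-PEER-IP>
crypto map PARTNER-MAP 10 set transform-set PARTNER-SET
crypto map PARTNER-MAP interface outside
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address <PARTNER-PEER-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

Two practical consequences follow from the dynamic pool. First, the partner can only reach an inside host while that host holds a translation, so if the partner needs to initiate connections, one-to-one `static (inside,outside)` entries for the hosts concerned (at most the fourteen usable addresses of the /28) replace the dynamic range. Second, `show xlate` on the PIX is the place to confirm that tunnel traffic really is leaving with a 172.28.150.x source; if the crypto ACL is accidentally written against 192.168.99.x, the translated packets never match it and simply fall through to the default route unencrypted, which is the failure mode worth checking for before the tunnel is declared working.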
Current thread:
- bypassing PIX limitation Paolo Supino (Nov 09)
- <Possible follow-ups>
- Re: bypassing PIX limitation Horvath, Kevin M. (Nov 09)
- Re: bypassing PIX limitation Paolo Supino (Nov 09)
- Re: bypassing PIX limitation Josh (Nov 09)
- Re: bypassing PIX limitation Paolo Supino (Nov 09)
- Re: bypassing PIX limitation David Swafford (Nov 09)
- Re: bypassing PIX limitation Paolo Supino (Nov 11)
- Re: bypassing PIX limitation Marcus J. Ranum (Nov 11)
- Re: bypassing PIX limitation Chris Blask (Nov 11)
- Help Dave Piscitello (Nov 15)
- Re: Help Utz, Ralph (Nov 15)
- Re: Help Aaron Smith (Nov 15)
- Re: bypassing PIX limitation Paolo Supino (Nov 11)
- Re: bypassing PIX limitation Paolo Supino (Nov 11)