Re: bypassing PIX limitation

[Josh <lostman () liquidcode org>]

Couldn't you setup a policy NAT based on their address block? I know we 
did this exact scenario in the SNPA class I just forget exactly what we 
did and I'm still pretty new. If I can dig up my class material I may be 
able to find the solution.

Paolo Supino wrote:
> Hi Kevin
>
>    The IP address space assigned to me is not part of their public IP 
> address space. I apologize, I explained myself wrong.
> Hopefully the following information will be clearer: The network behind 
> my PIX is 192.168.99.x (the pix has a public IP address). Our partner 
> uses IP addresses on network 172.28.x.x/16. They want me to use on my 
> network IP addresses on subnet 172.28.150.32/28.
>
>
>
>
>
>
> TIA
> Paolo
>
>
>
> Horvath, Kevin M. wrote:
>
>   
> > When you say carved out of their IP network, I assume you are talking about
> > the public assigned IP space, as the private ip space is anyones.  If this
> > is correct then whoever wrote their policy needs to go to some basic routing
> > training as that just doesn't make any sense.  You should be able to nat
> > traffic across a vpn tunnel, although I have never tried it, since nat is
> > done before packets are encrypted.  Your problem will be that you have to
> > assign the outside ip block from the partner to your global statement which
> > will probably give you issues, as it breaks routing concepts (meaning those
> > aren't assigned/routed to you so they wont go anywhere, but since they are
> > going over an ipsec tunnel its plausible).  Even if you get it working from
> > your side it will be interesting to see how they handle their incoming
> > public ip space from an ipsec tunnel since its routed to their outside
> > interface already.  The more and more I think about this the more I realize
> > it should not even be tried.  Its just a bad idea altogether.  I just hope
> > you mean private ip not the partners public ip space when you say " carved
> > out of their overall IP network range"?
> >
> > Kevin M. Horvath
> > CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
> > SAIC - IT Security Division
> > 703.868.1503
> >
> > -----Original Message-----
> > From: firewall-wizards-bounces () listserv cybertrust com
> > [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Paolo
> > Supino
> > Sent: Wednesday, November 08, 2006 7:23 PM
> > To: Firewall Wizards Security Mailing List
> > Subject: [fw-wiz] bypassing PIX limitation
> >
> > Hi
> >
> >  I have a network that is protected by a PIX 515e running 6.3(1). I was 
> > asked to setup a IPSEC VPN with a partner. The partner's security policy 
> > mandates that  a remote encryption domain must use IP addresses on a 
> > subnet carved out of their overall IP network range. The network behind 
> > my PIX uses IP addresses on a subnet that is outside of their IP 
> > network. Adding a second IP to my network isn't supported by the PIX OS. 
> > To bypass this limitation I thought of NATing packets going into the VPN 
> > tunnel.  I've been looking for documentation for such a scenario, but 
> > can't find anything. Can packets going into a VPN tunnel be NATed?
> >
> >
> >
> >
> >
> >
> >
> > TIA
> > Paolo
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> >  
> >
> >     
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>   


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards