Firewall Wizards mailing list archives
Re: bypassing PIX limitation
From: Paolo Supino <paolo () actcom net il>
Date: Fri, 10 Nov 2006 11:05:37 -0500
Hi David

Do you have any unused PIX that you can lend indefinitely? I don't have any free and my budget is 0 :-(

TIA
Paolo

David Swafford wrote:

Hi Paolo,

In your existing network, are you using any of the 172.28.x.x address space? If not, then one option that comes to my mind is that you could set up another PIX box whose sole purpose is to connect to the partner's tunnel (if the traffic is not too demanding maybe something small like a PIX 506?). I would then suggest that you somehow propagate a route that points to the PIX as being the next hop gateway for all 172.28.x.x addresses. This most likely involves the need to purchase another PIX, or maybe just setting up another interface on a Cisco router running the IOS firewall would work? Just a few thoughts.

David Swafford.

Paolo Supino wrote:

Hi Kevin

The IP address space assigned to me is not part of their public IP address space. I apologize, I explained myself wrong. Hopefully the following information will be clearer: The network behind my PIX is 192.168.99.x (the PIX has a public IP address). Our partner uses IP addresses on network 172.28.x.x/16. They want me to use on my network IP addresses on subnet 172.28.150.32/28.

TIA
Paolo

Horvath, Kevin M. wrote:

When you say carved out of their IP network, I assume you are talking about the public assigned IP space, as the private IP space is anyone's. If this is correct then whoever wrote their policy needs to go to some basic routing training as that just doesn't make any sense. You should be able to NAT traffic across a VPN tunnel, although I have never tried it, since NAT is done before packets are encrypted. Your problem will be that you have to assign the outside IP block from the partner to your global statement which will probably give you issues, as it breaks routing concepts (meaning those aren't assigned/routed to you so they won't go anywhere, but since they are going over an IPsec tunnel it's plausible). Even if you get it working from your side it will be interesting to see how they handle their incoming public IP space from an IPsec tunnel since it's routed to their outside interface already.

The more and more I think about this the more I realize it should not even be tried. It's just a bad idea altogether. I just hope you mean private IP not the partner's public IP space when you say "carved out of their overall IP network range"?

Kevin M. Horvath
CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
SAIC - IT Security Division
703.868.1503

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Paolo Supino
Sent: Wednesday, November 08, 2006 7:23 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] bypassing PIX limitation

Hi

I have a network that is protected by a PIX 515e running 6.3(1). I was asked to set up an IPsec VPN with a partner. The partner's security policy mandates that a remote encryption domain must use IP addresses on a subnet carved out of their overall IP network range. The network behind my PIX uses IP addresses on a subnet that is outside of their IP network. Adding a second IP to my network isn't supported by the PIX OS. To bypass this limitation I thought of NATing packets going into the VPN tunnel. I've been looking for documentation for such a scenario, but can't find anything. Can packets going into a VPN tunnel be NATed?

TIA
Paolo

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
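The "NAT is done before packets are encrypted" point Kevin makes is exactly what PIX 6.3 policy NAT relies on: the translation into the partner-assigned 172.28.150.32/28 block is keyed on the partner destination, and the crypto ACL then matches the translated source. The following fragment is an added illustration, not configuration from anyone in the thread; the ACL, crypto map and transform-set names are made up, <PARTNER-PEER-IP> and <PRESHARED-KEY> are placeholders, and the policy NAT syntax is assumed to be the PIX 6.3 form rather than taken from the posts.

```cisco
! Added example (not from the thread). Hypothetical names; <PARTNER-PEER-IP>
! and <PRESHARED-KEY> are placeholders. Assumes PIX 6.3 policy NAT syntax.

! 1. Only traffic from the real inside network TO the partner network
!    is selected for translation (destination-keyed policy NAT).
access-list TO_PARTNER_NAT permit ip 192.168.99.0 255.255.255.0 172.28.0.0 255.255.0.0

! 2. Dynamic policy NAT: inside hosts appear to the partner as
!    172.28.150.33-46, the usable part of the assigned /28. NAT id 2 is
!    kept separate from the normal Internet NAT (id 1), so other outbound
!    traffic is untouched.
nat (inside) 2 access-list TO_PARTNER_NAT
global (outside) 2 172.28.150.33-172.28.150.46 netmask 255.255.255.240

! 3. The crypto ACL uses the TRANSLATED source. NAT runs before encryption,
!    so this is the remote proxy identity the partner's encryption domain
!    must see; an ACL written for 192.168.99.0/24 would never match.
access-list PARTNER_VPN permit ip 172.28.150.32 255.255.255.240 172.28.0.0 255.255.0.0

! 4. Any NAT exemption (nat 0 access-list ...) must NOT also cover
!    192.168.99.0/24 -> 172.28.0.0/16: exemption wins over policy NAT, and
!    the untranslated packets would then fail to match PARTNER_VPN.

crypto ipsec transform-set PARTNER_TS esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address PARTNER_VPN
crypto map OUTSIDE_MAP 10 set peer <PARTNER-PEER-IP>
crypto map OUTSIDE_MAP 10 set transform-set PARTNER_TS
crypto map OUTSIDE_MAP interface outside

isakmp enable outside
isakmp key <PRESHARED-KEY> address <PARTNER-PEER-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted tunnel traffic bypass the outside interface access list.
sysopt connection permit-ipsec
```

Because the translation is dynamic, only sessions initiated from the 192.168.99.x side will work; a host the partner must reach first would instead need a policy `static` mapping it to one address in the /28, using the same destination-keyed ACL style. The ISAKMP and transform-set parameters are illustrative and must match whatever the partner agrees to.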