Because the main Internet firewall's behavior and capability is somewhat of a wildcard, I'm not sure that this is going to be possible, but if it is, here's what I would try. Set the default gateway of the L-PIX to the inside interface of FW:
route inside 0.0.0.0 0.0.0.0 192.168.20.1
Then set a static route on L-PIX that points to R-PIX via GW:
route outside 10.10.0.2 255.255.255.255 10.0.0.1
L-PIX will automatically create the local route for L-NET. Make certain that L-PIX does not NAT packets destined for R-NET and that L-PIX is only encrypting traffic destined for R-NET:
access-list vpntornet permit ip 0.0.0.0 0.0.0.0 192.168.21.0 255.255.255.0
nat (inside) 0 access-list vpntornet
crypto map mymap 20 match address vpntornet
!-- obviously the map name and priority will need
!-- to match what's already configured on L-PIX
Then, do essentially the same thing for R-PIX, making sure that the match for the crypto map is a mirror image of what's on L-PIX:
access-list vpntolnet permit ip 192.168.21.0 255.255.255.0 0.0.0.0 0.0.0.0
nat (inside) 0 access-list vpntolnet
crypto map mymap 20 match address vpntolnet
!-- obviously the map name and priority will need
!-- to match what's already configured on R-PIX
Good luck!
PaulM
PS - If this doesn't work, you can always allow Internet access to R-NET via R-PIX, and still perform logging, authentication, and content filtering across the VPN tunnel to servers located on L-NET. Keep that in mind as a fall-back scenario.
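The script below is an added example, not code from PaulM's reply or from Cisco. It parses the PIX 6.x lines quoted above (access-list, route, nat 0 and crypto map), checks that the two crypto ACLs are exact mirror images of each other and that each nat 0 exemption names the crypto ACL, and then traces which interface and gateway each PIX would hand a sample packet to. The R-PIX default route (next hop 10.10.0.1), the sample hosts 192.168.21.50 on R-NET and 198.51.100.10 on the Internet, and the peer addresses used for the route lookup are assumptions; the post gives only the lines it quotes.

```python
"""Added check for the PIX 6.x snippets in the reply above (not code from the
original post or from Cisco): parse the access-list, route, nat 0 and crypto
map lines, confirm the two crypto ACLs are mirror images, confirm the nat 0
exemption uses the crypto ACL, and trace where each PIX sends a packet."""
import ipaddress

# L-PIX lines exactly as given in the reply.
L_PIX = """
route inside 0.0.0.0 0.0.0.0 192.168.20.1
route outside 10.10.0.2 255.255.255.255 10.0.0.1
access-list vpntornet permit ip 0.0.0.0 0.0.0.0 192.168.21.0 255.255.255.0
nat (inside) 0 access-list vpntornet
crypto map mymap 20 match address vpntornet
"""
# R-PIX lines from the reply, plus an ASSUMED default route (the post gives
# no R-PIX routes; 10.10.0.1 is a made-up next hop on the R-PIX outside net).
R_PIX = """
route outside 0.0.0.0 0.0.0.0 10.10.0.1
access-list vpntolnet permit ip 192.168.21.0 255.255.255.0 0.0.0.0 0.0.0.0
nat (inside) 0 access-list vpntolnet
crypto map mymap 20 match address vpntolnet
"""


def _addr(tokens):
    """Pop one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'.
    PIX access-lists take real subnet masks, not IOS wildcard masks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return the pieces of a PIX config that matter for the tunnel question."""
    cfg = {"acls": {}, "routes": [], "nat0": {}, "crypto": {}}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":  # access-list NAME permit|deny PROTO SRC DST
            rest = t[4:]
            ace = (t[2], t[3], _addr(rest), _addr(rest))
            cfg["acls"].setdefault(t[1], []).append(ace)
        elif t[0] == "route":  # route IFACE NET MASK GATEWAY
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            cfg["routes"].append((t[1], net, t[4]))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]  # nat (IFACE) 0 access-list NAME
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto"][(t[2], int(t[3]))] = t[6]  # crypto map NAME SEQ match address ACL
    return cfg


def acl_action(aces, src, dst):
    """First-match evaluation, with the implicit deny every PIX ACL ends in."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, _proto, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def mirrors(aces_a, aces_b):
    """True when B is exactly A with source and destination swapped, entry for entry."""
    swapped = {(act, proto, dst, src) for act, proto, src, dst in aces_a}
    return swapped == set(aces_b)


def nat0_covers_crypto(cfg):
    """The ACL named in the crypto map must be one exempted by nat 0, otherwise
    the PIX translates the interesting traffic before the crypto map sees it."""
    return set(cfg["crypto"].values()) <= set(cfg["nat0"].values())


def next_hop(routes, dst):
    """Longest-prefix route lookup; returns (interface, gateway) or None."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r[1]]
    if not hits:
        return None
    iface, _net, gw = max(hits, key=lambda r: r[1].prefixlen)
    return iface, gw


def trace(cfg, peer, src, dst):
    """Would this PIX encrypt src->dst, and which interface/gateway does the
    packet leave by?  An encrypted packet is routed by the peer address, a
    cleartext one by its real destination."""
    crypto_acl = next(iter(cfg["crypto"].values()))
    encrypted = acl_action(cfg["acls"][crypto_acl], src, dst) == "permit"
    return encrypted, next_hop(cfg["routes"], peer if encrypted else dst)


if __name__ == "__main__":
    l_cfg, r_cfg = parse_config(L_PIX), parse_config(R_PIX)
    print("crypto ACLs mirror:", mirrors(l_cfg["acls"]["vpntornet"], r_cfg["acls"]["vpntolnet"]))
    print("nat 0 uses crypto ACL:", nat0_covers_crypto(l_cfg), nat0_covers_crypto(r_cfg))
    # Sample hosts are made up: 192.168.21.50 on R-NET, 198.51.100.10 on the Internet.
    print("R-PIX, R-NET host to Internet:", trace(r_cfg, "10.0.0.3", "192.168.21.50", "198.51.100.10"))
    print("L-PIX, decrypted R-NET packet onward:", trace(l_cfg, "10.10.0.2", "192.168.21.50", "198.51.100.10"))
    print("L-PIX, reply back to R-NET:", trace(l_cfg, "10.10.0.2", "198.51.100.10", "192.168.21.50"))
```

The last trace is the one worth running with the `route outside 10.10.0.2 255.255.255.255 10.0.0.1` line removed: with the default route pointing at the inside interface, the encrypted packet to the peer 10.10.0.2 would then be routed toward FW instead of B-GW, which is why the host route to the remote peer is needed alongside the inside-facing default route.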
> -----Original Message-----
> I've got two Cisco PIX 501 with the latest software (6.3.1). We're
> trying to use them to set up a remote site with *all* client traffic on
> the remote network being redirected through the site-to-site tunnel
> (including the traffic that should ultimately end up on the Internet).
> Traffic from the remote network not targeted for the local network
> should be routed through a firewall reachable from the local network.
>
> My network looks like this:
>
>
> [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
>          |            |
>          +-->[L-PIX]<-+
>
>
> L-NET - The network at the central site
> Net=192.168.20.0/24
>
> FW - Firewall protecting the entire network and
> providing user authentication for Internet access.
> Inside IP=192.168.20.1
> Outside IP=10.0.0.2
>
> L-PIX - Local tunnel endpoint at the central site.
> Connected to both the internal network at
> the central site and the Internet.
> Inside IP=192.168.20.2
> Outside IP=10.0.0.3
>
> B-GW - Border gateway of central site.
> IP=10.0.0.1
>
> INET - Internet
>
> R-PIX - PIX as border router of remote network.
> Inside IP=192.168.21.1
> Outside IP=10.10.0.2
>
> R-Net - Remote network.
> Net=192.168.21.0/24
>
> Now, what I want to do is first set up a tunnel between the two networks
> (L-NET and R-NET). Computers on L-NET have a default gateway of
> 192.168.20.1, accessing the Internet through FW. FW provides access control
> for these users. FW also has a static route to route traffic to R-NET
> through the L-PIX.
>
> Computers on R-NET have the PIX inside IP (192.168.21.1) as the default
> gateway. All their traffic (including the traffic that should end up on
> the Internet) should be transmitted through the tunnel. For the client
> traffic exiting the tunnel on L-NET, there needs to be a default gateway
> set to 192.168.20.1, so that their Internet traffic also exits through
> FW, and FW can provide access control for these users.
>
> It is absolutely vital that the traffic does not exit directly to the
> Internet at either PIX. All client traffic bound for the Internet *must*
> be routed through the firewall at the central site (FW).
>
> I've managed to set up a Site-to-Site VPN between the two PIXes,
> establishing network connectivity between the two networks, but I have
> found no solution to applying a default gateway for the traffic going
> from the remote network to Internet. The traffic needs to be
> source-routed in some way, or the clients on the remote network will not
> be able to access the Internet (or any of the other routed networks I've
> got set up here) at all.
>
> Is this at all possible to do with two PIXes? As far as I can tell, the
> remote PIX is doing what it should; forwarding *all* traffic through the
> tunnel. But the local PIX doesn't know what to do with the packets to
> the Internet, so it just drops them.
>
> If this is not possible with the PIXes, could anyone recommend a
> solution? I've done experiments with a Linux box with FreeS/WAN and got
> that to work (using source routing), but I'd like to use a peripheral
> for this job.
>
> // J
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 02 2003