Firewall Wizards: Re: Followup: An interesting VPN problem

From: Luke Butcher <luke.butcher_at_alphawest.com.au>
Date: Wed, 03 Sep 2003 08:36:42 +1000

On Tue, 2003-09-02 at 01:51, Jonas Anden wrote:

> One comment though: I'm also using dhcp relaying for the IP address
> assignments. Strange enough; the relayed DHCP does *not* go through the
> tunnel (bypassing routing rules). So I had to set up a two-step
> relaying; the remote pix relays to the external IP of the local pix,
> which has relays into the local dhcp server.

For what it's worth, I have seen problems doing DHCP relay over a VPN
tunnel.
After much discussion with Cisco the solution was to upgrade to the
bleeding edge at the time (12.2.16). That however was on an 803 using
IOS. There may be similar problems on the PIXes.

Also the setup was slightly different to yours in that, at the remote
end, net traffic was going straight out; the VPN was only for private
address space. Basically the VPN crypto match was occurring before the
DHCP broadcast request was converted to a directed broadcast. Hence it
was being pushed out to the net and never getting a reply.

Maybe some food for thought.

Luke Butcher
Network/Security Consultant

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 02 2003
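The failure mode Luke describes is hard to spot from the router alone: the relayed DHCP request is forwarded, it just leaves the outside interface in the clear instead of inside ESP. The quickest confirmation is to capture on the outside interface and look for DHCP (UDP/67) that is not wrapped in ESP (IP protocol 50). The script below is an added example written for this page, not code from the thread or from Cisco: it parses raw IPv4 frames (constructed inline, with RFC 1918 and RFC 5737 documentation addresses standing in for the real ones) and reports every DHCP packet that appears outside the tunnel. The `10.1.0.1` relay address and `10.0.0.10` DHCP server are assumptions for the sample only.

```python
"""Flag relayed DHCP traffic that leaves a VPN router's outside interface unencrypted.

Added illustration for the firewall-wizards thread above; the frames are
constructed here so the check runs offline. Addresses are hypothetical.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
DHCP_SERVER_PORT = 67
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def ipv4_packet(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (no options, checksum left zero) for the samples."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def udp_packet(src, dst, sport, dport, data=b""):
    """IPv4 + UDP packet; the UDP checksum is left zero (optional in IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_packet(src, dst, IPPROTO_UDP, udp)


def parse_ipv4(frame):
    """Return {proto, src, dst, payload} for an IPv4 frame, or None if it is not one."""
    if len(frame) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, frame[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return None
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": frame[ihl:total_len],
    }


def cleartext_dhcp(frames):
    """(src, dst) of every frame carrying DHCP (UDP port 67) outside ESP.

    ESP frames are skipped entirely: whatever they carry is inside the tunnel,
    which is where relayed DHCP should be. Anything matching here is the
    symptom from the thread: the relay (or the raw broadcast) went out in the
    clear and will never get an answer back through the VPN.
    """
    hits = []
    for frame in frames:
        pkt = parse_ipv4(frame)
        if pkt is None or pkt["proto"] != IPPROTO_UDP or len(pkt["payload"]) < 8:
            continue
        sport, dport = struct.unpack("!HH", pkt["payload"][:4])
        if DHCP_SERVER_PORT in (sport, dport):
            hits.append((pkt["src"], pkt["dst"]))
    return hits


# Constructed sample capture from the outside interface (hypothetical addresses).
SAMPLE_FRAMES = [
    # Normal tunnel traffic: ESP between the two VPN peers, not inspected.
    ipv4_packet("198.51.100.2", "203.0.113.1", IPPROTO_ESP, b"\x00" * 32),
    # Relayed DISCOVER: giaddr 10.1.0.1 -> DHCP server, unicast but NOT in ESP.
    udp_packet("10.1.0.1", "10.0.0.10", 67, 67, b"\x01\x01\x06\x00"),
    # Raw client broadcast that escaped before the helper rewrote it.
    udp_packet("0.0.0.0", "255.255.255.255", 68, 67, b"\x01\x01\x06\x00"),
    # Plain DNS from the router itself: expected in the clear, not DHCP.
    udp_packet("198.51.100.2", "198.51.100.1", 1025, 53, b"\x12\x34"),
]

if __name__ == "__main__":
    for src, dst in cleartext_dhcp(SAMPLE_FRAMES):
        print(f"cleartext DHCP on outside interface: {src} -> {dst}")
```

On a live router the same frames would come from a capture on the outside interface filtered for DHCP, for example `tcpdump -ni <outside> 'udp port 67 or udp port 68'`; if that filter shows anything while the tunnel is up, the relay is bypassing the crypto map exactly as described in the message.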