RE: Cisco Pix 515E Configuration

["Joe Mazzotti" <jmazzotti () mercyhousing org>]

> > 1.  The "problem" in which the PIX OS 6.x can not forward a packet
back
> > out the same interface that it received, known as hairpinning, is
> > correct, but may not be an issue soon, assuming that it is your
problem.
> > This likely will not be an issue in PIX OS 7.0, from what I have
heard.

The hairpinning problem is a known issue, but I was under the impression
that it was by design because it is a firewall.  I hadn't heard that 7.0
may fix this issue.  Will this be a fix for VPN traffic only?  If it was
general hairpinning fix, then wouldn't the PIX just be a router with an
advanced firewall set?  I'm just curious.

> > Also keep in mind that a Cisco VPN router, in addition to the VPN
> > Concentrator, would also get around this problem, and has advantages
> > such as supporting QoS for VoIP which the Concentrator may not offer.

True.  And to go a step further, if the switch that the PIX drops into
is a layer 3 switch, then you need not get any more hardware.  Just let
it do the routing for you. One thing worth mentioning though, is that a
VPN in general does not support QoS.  VPN's may carry QoS tagged
packets, but you're passing encrypted packets along an arbitrary source
network (i.e. the Internet).  So you can support QoS at either end of
the connection, but not for the VPN connection itself.  This COULD
effect the voice quality with not many avenues to correct it.




On Sat, 2004-12-11 at 16:29 -0500, Sanford Reed wrote:
> I have done both.
>
> I have installed several 515E and the 506/506E PIXs. In all installs I
have
> used the same interface to connect direct to the Internet. It I called
> 'split tunneling' in the PIX setup. Having to use a Proxy to get 'back
out'
> that your configuration is not setup for split tunneling so the
outbound
> ACL's don't include the VPN Client subnet as an allowed.
>
> As for the IP Phones, as I stated before I had this working using an
Avaya
> Switch. It uses 2 interfaces on the switch to establish the call but
if the
> IP extensions are on the same switch it then drops the "Control'
channel and
> continues the call via only the Voice channel. It still controls the
call
> thru the switch so the path is really IP Phone #1 -> VPN Client -> PIX
->
> Switch -> PIX -> VPN client -> IP Phone.  If I remember the Nortel
setup
> correctly, it works the same. I did have a lot of problems with the IP
> Phones software getting it to recognize the VPN Client as the correct
> interface to use because the PC running the client maintains its
'real' IP
> address for the network. It was finally solved by Avaya issuing new
software
> that had and 'override' setting that the user had to set each VPN
Session to
> match the assigned VPN address received. Once this occurred it took
some
> tweaking of the protocols that the Switch used to establish the VOIP
Session
> and everything works great. 
>
> Sanford Reed 
> (V) 7575.406.7067
>
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eric
Gunnett
> Sent: Tuesday, December 07, 2004 4:36 PM
> To: firewall-wizards () honor icsalabs com;
bruce_the_loon () worldonline co za
> Subject: RE: [fw-wiz] Cisco Pix 515E Configuration
>
>       That is the exact problem we are having. As I have found out.
Our
> phone switch is a Nortel and I have the admin of it looking in it.
Otherwise
> it looks like we will have to scrap the idea and move to a VPN
connectrator
> or reconfigure a section of our network in order to get the phone
switch and
> vpn working in conjunction.
>
>
>
> Eric Gunnett
> System Administrator
> Zoovy, Inc.
> eric () zoovy com
>
>
> > > > "Bruce Smith" <bruce_the_loon () worldonline co za> 12/07/04 01:15PM
> Hi Eric
>
> As far as I am aware, the PIX will not route out via the same
interface the
> packet came in on. For example if I connect to our VPN from the
Internet, I
> cannot get direct access to the Internet unless I use the proxy server
> inside the network. If I am wrong on this, can someone tell me what
I've
> misconfigured.
>
> So the ability for the two VPN clients to connect via the IP phone
switch
> depends on how the system works. If all traffic is routed explicitly
to the
> phone switch and out, you shouldn't have a problem if all ACLs are set
up
> correctly to allow the IP phone traffic. If the system only uses the
switch
> to setup the call and then the two hosts begin talking directly to
each
> other, as Skype does and a couple of IP phone systems I've seen, then
I
> guess you're buggered. But before you give up if the ip phones talk
> directly, check whether the software can be configured to route all
traffic
> via the phone switch.
>
> Regards
>
> Bruce Smith
> Firewall Administrator
> Port Elizabeth Technikon
>
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eric
Gunnett
> Sent: 03 December 2004 11:33 PM
> To: firewall-wizards () honor icsalabs com 
> Subject: [fw-wiz] Cisco Pix 515E Configuration
>
>
>       I am hoping someone can help me with this problem. I have a
Cisco
> 515E with 6.3 on it. I have configured to pix for vpn connections with
> authenticaiton through a radius. My connections from Client -> Pix ->
> Internal Network, work great. But we are using a phone switch that is
trying
> to pass of the ip phone connection between two clients that are
connected
> through the pix, such as VPN Client 1 -> Pix -> VPN Client 2, is this
> possible. I have attached my config below.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards