Posted by on May 8, 2007, 2:13 am
I have a PIX501. I want to force all VPN clients to have all internet access through another router in the same network. Can anyone please teach me if it is possible? If yes, how to config the PIX to do that?

Example: vpn client-->internet-->PIX501-->local lan-->ROUTER-->internet

PIX501 ext ip: 10.0.1.20
PIX501 int ip: 192.168.1.1
ROUTER ext ip: 10.0.1.21
ROUTER int ip: 192.168.1.2
Posted by Walter Roberson on May 8, 2007, 9:16 am
>I have a PIX501. I want to force all VPN clients to have all internet
>access through another router in the same network. Can anyone please
>teach me if it is possible? If yes, how to config the PIX to do that?

No, you can't do that with a PIX 501, not unless the source IP ranges for the VPN clients do not overlap with any internet destination for any client or any inside host.
Posted by on May 8, 2007, 10:51 am
On May 8, 9:16 pm, rober...@hushmail.com (Walter Roberson) wrote:
>
> >I have a PIX501. I want to force all VPN clients to have all internet
> >access through another router in the same network. Can anyone please
> >teach me if it is possible? If yes, how to config the PIX to do that?
>
> No, you can't do that with a PIX 501, not unless the source IP
> ranges for the VPN clients do not overlap with any internet
> destination for any client or any inside host.

Dear Roberson,

First, thank you for your answer. I am sorry that I do not understand what you mean. I know the PIX 501 will not allow VPN traffic to go in and out through the same interface. But for my case, I think it is not applicable.
Posted by Walter Roberson on May 9, 2007, 1:00 am
>On May 8, 9:16 pm, rober...@hushmail.com (Walter Roberson) wrote:

That doesn't look like the time that I posted that article.

>> >I have a PIX501. I want to force all VPN clients to have all internet
>> >access through another router in the same network. Can anyone please
>> >teach me if it is possible? If yes, how to config the PIX to do that?
>> No, you can't do that with a PIX 501, not unless the source IP
>> ranges for the VPN clients do not overlap with any internet
>> destination for any client or any inside host.
>I am sorry that I do not understand what you mean. I know the PIX 501 will
>not allow VPN traffic to go in and out through the same interface. But
>for my case, I think it is not applicable.

You have a routing problem. You want VPN packets addressed to any destination to travel over the VPN, hit the PIX, and be directed from there to an inside router, which will then do whatever is necessary to mediate the internet access. However, when the VPN packet arrives at the PIX and gets decapsulated, the PIX is going to try to route the decapsulated packet, and as the outside destination could be anywhere on the internet, the route that is going to be used is likely the default route for the PIX, which would point directly out the outside interface. The PIX 501 would drop such packets, though, which is just as well because you wouldn't want the packets to go directly outside at that first PIX (you want them to go to the inside router).

In order to do what you want, you would have to run the VPN directly to the inside router, with the packets decapsulated there. The packets that passed through the PIX 501 would have a single destination (the IP address of the inner router) because they would still be encapsulated, and the route for that inside router IP would go to the inside interface, which would be fine.

You may wish to consider requiring your users to use an internet proxy that was on your inside interface. The packets would be addressed to the proxy server, which would perform the transaction on the requester's behalf.
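As an added illustration of the route lookup described above (this is a model written for this page, not code from the thread or from the PIX), the following Python reproduces the decision with the addresses from the posted config. The routing table entries, the 203.0.113.5 "internet" destination, and the outer/inner destination fields are constructed assumptions.

```python
"""Model of the PIX 501 forwarding decision for VPN client packets.

Constructed example: the routing table below is reconstructed from the
thread (inside 192.168.1.0/24, outside 10.0.1.16/29, default route via
10.0.1.19 on outside). It is not PIX code; it only shows why a packet
decapsulated on the PIX is routed on its inner destination while a packet
that stays encapsulated is routed on the tunnel endpoint address.
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str


PIX_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "inside"),   # connected
    Route(ipaddress.ip_network("10.0.1.16/29"), "outside"),    # connected
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),       # route outside 0.0.0.0 0.0.0.0 10.0.1.19
]


def lookup(dst: str, routes: List[Route] = PIX_ROUTES) -> str:
    """Longest-prefix match: return the egress interface for dst."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    return best.interface


def forwarding_decision(ingress: str, outer_dst: str, inner_dst: str,
                        tunnel_ends_on_pix: bool) -> str:
    """Classify a VPN packet that arrived on `ingress`.

    If the PIX terminates the tunnel it decapsulates and routes on the
    inner destination; if the inner router terminates it, the PIX routes
    the still-encapsulated packet on the outer destination. PIX 6.3 does
    not send traffic back out the interface it came in on, so a lookup
    that lands on the ingress interface is reported as dropped.
    """
    dst = inner_dst if tunnel_ends_on_pix else outer_dst
    egress = lookup(dst)
    if egress == ingress:
        return "dropped: hairpin on " + ingress
    return "forward to " + egress
```

Run with the tunnel ending on the PIX and an internet inner destination, the lookup hits the default route and the packet is dropped; with the tunnel ending on the inner router at 192.168.1.2, the encapsulated packet is forwarded to inside.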
Posted by on May 9, 2007, 5:22 am
Dear Roberson,

Thank you again. I have a little idea of what you mean. Please take a look at my current PIX config below. I have tested that all VPN clients can come in and have access to the internal network. To run the VPN directly to the inside router, can you please tell me how to change or add to my current PIX config? I have also thought about setting up an internal proxy server. If using a proxy server instead, do I need any modification to my current PIX config?

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.1.20 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.11-192.168.2.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.1.19 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server 20.0.10.1
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8f23df7362f48afbef225f353f52b97d

On May 9, 1:00 pm, rober...@hushmail.com (Walter Roberson) wrote:

Internet access for VPN client