I have a PIX501. I want to force all VPN clients to have all internet access through another router in the same network. Can anyone please teach me whether it is possible? If yes, how do I configure the PIX to do that?
No, you can't do that with a PIX 501, not unless the source IP ranges for the VPN clients do not overlap with any internet destination for any client or any inside host.
I am sorry that I do not understand what you mean. I know the PIX 501 will not allow VPN traffic to go in and out through the same interface. But for my case, I think it is not applicable.
That doesn't look like the time that I posted that article.
You have a routing problem. You want VPN packets addressed to any destination to travel over the VPN, hit the PIX, and be directed from there to an inside router, which will then do whatever is necessary to mediate the internet access. However, when the VPN packet arrives at the PIX, and gets decapsulated, the PIX is going to try to route the decapsulated packet, and as the outside destination could be anywhere on the internet, the route that is going to be used is likely the default route for the PIX, which would point directly out the outside interface. The PIX 501 would drop such packets, though, which is just as well because you wouldn't want the packets to go directly outside at that first PIX (you want them to go to the inside router.)
In order to do what you want, you would have to run the VPN directly to the inside router, with the packets decapsulated there. The packets that passed through the PIX 501 would have a single destination (the IP address of the inner router) because they would still be encapsulated, and the route for that inside router IP would go to the inside interface, which would be fine.
You may wish to consider requiring your users to use an internet proxy that was on your inside interface. The packets would be addressed to the proxy server, which would perform the transaction on the requester's behalf.
I have a little idea on what you mean. Please take a look at my current PIX config below. I have tested that all vpn clients can come in and have access to the internal network.
To run the VPN directly to the inside router, can you please tell me how to change or add into my current PIX config?
I have also thought about setting up an internal proxy server. If using a proxy server instead, do I need any modification to my current PIX config?
Virtually nothing. The endpoint of the VPN tunnel has to be moved from the PIX to the router, which requires that it has VPN capabilities. Depending on your network, the tunnel will then pass through the PIX to the router or directly from the Internet to it. In the first case, you'll probably have to insert a "static" command to translate the virtual outside address of the router into the internal one.
No - you'd have to change the setup of the VPN clients. The question is: what protocols are the clients supposed to use? If it's only HTTP[S], a web proxy would be an easy solution. If they also use a number of other protocols (ssh, NNTP or whatever), something like a SOCKS host may help.
Moving the endpoint from PIX to router... Do you mean like the below:
Now: vpn client-->internet-->PIX501-->local lan-->ROUTER-->internet
Change to: vpn client-->internet-->VPN ROUTER-->local lan-->PIX501--
That means I need to buy another VPN router. Can all VPN routers do this job? If yes, then maybe I can go get a cheap one.
About the other way, setting up a proxy server inside the local LAN, I have set up a PC with proxy server software installed in the local LAN. But it seems that VPN clients cannot access the internet through the proxy server. The VPN clients have already enabled the proxy server in Internet Explorer. Is there anything wrong with my PIX config?
No, you could keep the upper topology with one difference: currently, the VPN tunnel terminates at the PIX and from there on, it's pure IP through the LAN. What you need is an IPsec tunnel through the PIX right to the router (if it's a VPN router), connecting to a different IP address from the client. Or you could access the router directly from the Internet, bypassing the PIX. But this depends on your network topology, which I don't know.
If your current router is not a VPN router then buying a new one would result in the same situation as the current one with the PIX. The point is that you have to terminate the VPN tunnel at the same box you want the Internet traffic to go outside. If this box is a router (not a PIX 501, which is limited to v6), there won't be a problem with traffic passing in and out on the same interface.
The PIX should be transparent for this, as soon as the ACLs and NAT settings are ok. Can you reach the proxy from the VPN clients? Can you reach the Internet from the proxy? To fulfill your needs, this proxy server has to have its default route set to ROUTER from above and a backwards route to the VPN clients through the PIX.
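As an added illustration, not posted by anyone in this thread, here is what the pass-through setup described in the two replies above could look like on a PIX 6.x: the client connects to a spare public address that the PIX maps 1:1 to the VPN router on the inside LAN, and the PIX only ever forwards encapsulated packets addressed to that router, so its own default route never comes into play. The public address 203.0.113.10, the inside LAN 192.168.1.0/24, the router address 192.168.1.2 and the access-list name outside_in are constructed placeholders, not values from the thread.

```cisco
! Added example (not from the thread): PIX 6.x configuration that lets an
! IPsec tunnel from a remote client pass through the PIX to a VPN router
! on the inside LAN, instead of terminating on the PIX itself.
!
! Assumed (constructed) addresses:
!   inside LAN ............ 192.168.1.0/24
!   VPN router, inside .... 192.168.1.2
!   spare public address .. 203.0.113.10  (what the VPN client dials)

! 1. The "static" command: map the spare public address on the outside
!    interface to the router's inside address (1:1 NAT, no port translation).
static (inside,outside) 203.0.113.10 192.168.1.2 netmask 255.255.255.255 0 0

! 2. Permit only the IPsec protocols inbound to that address:
!    IKE (UDP/500), NAT-Traversal (UDP/4500) and ESP (IP protocol 50).
!    Everything else from the Internet to the router stays blocked.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

! 3. The crypto map / vpngroup that currently terminates the clients on the
!    PIX must be removed so the tunnel no longer ends here; their names are
!    not given in the thread, so they are not shown.
```

Once this is in place the client's tunnel ends on the router, which decapsulates the traffic and forwards it out of its own Internet link, so the in-and-out-the-same-interface limitation of the PIX 501 no longer applies. The router's own IPsec and NAT configuration, and the VPN client profile pointing at 203.0.113.10, are outside what the thread covers and are not shown.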
If I buy another VPN router (replacing the existing router), I need to build a VPN tunnel between the PIX and the new VPN router. And at the VPN router, I just let all traffic from the LAN interface be routed to the outside interface. Is that correct, like below?
vpn client-->internet (vpn tunnel)-->PIX501-->local lan (vpn tunnel)--
I have set up a PC in the local LAN with FreeProxy installed and running. I have also confirmed that other local PCs can access websites through that proxy PC. VPN clients can ping that PC successfully and can use VNC to remote control that PC also. But VPN clients still cannot access websites in IE. That's strange... Any reasons?
No. The VPN tunnel must have its two ends at the client and on the router. Whether this path goes through the PIX or some other way depends on your network topology.
Do the PIX and the router have separate paths to the Internet or is there a common external network?
Maybe the proxy only accepts requests from the internal LAN addresses, not from VPN clients? Check its config.
I have checked on the VPN client. It can telnet to the proxy port of the proxy server PC. I tried installing Mozilla Firefox and it can successfully access websites through the proxy server PC. I believe there's something wrong with IE7 or IE7 with WinXP. Since some websites only show correctly in IE, viewing with Firefox is causing a little problem. Have you heard of this problem before?
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.