Internet access for VPN client

Hello everybody.

I have a PIX501. I want to force all vpn client to have all internet access through another router in the same network. Can anyone please teach me if it is possible? If yes, how to config PIX to do that?

Example:

vpn client-->internet-->PIX501-->local lan-->ROUTER-->internet

PIX501 ext ip: 10.0.1.20
PIX501 int ip: 192.168.1.1
ROUTER ext ip: 10.0.1.21
ROUTER int ip: 192.168.1.2

Reply to
bbkz

No, you can't do that with a PIX 501, not unless the source IP ranges for the vpn clients do not overlap with any internet destination for any client or any inside host.

Reply to
Walter Roberson

Dear Roberson,

First, thank you for your answer.

I am sorry that I do not understand what you mean. I know PIX 501 will not allow vpn traffic to go in and out through the same interface. But for my case, I think it is not applicable.

Reply to
bbkz

That doesn't look like the time that I posted that article.

You have a routing problem. You want VPN packets addressed to any destination to travel over the VPN, hit the PIX, and be directed from there to an inside router, which will then do whatever is necessary to mediate the internet access. However, when the VPN packet arrives at the PIX, and gets decapsulated, the PIX is going to try to route the decapsulated packet, and as the outside destination could be anywhere on the internet, the route that is going to be used is likely the default route for the PIX, which would point directly out the outside interface. The PIX 501 would drop such packets, though, which is just as well because you wouldn't want the packets to go directly outside at that first PIX (you want them to go to the inside router.)

In order to do what you want, you would have to run the VPN directly to the inside router, with the packets decapsulated there. The packets that passed through the PIX 501 would have a single destination (the IP address of the inner router) because they would still be encapsulated, and the route for that inside router IP would go to the inside interface, which would be fine.

You may wish to consider requiring your users to use an internet proxy that was on your inside interface. The packets would be addressed to the proxy server, which would perform the transaction on the requester's behalf.

Reply to
Walter Roberson

Dear Roberson,

Thank you again.

I have a little idea of what you mean. Please take a look at my current PIX config below. I have tested that all vpn clients can come in and have access to the internal network.

To run the VPN directly to the inside router, can you please tell me how to change or add into my current PIX config?

I have also thought about setting up an internal proxy server. If using a proxy server instead, do I need any modification to my current PIX config?

: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.1.20 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.2.11-192.168.2.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.1.19 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server 20.0.10.1
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8f23df7362f48afbef225f353f52b97d

Reply to
bbkz

Virtually nothing. The endpoint of the VPN tunnel has to be moved from the PIX to the router, which requires that it has VPN capabilities. Depending on your network, the tunnel will then pass through the PIX to the router or directly from the Internet to it. In the first case, you'll probably have to insert a "static" command to translate the virtual outside address of the router into the internal one.

No - you'd have to change the setup of the VPN clients. The question is: what protocols are the clients supposed to use? If it's only HTTP[S], a web proxy would be an easy solution. If they also use a number of other protocols (ssh, NNTP or whatever), something like a SOCKS host may help.

Regards

fw

Reply to
Frank Winkler

Hello Frank.

Moving endpoint from PIX to router... Do you mean like the below:

Now: vpn client-->internet-->PIX501-->local lan-->ROUTER-->internet
Change to: vpn client-->internet-->VPN ROUTER-->local lan-->PIX501--

That means I need to buy another VPN router. Can all vpn routers do this job? If yes, then maybe I can go get a cheap one.

About the other way, setting up a proxy server inside the local lan, I have set up a pc with proxy server software installed in the local lan. But it seems that vpn clients cannot access the internet through the proxy server. The vpn clients have already enabled the proxy server in Internet Explorer. Is there anything wrong with my PIX config?

Reply to
bbkz

No, you could keep the upper topology with one difference: currently, the VPN tunnel terminates at the PIX and from there on, it's pure IP through the LAN. What you need is an IPsec tunnel through the PIX right to the router (if it's a VPN router), connecting to a different IP address from the client. Or you could access the router directly from the Internet, bypassing the PIX. But this depends on your network topology, which I don't know.

If your current router is not a VPN router then buying a new one would result in the same situation as the current one with the PIX. The point is that you have to terminate the VPN tunnel at the same box you want the Internet traffic to go outside. If this box is a router (not a PIX 501, which is limited to v6), there won't be a problem with traffic passing in and out on the same interface.

The PIX should be transparent for this, as soon as the ACLs and NAT settings are ok. Can you reach the proxy from the VPN clients? Can you reach the Internet from the proxy? To fulfill your needs, this proxy server has to have its default route set to ROUTER from above and a backwards route to the VPN clients through the PIX.

Regards

fw

Reply to
Frank Winkler
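The two routing decisions this thread turns on (Walter's point that the PIX routes a decapsulated VPN-client packet by its own table, where an Internet destination hits the default route out the outside interface and is dropped on a PIX 6.x; and Frank's point that the proxy host needs a default route to ROUTER plus a route back to the VPN pool through the PIX) can be checked with a small longest-prefix-match model. This is an added example, not code from the thread or from Cisco: it parses the "ip address" and "route" lines of bbkz's posted config and builds the proxy host's table by hand. The destination 198.51.100.10, the proxy address 192.168.1.50, the client address 192.168.2.15 and the interface name eth0 are constructed values; the 192.168.2.0/27 pool network is taken from the nat0/crypto ACLs in the config.

```python
# Added example (not from the thread): longest-prefix-match model of the PIX
# routing table from bbkz's config and of the proxy host's table as Frank
# describes it. Addresses marked "constructed" are not from the thread.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # egress interface name
    next_hop: str    # gateway address, or "connected"


# Only the lines of the posted PIX 6.3 config that produce routes.
PIX_CONFIG = """\
ip address outside 10.0.1.20 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.2.11-192.168.2.20
route outside 0.0.0.0 0.0.0.0 10.0.1.19 1
"""


def parse_pix_routes(config: str) -> List[Route]:
    """Connected routes from 'ip address <if> <ip> <mask>' plus static
    routes from 'route <if> <net> <mask> <gateway> [metric]'."""
    routes = []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[0] == "ip" and p[1] == "address":
            net = ipaddress.IPv4Network(f"{p[3]}/{p[4]}", strict=False)
            routes.append(Route(net, p[2], "connected"))
        elif len(p) >= 5 and p[0] == "route":
            net = ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False)
            routes.append(Route(net, p[1], p[4]))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table; None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def pix6_verdict(routes: List[Route], ingress_if: str, dst: str) -> str:
    """After decapsulation the PIX routes the inner packet; a PIX 6.x drops it
    when the chosen egress interface is the interface it arrived on."""
    r = lookup(routes, dst)
    if r is None:
        return "drop: no route"
    if r.interface == ingress_if:
        return f"drop: egress {r.interface} == ingress {ingress_if} (no hairpin on PIX 6.x)"
    return f"forward: {r.interface} via {r.next_hop}"


# Proxy host table as Frank describes it; eth0 is a placeholder interface name.
PROXY_ROUTES = [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "eth0", "connected"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0", "192.168.1.2"),       # default via ROUTER
    Route(ipaddress.IPv4Network("192.168.2.0/27"), "eth0", "192.168.1.1"),  # VPN pool back via PIX
]
# The same host without the backwards route to the VPN pool.
PROXY_ROUTES_NO_BACKROUTE = PROXY_ROUTES[:2]


if __name__ == "__main__":
    pix = parse_pix_routes(PIX_CONFIG)
    # A VPN client packet arrives on "outside"; the proxy and the Internet
    # destination are constructed addresses.
    print("client -> proxy 192.168.1.50:", pix6_verdict(pix, "outside", "192.168.1.50"))
    print("client -> Internet 198.51.100.10:", pix6_verdict(pix, "outside", "198.51.100.10"))
    # On the proxy host: forward path to the Internet, return path to the client.
    print("proxy -> Internet via", lookup(PROXY_ROUTES, "198.51.100.10").next_hop)
    print("proxy -> VPN client 192.168.2.15 via", lookup(PROXY_ROUTES, "192.168.2.15").next_hop)
    print("same reply without the back-route goes via",
          lookup(PROXY_ROUTES_NO_BACKROUTE, "192.168.2.15").next_hop)
```

Run as-is, the model shows why bbkz's clients reach inside hosts (egress "inside") while their Internet-bound packets match the default route back out "outside" and are dropped, and why a proxy host without the 192.168.2.0/27 route would send its replies to the VPN clients toward ROUTER instead of the PIX.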

If I buy another vpn router (replacing the existing router), I need to build a vpn tunnel between the PIX and the new vpn router. And at the vpn router, I just let all traffic from the lan interface be routed to the outside interface. Is that correct, like below?

vpn client-->internet (vpn tunnel)-->PIX501-->local lan (vpn tunnel)--

I have setup a pc in the local lan with FreeProxy installed and running. I have also confirmed that other local pc can access websites through that proxy pc. Vpn clients can ping that pc successfully and can use VNC to remote control that pc also. But vpn clients still cannot access website in IE. That's strange... Any reasons?

Reply to
bbkz

So the existing router doesn't speak IPsec.

No. The VPN tunnel must have its two ends at the client and on the router. Whether this path goes through the PIX or some other way depends on your network topology.

Do the PIX and the router have separate paths to the Internet or is there a common external network?

Maybe the proxy only accepts request from the internal LAN addresses, not from VPN clients? Check its config.

Regards

fw

Reply to
Frank Winkler

The existing router doesn't have a vpn function.

So then I need to make the vpn to the router, not to the PIX. Is that what you mean?

Actually they are connected to the internet provided by the same ISP. Just the global ip addresses are different.

Does that mean the proxy software that I have cannot do the job? Then, can you suggest which proxy software can be used?

Reply to
bbkz

Exactly.

I don't know your software, I just made a guess at what may be the problem. Can the VPN clients telnet to the proxy port on the machine?

Regards

fw

Reply to
Frank Winkler

OK. Does that mean I can set up the new vpn router for the following:

  1. Set up a static route for its lan interface to route 0.0.0.0/0.0.0.0 to the PIX.
  2. Assign a local ip address for the vpn client.

Then internet access for vpn clients will go out through the PIX?

I have checked that local pc can telnet to the proxy port of the proxy pc. I still need to verify that from the vpn client.

Reply to
bbkz

I have checked on the vpn client. It can telnet to the proxy port of the proxy server pc. I tried to install Mozilla Firefox and it can successfully access websites through the proxy server pc. I believe there's something wrong with IE7 or IE7 with WinXP. Since some websites can only show correctly with IE, viewing with Firefox is causing a little problem. Have you heard of this problem before?

Reply to
bbkz

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.