[vpn] Cisco VPN 3.x client

dgillett at deepforest.org dgillett at deepforest.org
Mon Dec 10 16:23:42 EST 2001


  Is the PIX also doing NAT?

  My guess would be that client packets for the outside, emerging 
from the tunnel at the PIX, are getting sent to (router) with their 
origin addresses still in the client 192.168.2.0/24 space, and so 
nobody out on the internet can route replies back to them (if they 
accept the traffic at all).

  Ideally, you want to force client-riginated traffic to use the 
firewall as its gateway if it's headed back out to the Internet, but 
I remember having a similar issue with a Cisco (Altiga) 30xx box 
after a software upgrade, and having a great deal of difficulty 
convincing a Cisco TAC engineer that dumping client packets back out 
the untrusted interface was inappropriate behaviour.  (In my case, 
the problem only showed up when the destination appeared to be local 
to the untrusted interface, but (a) the Cisco theory seemed to be 
that the box was a router first and a security device second, and (b) 
it wasn't a PIX.

DG


On 7 Dec 2001, at 18:24, Chuck Renner wrote:

> Ok...let me clarify my earlier question.
> 
> I've got a situation like this:
> 
>                  Internet
>                     |
>                     |
>        	     (router)
>                  |     |
>                 /       >                /         >       (firewall          (Cisco PIX)
>          NAT               |
>        default GW)         |
>                \          /
>                 \        /
>                 internal network
> 
> 
> The internal network is 192.168.1.0/24.  The VPN clients are 192.168.2.0/24.
> A routing entry in the NAT firewall redirects all traffic for 192.168.2.0/24
> to the PIX.  At this time, no other traffic passes through the PIX; it's
> only doing VPN duties, so all encrypted traffic bypasses conduit rules.
> 
> I've tried adding a default route on the PIX's internal interface to point
> to my internal network's gateway, and I've added an ipchains rule on that
> system to forward the traffic.
> 
> I've done some packet sniffing now with the client doing a tracert to
> www.yahoo.com, and can report the following:
> 
> * The client is encrypting each packet of the traceroute and sending it to
> the PIX.
> 
> * On the internal network, the most I see from the client is a DNS query for
> www.yahoo.com.  
> 
> 
> So something in the PIX configuration has to be the culprit.  Any ideas?
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: Chuck Renner [mailto:crenner at dynalivery.com]
> > Sent: Thursday, December 06, 2001 5:01 PM
> > To: 'vpn at securityfocus.com'
> > Subject: [vpn] Cisco VPN 3.x client
> > 
> > 
> > First, a big "thank you" to those on the list that have given 
> > me a hand in
> > the past.  You've helped me over some big hurdles in getting 
> > a VPN working
> > across my PIX.  Hopefully, you'll be able to do the same this time.
> > 
> > Here's what I have:
> > * Cisco VPN 3.x client running on WinNT connecting to a PIX 506
> > 
> > * Everything is working nicely as far as connecting back into 
> > the LAN from a
> > public network (except that pesky browse list...)
> > 
> > *  The only problem is connecting to sites outside of the LAN.  
> > 
> > In other words, I'm connected to my LAN via the VPN, and want 
> > to get to
> > Yahoo's web site.  Without opening up local LAN access in the 
> > Cisco client,
> > I would need packets to go through my LAN's gateway.
> > 
> > Can anyone nudge me in the right direction to get this to work?
> > 
> > Thanks
> > 
> > VPN is sponsored by SecurityFocus.com
> > 
> 
> VPN is sponsored by SecurityFocus.com
> 



VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list