google@spiresfamily.com Guest
Posted: Fri Apr 21, 2006 12:49 am Post subject: PIX 501 <-> Concentrator remote client question
I'm new to the world of PIX. I am learning quickly though, I think.
Anyway, I purchased a 501, and what I would like to do (I believe it is
possible) is the following.

Configure an IPSEC tunnel from my PIX to the office where I work. I do
not have admin rights to the equipment at work, but I believe I have the
buy-in from the network administrator if I can come up with the
configuration.

At the office we have a Cisco VPN Concentrator that all of the existing
VPN tunnels terminate against (software VPN clients, 501 VPN clients,
etc.).

Is it possible to configure my 501 at home so that only 1 IP address
NATed inside my network would traverse the IPSEC tunnel to the office,
and the relevant data would return through the tunnel? I don't have a
problem with other traffic coming through the tunnel to my house, but
the only traffic that "should" be coming through the tunnel should
be reply traffic.
Any other data from my house would not go through the tunnel, but go
out the standard interface.

I know we have another user who has a 501 at his house; however, he is
using the EasyVPN client, which causes all of his traffic to go through
the tunnel. This causes the traffic not bound for the office to
"double-dip" off of the office internet connection, and I don't
want to do that, especially since my wife works from home. I would not
want all of her traffic to traverse the tunnel to my office to get out
to the internet (as I'm sure the network admin).

So the million dollar question is: is this possible, or am I asking for
too much?

In addition to the VPN concentrator at the office we have mostly Cisco
hardware (routers, PIXes, switches, etc.), so if it's not possible to
terminate against the concentrator, could I terminate against another
device?

If it is possible, could I trouble you all for some help putting
together the commands to make it work on the PIX and the concentrator?
From what I've read I believe I could get the PIX commands, but I
don't have any idea about the concentrator.

Cheers,
And thanks for the help,
-Tyler
Merv Guest
google@spiresfamily.com Guest
Posted: Fri Apr 21, 2006 7:36 pm Post subject: Re: PIX 501 <-> Concentrator remote client question
That is a great reference, but if I read it correctly it would tunnel
all of my traffic from home to work and then out to the internet.
Here's the best I can do at ASCII art:

HOME:                                               WORK:
(192.168.1.31) PC1 --\
                      ---- PIX --- ( Internet ) --- WORK CONCENTRATOR
(192.168.1.20) PC2 --/

What I'm looking for is for the PIX to establish a connection to the
Concentrator and then only forward traffic from 192.168.1.31 through
the tunnel, and then only when the traffic is bound for the work IP
range (a class B IP range).
Mark Williams Guest
Posted: Fri Apr 21, 2006 11:45 pm Post subject: Re: PIX 501 <-> Concentrator remote client question
What you are looking for is called a split-tunnel VPN. Only traffic
that needs to be encrypted is encrypted and tunneled into your office.
The policy for an EasyVPN split-tunnel would have to be defined by your
admin at the VPN Concentrator. It could be enabled for all EasyVPN
clients, or your admin could create a new vpngroup just for you.
Using split-tunnel vpns for clients is a security risk however;
probably why your admin has it turned off.
Merv Guest
Tyler Guest
Posted: Sat Apr 22, 2006 6:20 am Post subject: Re: PIX 501 <-> Concentrator remote client question
I already have this successfully working.
The main reason for this request is that
1) I work from home occasionally
2) My work VPN client does not allow local traffic (i.e. I would like
to be able to use local network printers & local file servers on this
side of the tunnel).
3) I just wanted to tinker with the pix and learn a little along the
way.
4) To access work email I either have to sign on to the web client (not
that big of a deal) or sign on to the VPN to use the client on my
laptop, thus forfeiting my local network access.
So the request is out of academic curiosity and convenience.
So if I understand correctly, I'll need to convince the Network Admin
to change the security policy for the vpngroup to be able to have local
access to my network while attached to the VPN?
Guest
Posted: Sat Apr 22, 2006 9:16 pm Post subject: Re: PIX 501 <-> Concentrator remote client question
The default when you create a group on the Concentrator is that all
remote traffic will go over the tunnel.
This can be modified, though, so that only traffic to(/from?) a
specific set of networks will be encrypted, while the rest will exit
the remote client unencrypted (thus accessing the Internet locally). As
was said previously in the thread, this is called split tunneling. And
it has nothing to do with the EasyVPN feature: EasyVPN *can* be used
with split tunneling.
And yes, this modification needs to be done on the Concentrator.
HTH,
James
Martin Bilgrav Guest
Posted: Mon Apr 24, 2006 12:50 am Post subject: Re: PIX 501 <-> Concentrator remote client question
"Mark Williams" <webmaster@sdps-idpa.org> wrote in message
news:1145648744.048779.13070@i39g2000cwa.googlegroups.com...
> What you are looking for is called a split-tunnel VPN. Only traffic
> that needs to be encrypted is encrypted and tunneled into your office.
> The policy for an EasyVPN split-tunnel would have to be defined by your
> admin at the VPN Concentrator. It could be enabled for all EasyVPN
> clients, or your admin could create a new vpngroup just for you.
> Using split-tunnel vpns for clients is a security risk however;
> probably why your admin has it turned off.

You guys are a bit off track ...
What you need to do is not split tunnel!
What you need to do is allow the single IP your workstation has through the
LAN-to-LAN tunnel to the headend.
This you do via the match address statement in the crypto map.
And you need to have the same configured in the VPN3000 at the headend,
otherwise it will drop.
The config on your end and at the headend MUST be 100% reversed.
So if you can get your network admin to set up a LAN-to-LAN tunnel on the
VPN3000 - no problems!
HTH
Martin Bilgrav
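The crypto-map approach Martin describes, as an added PIX 6.x configuration sketch for the home side (constructed here, not posted by anyone in the thread; the concentrator address 203.0.113.1, the office range 172.16.0.0/16, the ACL and map names, and the pre-shared key are placeholders):

```cisco
: Home PIX 501, PIX 6.x syntax. Constructed example; placeholders:
: 203.0.113.1  = concentrator public address
: 172.16.0.0/16 = office class B range
: 192.168.1.31 = the one workstation allowed through the tunnel
:
: Crypto ACL ("interesting traffic"): only PC1 -> office range is
: encrypted. Everything else, from every host, leaves the outside
: interface as ordinary NATed Internet traffic and never enters the tunnel.
access-list l2l-office permit ip host 192.168.1.31 172.16.0.0 255.255.0.0
: Exempt exactly that traffic from PAT so it enters the tunnel with its
: real 192.168.1.31 address (the address the headend policy expects).
nat (inside) 0 access-list l2l-office
: Normal PAT for all traffic that does not match the crypto ACL.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: Phase 1 (IKE): pre-shared key bound to the concentrator address only.
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Phase 2 (IPsec): the map entry is tied to the crypto ACL above, which
: is the "match address statement" Martin refers to.
crypto ipsec transform-set office-ts esp-aes-256 esp-sha-hmac
crypto map office-map 10 ipsec-isakmp
crypto map office-map 10 match address l2l-office
crypto map office-map 10 set peer 203.0.113.1
crypto map office-map 10 set transform-set office-ts
crypto map office-map interface outside
: Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
: Headend side (the "100% reversed" point): the VPN3000 LAN-to-LAN entry
: must list local network 172.16.0.0/16 and remote network 192.168.1.31/32.
: Any other proxy identity (e.g. remote 192.168.1.0/24) makes the
: phase 2 proposal mismatch and the tunnel is dropped.
```

Because the crypto ACL names a single host, the headend can only ever reach 192.168.1.31 back through the tunnel, which is the narrowest policy the original question asked for.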
Robert Bonomi Guest
Posted: Mon Apr 24, 2006 12:53 am Post subject: Re: PIX 501 <-> Concentrator remote client question
In article <1145566150.759574.104300@e56g2000cwe.googlegroups.com>,
google@spiresfamily.com <google@spiresfamily.com> wrote:
> I'm new to the world of PIX. I am learning quickly though, I think.
> Anyway I purchased a 501 and what I would like to do; I believe it is
> possible is the following.
> Configure an IPSEC tunnel from my PIX to the office where I work. I do
> not have admin rights to the equipment at work but I believe I have the
> buy-in from the network administrator if I can come up with the
> configuration.
> At the office we have a Cisco VPN Concentrator that all of the existing
> vpn tunnels terminate against (software vpn clients, 501 vpnclients,
> etc).
> Is it possible to configure up my 501 at home so that only 1 IP address
> NATed inside my network would traverse the IPSEC tunnel to the office,
> and the relevant data to return through the tunnel. I don't have a
> problem with other traffic coming through the tunnel to my house; but
> the only traffic that "should" be coming through the tunnel should
> be reply traffic.
> Any other data from my house would not go through the tunnel, but go
> out the standard interface.
> I know we have another user who has a 501 at his house; however he is
> using the easyvpn client which causes all of his traffic to go through
> the tunnel, this causes the traffic not bound for the office to
> "double-dip" off of the office internet connection and I don't
> want to do that, especially since my wife works from home. I would not
> want all of her traffic to traverse the tunnel to my office to get out
> to the internet (as I'm sure the network admin).
> So the million dollar question is, is this possible, or am I asking for
> too much.

Yes, it -is- possible.
It just takes a little 'routing smarts' on the home network,
_and_ a path to the public Internet that bypasses the PIX.
e.g.:

pc1 -----+        +----dumb router ---- Internet
         |        |         |
        hub ------+         |
         |        |         |
pc2 -----+        +--pix----+

Now, on the PCs, you
a) set a default route to the hub-facing side of the 'dumb router'.
b) set a static route for the office network to the hub-facing side
of the PIX.

It's actually a little easier with a 4-port router; then you:

pc1 -----+        +----dumb router---- Internet
         |        |       |      |
        hub ------+       |      |
         |                |      |
pc2 -----+                +-pix--+

and the PCs need only the 'standard' default route to the router,
while the router has:
route to local network on PORT A
route to 'inside' of PIX on port B
route to 'outside' of PIX on port C
default route on PORT D

If you don't have multiple static IP addresses available, then the
dumb router needs to be able to do NAT -- in/out on port D, with
_static_ bi-directional NAT for the ports the PIX uses.
It's even possible to set this mess up where the PIX is 'managed'
exclusively from the corporate head-end -- accessible only via the
VPN tunnel, and not from the local LAN, nor the public Internet.