<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: VPN through Router in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740588#M1021249</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Ed&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The first thing that you asked is how to trace traffic:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-&amp;gt; Check your PIX syslog messages and see if client traffic is passing through your router and hitting the PIX interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-&amp;gt; You can check the NetFlow traffic on the router by enabling "ip route-cache flow", and you can check the current traffic with "show ip cache flow". If you want to get the NetFlow data collected offline, you need to have some NetFlow analyser tool.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Then you can troubleshoot where the traffic is getting blocked and why; it could be any access-list that you have applied on the router, etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The second thing that you asked is: is it safe to give a public IP to the PIX outside interface?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes, you can do this setup without any problem, but you need to be clear about what traffic you are going to permit through the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As Fernando said, if it's a client-to-site VPN setup you may need to enable NAT Traversal, as VPN and NAT by their basic nature don't gel, just like water and oil 🙂&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The best bet will be to give your PIX a public IP, define your security policies clearly, and filter most of the traffic on the router only, like private IPs from the internet etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH, please rate if it does&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;rgds&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 26 Jul 2007 04:15:01 GMT</pubDate>
    <dc:creator>rajatsetia</dc:creator>
    <dc:date>2007-07-26T04:15:01Z</dc:date>
    <item>
      <title>VPN through Router</title>
      <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740585#M1021246</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was wondering if there is anything I need to do to a router which is in front of my PIX515E.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The setup I have is a PIX515E with a 3660 router in front of it before the internet. On this router are the public IP addresses, which are then NATed to IPs on the PIX. So for instance my PIX has 10.10.10.1 as its IP on the outside interface card, and on the 3660 there will be a static entry to map this to its public IP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there anything special or extra I need to do on the router to get the traffic through, as my client is not connecting? Is there any test I can do to see how far it's getting?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Ed&lt;/P&gt;</description>
      <pubDate>Tue, 26 Mar 2019 00:38:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740585#M1021246</guid>
      <dc:creator>edw</dc:creator>
      <dc:date>2019-03-26T00:38:12Z</dc:date>
    </item>
    <item>
      <title>Re: VPN through Router</title>
      <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740586#M1021247</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi, are you trying to connect to the PIX using the Cisco VPN client? If that is the case then you might need to apply an access list to the internal and external interfaces of the router, i.e.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.&lt;/P&gt;&lt;P&gt;access-list 100 permit udp any host &amp;lt;PUBLIC IP&amp;gt; eq 500&lt;/P&gt;&lt;P&gt;access-list 100 permit udp any host &amp;lt;PUBLIC IP&amp;gt; eq 4500&lt;/P&gt;&lt;P&gt;access-list 100 permit esp any host &amp;lt;PUBLIC IP&amp;gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Add any other access for traffic initiated from the internet and then apply this access list to the outside interface of the router.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2.&lt;/P&gt;&lt;P&gt;access-list 110 permit udp host 10.10.10.1 any eq 500&lt;/P&gt;&lt;P&gt;access-list 110 permit udp host 10.10.10.1 any eq 4500&lt;/P&gt;&lt;P&gt;access-list 110 permit esp host 10.10.10.1 any&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Add any other outbound access you want to allow and then apply the access list to the internal interface of the router.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You might also need to enable NAT traversal on the PIX by adding "isakmp nat-traversal 20" on the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope it helps. Please rate it if it does!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 23 Jul 2007 23:52:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740586#M1021247</guid>
      <dc:creator>Fernando_Meza</dc:creator>
      <dc:date>2007-07-23T23:52:54Z</dc:date>
    </item>
    <item>
      <title>Re: VPN through Router</title>
      <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740587#M1021248</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The router has a very vanilla setup - traffic of all types flows through it without problem? Unless the router blocks certain ports by default?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It seems to be because I'm trying to NAT to a logical interface on the PIX. I was trying to separate traffic using virtual interfaces and VLANs. I'm not sure how secure it is giving a PIX an internet IP? Can't people hack these boxes easily when they are configured like that?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Ed&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 24 Jul 2007 09:54:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740587#M1021248</guid>
      <dc:creator>edw</dc:creator>
      <dc:date>2007-07-24T09:54:37Z</dc:date>
    </item>
    <item>
      <title>Re: VPN through Router</title>
      <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740588#M1021249</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Ed&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The first thing that you asked is how to trace traffic:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-&amp;gt; Check your PIX syslog messages and see if client traffic is passing through your router and hitting the PIX interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-&amp;gt; You can check the NetFlow traffic on the router by enabling "ip route-cache flow", and you can check the current traffic with "show ip cache flow". If you want to get the NetFlow data collected offline, you need to have some NetFlow analyser tool.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Then you can troubleshoot where the traffic is getting blocked and why; it could be any access-list that you have applied on the router, etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The second thing that you asked is: is it safe to give a public IP to the PIX outside interface?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes, you can do this setup without any problem, but you need to be clear about what traffic you are going to permit through the PIX.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As Fernando said, if it's a client-to-site VPN setup you may need to enable NAT Traversal, as VPN and NAT by their basic nature don't gel, just like water and oil 🙂&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The best bet will be to give your PIX a public IP, define your security policies clearly, and filter most of the traffic on the router only, like private IPs from the internet etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH, please rate if it does&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;rgds&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Jul 2007 04:15:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740588#M1021249</guid>
      <dc:creator>rajatsetia</dc:creator>
      <dc:date>2007-07-26T04:15:01Z</dc:date>
    </item>
    <item>
      <title>Re: VPN through Router</title>
      <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740589#M1021250</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I managed to get it working. In the end I gave the public IP to the physical interface. I was wondering if it's slightly safer giving it to the logical interface? But I wasn't able to get this to work.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My access lists are pretty clear now. I'm pretty anal on these things - but the access lists on the router are very vanilla. You say filter private IPs from the internet on the router? What do you mean by this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, on the PIX how do I limit traffic to each group? I use the crypto isakmp match address command, but then traffic drops completely and I get "group does not match SA" errors.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Ed&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Jul 2007 09:52:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740589#M1021250</guid>
      <dc:creator>edw</dc:creator>
      <dc:date>2007-07-26T09:52:48Z</dc:date>
    </item>
    <item>
      <title>Re: VPN through Router</title>
      <link>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740590#M1021251</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was talking about various security controls which you can apply on the internet-facing router itself. For example, private IPs are not supposed to be present on the internet cloud, so filter them out on the router itself, i.e. block all the traffic hitting your internet router with private IPs as source.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Similarly, you don't expect the public IPs allocated to your organisation to come as source in any internet traffic incoming to your router; these public IPs will always remain as destination only, so block them as source IPs at the router (anti-spoofing technique).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can dig more about these controls; search for the keywords "security best practices" at Cisco.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;rgds&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Jul 2007 11:57:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/vpn-through-router/m-p/740590#M1021251</guid>
      <dc:creator>rajatsetia</dc:creator>
      <dc:date>2007-07-26T11:57:56Z</dc:date>
    </item>
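Added example (not code from the thread or from any poster): a Python model of the 3660's outside-interface access list that combines Fernando_Meza's IPsec permits (UDP/500 IKE, UDP/4500 NAT-Traversal, ESP to the PIX's public address) with the anti-spoofing denies rajatsetia describes (no RFC 1918 sources, none of the organisation's own public block as a source). It renders the policy as IOS access-list lines and runs constructed sample packets through it in IOS order. The addresses are assumed documentation ranges, not the poster's: 203.0.113.10 for the PIX's public NAT address, 203.0.113.0/24 for the organisation's block, 198.51.100.7 for a VPN client behind NAT.

```python
"""Added example: model of the internet router's ingress ACL as discussed in
the thread. Addresses are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumed addressing: the public address the router NATs to the PIX outside
# interface, and the organisation's whole public block.
PIX_PUBLIC = ipaddress.ip_network("203.0.113.10/32")
OUR_PUBLIC_PREFIX = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "udp", "tcp" or "esp"
    dport: Optional[int] = None   # ESP carries no ports
    sport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "udp", "tcp" or "esp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # destination port, as in "host X eq 500"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        # Only the destination port is checked: a client behind NAT may arrive
        # from any source port, which is why "eq 500" follows the destination.
        return self.dport is None or self.dport == pkt.dport


def build_ingress_acl() -> list:
    """Outside-interface ACL in IOS order: anti-spoofing denies, then IPsec
    permits; the implicit deny at the end is handled by evaluate()."""
    rules = [Rule("deny", "ip", p, ANY) for p in RFC1918]
    rules.append(Rule("deny", "ip", OUR_PUBLIC_PREFIX, ANY))  # never a source
    rules.append(Rule("permit", "udp", ANY, PIX_PUBLIC, 500))   # IKE / ISAKMP
    rules.append(Rule("permit", "udp", ANY, PIX_PUBLIC, 4500))  # IKE NAT-T
    rules.append(Rule("permit", "esp", ANY, PIX_PUBLIC))        # IPsec ESP
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; every IOS ACL ends in an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def _ios_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # IOS wildcard mask


def render_ios(rules, number: int = 100) -> list:
    """The same policy as numbered IOS access-list lines."""
    lines = []
    for r in rules:
        line = (f"access-list {number} {r.action} {r.proto} "
                f"{_ios_addr(r.src)} {_ios_addr(r.dst)}")
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


# Constructed sample traffic as seen on the router's outside interface.
SAMPLE_PACKETS = {
    "ike_from_nated_client":   Packet("198.51.100.7", "203.0.113.10", "udp", dport=500, sport=13579),
    "nat_t_from_nated_client": Packet("198.51.100.7", "203.0.113.10", "udp", dport=4500, sport=4500),
    "esp_from_client":         Packet("198.51.100.7", "203.0.113.10", "esp"),
    "spoofed_private_source":  Packet("10.10.10.1", "203.0.113.10", "udp", dport=500),
    "spoofed_own_prefix":      Packet("203.0.113.99", "203.0.113.10", "udp", dport=500),
    "ssh_to_pix":              Packet("198.51.100.7", "203.0.113.10", "tcp", dport=22),
    "ike_to_other_host":       Packet("198.51.100.7", "203.0.113.20", "udp", dport=500),
}


def classify_samples() -> dict:
    rules = build_ingress_acl()
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for line in render_ios(build_ingress_acl()):
        print(line)
    for name, verdict in classify_samples().items():
        print(f"{verdict:6} {name}")
```

Two points the model makes visible. Rule order matters because IOS evaluates top down and stops at the first match, so the anti-spoofing denies have to sit above the permits or a spoofed 10.x packet aimed at UDP/500 would be let through. And the posted permits match on destination port only, which is what lets a client whose IKE traffic has been re-sourced by NAT (here from port 13579) still reach the PIX; the only thing that distinguishes it from a raw exploit attempt against the PIX's outside interface is what the PIX itself then accepts, which is why the thread's advice to be explicit about what the PIX permits still stands. The model deliberately omits return traffic for connections initiated from inside and the outbound ACL 110 from the same post; on IOS releases that support it, unicast reverse-path forwarding ("ip verify unicast reverse-path") is an alternative to hand-written anti-spoofing denies.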
  </channel>
</rss>

