topic Re: PIX routing in Network Security

PIX routing

milan.kulik — Fri, 21 Feb 2020 07:24:10 GMT

Hi,

I've configured my remote access VPN client to connect via an IPSec tunnel to a PIX in headquarters network.

VPN client is able to connect to the company network now.

But users require to be able to browse the Internet at the time they are connected to the company network via VPN client.

I don't want to use split tunnel - I consider it dangerous.

So I'd like to configure the PIX to recognize the traffic originated from VPN clients and forward it to the company default gateway when VPN clients try to connect to the Internet.

But I can't use default route on the PIX - it has to be configured on the outside interface to be able to provide routing for IPSec tunnel establishment (client can connect from any place in Internet).

I'd need something like policy routing - to recognize traffic going from VPN client pool address range to the Internet and forward it to the company default gateway.

Can anybody help?

Thanks,

Milan

Re: PIX routing

mostiguy — Mon, 17 May 2004 14:09:23 GMT

You need a proxy. there is no other way. If you are not using split tunnelling, then everything is going to go to the pix in the encrypted tunnel. Traffic will not leave the pix interface it came in on, which is likely the outside int.

Re: PIX routing

milan.kulik — Tue, 18 May 2004 05:17:37 GMT

Hi, could you please explain in details what do you mean by "You need a proxy"?

The only solution I can imagine in the moment is following:

Put my PIX into DMZ (I've got another firewall used for DMZ implementation).

Configure the other firewall to translate the source address of packets coming to my PIX to one private subnet.

Configure IPSec NAT Traversal on my PIX.

Then I can configure one static route (to the translated source address) on my PIX outside interface and default route on the inside interface (enabling VPN users to browse the Internet).

The disadvantage of this solution is using NAT Traversal for all VPN IPSec connections which disables IPSec AH forever (if the VPN client supports AH in the future).

Can you imagine another solution with a proxy?

(I've suggested my users to use a Citrix terminal server for Internet browsing but they consider this solution "not comfortable".)

Thanks,

Milan

Re: PIX routing

ehirsel — Tue, 18 May 2004 11:20:33 GMT

A proxy is a host that will connect to another system on the user's behalf. All connections to the internet terminate on the proxy, and the proxy will in turn send the data to the user. Being an endpoint of both the user's and the internet connection will allow the pix to handle your case. The pix is unaware of the proxy presense, it will see two distinct connections and route both of them properly.

When you suggested that your users use a Citrix terminal server, that is one form of proxying.