Can a pix send traffic to an ipsec lan to lan tunnel

Unanswered Question
Mar 30th, 2007
Hello all. I have an IPsec tunnel to allow users to connect to a vendor's network. Right now, I have static routes on end-user PCs using the inside interface of the VPN concentrator as the gateway for their particular network. My question is, is there a better way to do this? I tried a route command on the PIX to route traffic destined for 192.168.200.0 255.255.255.0 to the inside interface of the VPN concentrator. It did not work. Any thoughts would be greatly appreciated.

Jon Marshall Fri, 03/30/2007 - 14:34
Hi


Is the PIX the default gateway for your clients? It sounds like you do not have a router in your network, because if you did you could just put the route to the vendor network on that and point the clients to the router.


If not, what version of PIX are you running? Version 6.x and below will not allow traffic going into an interface to come straight back out. So if your clients have their default gateway as the PIX inside interface, and to get to the VPN concentrator the PIX has to send traffic via the inside interface, this won't work on any PIX running 6.x or before.


If that is the case you have a number of options:


1) Upgrade the PIX software to v7.0. Then you can send traffic back out the interface it entered on. PIX 501 and 506 cannot run 7.0. PIX 515E can run 7.0 but needs 128MB of RAM. PIX 525/535 should have enough memory already.

2) Could you not create the tunnel from the PIX instead of the VPN concentrator?

3) Buy a router or replace your layer 2 switch with a layer 3 switch.


HTH


Jon

vanguard1 Fri, 03/30/2007 - 17:26
Thanks for your input. Very helpful. Yes, the PIX is the default gateway for clients. The PIX is running 6.x. I think I will upgrade next week to 7. If running 7.0, would the command be route inside 192.168.200.0 255.255.255.0 192.168.x.x, assuming x.x is the inside address of the VPN concentrator?

I do have a router I can use. Would I just add a static route on the router to the inside address of the VPN concentrator and then configure the PCs to use that as the default gateway? All other traffic not destined for the vendor network would then be sent to the PIX. I tried this, but clients were still unable to access the tunnel. If I added a static route on the PC to the router I was testing with, it would work. Thanks again.

Jon Marshall Sat, 03/31/2007 - 03:22
Hi


If you have a router then you should have been able to use that. Not sure why it didn't work for you.


Just to confirm: you set the default gateway of the clients to be the router, and then on the router you add the static route that you originally had on your clients, pointing to the VPN concentrator interface for the remote partner network.


That should work. Ideally each PC should only need to point to the router. Then on the router you add the route for the partner network, and you can then have a default route for all other traffic pointing to the inside interface of the PIX.


What type of router is it? If Cisco, could you send the config?


One other question - which PIX do you have?

Jon

vanguard1 Sun, 04/01/2007 - 07:23
I had one lying around that I set up to test. Right, I set the default gateway of the clients to point to the router. Added a static route for 192.168.200.0 traffic to be sent to the inside address of the VPN concentrator, 192.168.15.1.

The router is a Cisco 2611. Config attached. The PIX is a 535, running 6.3. Hoping to upgrade to 7.0 this week. Thanks again for all of your help.

Jon Marshall Sat, 03/31/2007 - 13:45
Hi


Forgot to answer the v7.0 bit. Yes, you would add a route pointing back out the inside interface to get to the VPN concentrator.


This ability to send traffic back out the interface it was received on is called "hairpinning". Excerpt from the Cisco doc:


==============================================


Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1).


==============================================


HTH


Jon
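Putting the two pieces of Jon's 7.0 answer together as an added configuration example (not from the thread or from Cisco's docs): the route alone is not enough on 7.0, hairpinning also has to be switched on per interface. Interface name, the PIX inside address 192.168.15.254 and the NAT exemption are assumptions; the concentrator address 192.168.15.1 and the vendor prefix are the ones given in the thread.

```cisco
! PIX 535 on 7.0 software (constructed example). Assumed addressing:
! PIX inside 192.168.15.254/24, VPN concentrator inside leg 192.168.15.1,
! vendor network 192.168.200.0/24 reached through the concentrator's LAN-to-LAN tunnel.
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.15.254 255.255.255.0
!
! Permit traffic to leave on the interface it arrived on (hairpinning, new in 7.0).
! Without this line the client -> PIX -> concentrator hop is still dropped, route or no route.
same-security-traffic permit intra-interface
!
! The route from the thread: send the vendor prefix back out inside to the concentrator.
route inside 192.168.200.0 255.255.255.0 192.168.15.1 1
!
! Assumed: nat-control stays enabled after the 6.x upgrade, so the inside->inside flow
! also needs a NAT decision. Exempt it so addresses are preserved across the tunnel.
access-list NO_NAT_VENDOR extended permit ip 192.168.15.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_VENDOR
```

Hairpinned connections show up in `show conn` with inside as both source and destination interface, which is a quick way to confirm the flow is being permitted rather than silently dropped.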

jasonrandolph Fri, 03/30/2007 - 15:01
As mentioned above, the PIX is likely discarding the traffic, as a packet cannot ingress and egress on the same firewall interface (this is by design).


If you are unable to upgrade the PIX to allow this, you will either need to find a new device to act as your default gateway or static route each host...


You may consider eventually moving your VPN concentrator's inside interface to a DMZ by itself so that you can control access from the Vendor's side of the tunnel. This would also fix the routing issue.
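The DMZ design suggested here, as an added configuration example for a PIX on 7.0 (not from the thread): moving the concentrator's inside leg onto its own interface removes the hairpin problem and lets the PIX filter what the vendor side can reach. The interface name, the 192.168.50.0/24 segment, the application server 192.168.15.20 and its port are constructed; the vendor prefix and the corporate LAN 192.168.15.0/24 come from the thread.

```cisco
! Constructed example. The concentrator's inside leg is re-addressed to 192.168.50.1 on a
! dedicated PIX segment; the PIX holds 192.168.50.254. Corporate LAN stays behind inside.
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.50.254 255.255.255.0
!
! Inside -> dmz is an ordinary two-interface path, so no intra-interface permit is needed.
route dmz 192.168.200.0 255.255.255.0 192.168.50.1 1
!
! Traffic from the vendor side now enters on a lower-security interface and is denied unless
! an ACL allows it. Permit only the one service the vendor needs (assumed: TCP/1433 to an
! application server at 192.168.15.20) and log everything else for review.
access-list VENDOR_IN extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.15.20 eq 1433
access-list VENDOR_IN extended deny ip any any log
access-group VENDOR_IN in interface dmz
!
! Assumed: nat-control is enabled. NAT exemption is bidirectional, so one statement keeps
! addresses untouched for connections started from either side.
access-list NO_NAT_VENDOR extended permit ip 192.168.15.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_VENDOR
```

With this layout the vendor-side hosts are treated like any other lower-security network, and the deny-with-log entry gives a record of anything the tunnel peer attempts beyond the agreed service.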
