Maximum number of secured routes?

Aug 2nd, 2007

Hello

Does anyone know if there is a limited number of secured routes that you can give a VPN client?

I'm testing my lab PIX 515E 6.3.3 with new VPN profiles/ACLs and encountered this problem.

I have created an object-group (network) for the secured routes that I want to give the user:


object-group network new_vpn_ip_ranges

description internal_network_ip_ranges

network-object 192.168.2.0 255.255.255.0

network-object 192.168.14.0 255.255.255.0

network-object 192.168.15.0 255.255.255.0

network-object 192.168.16.0 255.255.255.0

network-object 192.168.17.0 255.255.255.0

network-object 192.168.19.0 255.255.255.0

network-object 192.168.20.0 255.255.255.0

network-object 192.168.21.0 255.255.255.0

network-object 192.168.25.0 255.255.255.0


Then I created a new object-group for the VPN IP pools that I wanted the internal network to be able to access:


object-group network new_vpn_ip_pools

description internal_vpn_pools


network-object 192.168.34.0 255.255.255.0

network-object 192.168.35.0 255.255.255.0

network-object 192.168.35.0 255.255.255.0

network-object 192.168.36.0 255.255.255.0

network-object 192.168.37.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

network-object 192.168.41.0 255.255.255.0

network-object 192.168.42.0 255.255.255.0

network-object 192.168.43.0 255.255.255.0

network-object 192.168.64.0 255.255.255.0

network-object 192.168.65.0 255.255.255.0

network-object 192.168.69.0 255.255.255.0


Then I created the ACL for this to work:

access-list testingnewvpn permit ip object-group new_vpn_ip_ranges object-group new_vpn_ip_pools


If I then check "secure routes" in the VPN client, it only gives me the 192.168.2.0, 192.168.14.0, 192.168.15.0, 192.168.16.0 and 192.168.17.0 networks and skips the rest. There are like 14 secure route entries for each ACL rule.


Like:

192.168.2.0 255.255.255.0

192.168.2.0 255.255.255.0

192.168.2.0 255.255.255.0

(and so on, x 14 for each ACL rule)


Am I doing this wrong?


If I just do this ACL, it becomes perfect:

access-list testingnewvpn permit ip object-group new_vpn_ip_ranges 192.168.32.0 255.255.255.0


Thank you


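Added example, not from the thread: a small Python script that expands the posted ACL the way the PIX expands object-group ACEs (one entry per source/destination member pair) and lists the source of each entry as the client would show it under secured routes. It assumes that one-secured-route-per-expanded-entry mapping, which is what the repeated 192.168.2.0 lines suggest, and builds the config text from the object-groups in the question; RANGES, POOLS and the ACL name onepool are the example's own names.

```python
import re

# Constructed from the question: the two object-groups (the duplicate 192.168.35.0
# pool entry is kept as posted) plus the two ACLs, rendered as PIX config text.
RANGES = ["192.168.%d.0" % n for n in (2, 14, 15, 16, 17, 19, 20, 21, 25)]
POOLS = ["192.168.%d.0" % n for n in (34, 35, 35, 36, 37, 40, 41, 42, 43, 64, 65, 69)]
PIX_CONFIG = "\n".join(
    ["object-group network new_vpn_ip_ranges"]
    + [" network-object %s 255.255.255.0" % n for n in RANGES]
    + ["object-group network new_vpn_ip_pools"]
    + [" network-object %s 255.255.255.0" % n for n in POOLS]
    + ["access-list testingnewvpn permit ip object-group new_vpn_ip_ranges"
       " object-group new_vpn_ip_pools",
       "access-list onepool permit ip object-group new_vpn_ip_ranges"
       " 192.168.32.0 255.255.255.0"])

def parse_groups(config):
    """Map each object-group network name to its 'net mask' members, in order."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.strip().startswith("network-object ") and current is not None:
            current.append(line.split(None, 1)[1].strip())
    return groups

def resolve(tokens, groups):
    """Resolve one address operand ('object-group NAME' or 'net mask'); return members and the rest."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [tokens[0] + " " + tokens[1]], tokens[2:]

def expand_acl(config, name):
    """Expand the ACEs of `name` as the PIX does: one (src, dst) entry per member combination."""
    groups, entries = parse_groups(config), []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["access-list", name]:   # access-list NAME permit ip SRC DST
            srcs, rest = resolve(t[4:], groups)
            dsts, _ = resolve(rest, groups)
            entries += [(s, d) for s in srcs for d in dsts]
    return entries

def secured_routes(config, name):
    """Source network of every expanded entry: what the client lists under secured routes."""
    return [src for src, _ in expand_acl(config, name)]

if __name__ == "__main__":
    for acl in ("testingnewvpn", "onepool"):
        routes = secured_routes(PIX_CONFIG, acl)
        print(acl, len(routes), "entries,", len(set(routes)), "distinct networks")
```

Running it gives 108 entries covering only 9 distinct networks for the object-group pair, against 9 entries for the single-pool ACL, so the pushed list grows with the product of the two groups without securing any additional network.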
carenas123 Wed, 08/08/2007 - 07:57

Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use the address of someone else instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.
