08-02-2007 12:15 AM
Hello
Does anyone know if there is a limit on the number of secured routes that you can give a VPN client?
I'm testing my lab PIX 515E running 6.3.3 with new VPN profiles/ACLs and encountered this problem.
I have created an object-group (network) for the secured routes that I want to give the user:
object-group network new_vpn_ip_ranges
description internal_network_ip_ranges
network-object 192.168.2.0 255.255.255.0
network-object 192.168.14.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object 192.168.17.0 255.255.255.0
network-object 192.168.19.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
network-object 192.168.25.0 255.255.255.0
Then I created a new object-group for the VPN IP pools that I wanted the internal network to be able to access:
object-group network new_vpn_ip_pools
description internal_vpn_pools
network-object 192.168.34.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.35.0 255.255.255.0
network-object 192.168.36.0 255.255.255.0
network-object 192.168.37.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.41.0 255.255.255.0
network-object 192.168.42.0 255.255.255.0
network-object 192.168.43.0 255.255.255.0
network-object 192.168.64.0 255.255.255.0
network-object 192.168.65.0 255.255.255.0
network-object 192.168.69.0 255.255.255.0
Then I created the ACL to make this work:
access-list testingnewvpn permit ip object-group new_vpn_ip_ranges object-group new_vpn_ip_pools
If I then check "secure routes" in the VPN client, it only gives me the 192.168.2.0, 192.168.14.0, 192.168.15.0, 192.168.16.0 and 192.168.17.0 networks and skips the rest. There are about 14 secure route entries for each ACL rule.
Like:
192.168.2.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.2.0 255.255.255.0
(and so on, x14 for each ACL rule)
Am I doing this wrong?
If I just use this ACL instead, it works perfectly:
access-list testingnewvpn permit ip object-group new_vpn_ip_ranges 192.168.32.0 255.255.255.0
Thank you
08-08-2007 07:57 AM
Many network attacks rely on an attacker who falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use someone else's address instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.